Analysis

  • max time kernel
    129s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-02-2024 14:52

General

  • Target

    24946_15193478413494.js

  • Size

    1.9MB

  • MD5

    c587f03e38a7ca5ac023ef8745264eb4

  • SHA1

    a01598d9c8812f2609f0a868c8e44a81ad3c0685

  • SHA256

    1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a

  • SHA512

    e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816

  • SSDEEP

    24576:z7wlkCvWJPN4RQjEdsFCOlJ+IbY68A7ckHsgPp2K9mkkCJzIrytG7sjxsSzMYOnY:ojTUwehMs

Score
10/10

Malware Config

Signatures

  • Strela

    An info stealer targeting mail credentials, first seen in late 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\system32\findstr.exe
        findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""
        3⤵
          PID:3268
        • C:\Windows\system32\certutil.exe
          certutil -f -decode insidiouswall ladybugwork.dll
          3⤵
            PID:4360
          • C:\Windows\system32\rundll32.exe
            rundll32 ladybugwork.dll,main
            3⤵
            • Loads dropped DLL
            PID:3196

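The process tree above is a three-step unpacker: wscript.exe runs the .js, cmd.exe copies the same file to vaguetongue.bat and runs it (a JScript/batch polyglot), findstr /V drops every line containing the word agreetrick (the redirect into insidiouswall is not visible in the captured command line but follows from the next step), certutil -f -decode base64-decodes insidiouswall into ladybugwork.dll, and rundll32 calls the DLL's main export. The following Python is an added example, not code from the sandbox or from the sample: it re-implements the findstr /V and certutil -decode steps so a responder can carve the DLL from the original .js offline and hash it against the Downloads section. The marker word comes from the report; the polyglot layout, the payload bytes and the function names are assumptions made for the example.

```python
import base64
import hashlib
import re

# Filter word taken from the findstr /V command line in the process tree.
MARKER = "agreetrick"

# Constructed stand-in for the DLL payload; the real ladybugwork.dll is not reproduced here.
FAKE_DLL = b"MZ" + bytes(range(256)) * 4

_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def build_polyglot(payload: bytes, marker: str = MARKER) -> str:
    """Construct a dropper-style file in the shape the process tree implies:
    every script/junk line carries the marker word so `findstr /V marker` strips it,
    and the base64 payload (wrapped in a PEM header that certutil tolerates) survives.
    This layout is an assumption for the example, not the real sample's content."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (
        f"// {marker} stage-1 JScript, what wscript.exe executes\n"
        f"var noise = 'junk'; // {marker}\n"
        "-----BEGIN CERTIFICATE-----\n"
        f"{body}\n"
        "-----END CERTIFICATE-----\n"
        f"// {marker} trailer\n"
    )


def findstr_v(text: str, marker: str) -> str:
    """Emulate `findstr /V marker file`: keep only lines that do NOT contain marker.
    findstr is case-sensitive unless /I is given, so the comparison is exact."""
    return "".join(line for line in text.splitlines(keepends=True) if marker not in line)


def certutil_decode(text: str) -> bytes:
    """Emulate `certutil -f -decode in out`: skip blank lines and -----BEGIN/END----- wrappers,
    require every other line to be base64, and decode strictly. A script line that the
    marker filter missed is reported instead of being silently skipped."""
    chunks = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("-----"):
            continue
        if not _B64_LINE.match(s):
            raise ValueError(f"non-base64 line survived the filter: {s[:40]!r}")
        chunks.append(s)
    return base64.b64decode("".join(chunks), validate=True)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_chain(polyglot: str, marker: str = MARKER) -> dict:
    """copy -> findstr /V -> certutil -decode, returning what a responder would compare
    against the Downloads section (sizes and SHA-256 of the two dropped files)."""
    stage = findstr_v(polyglot, marker)      # what cmd redirects into insidiouswall
    dll = certutil_decode(stage)             # ladybugwork.dll, later run by rundll32 ladybugwork.dll,main
    return {
        "insidiouswall_size": len(stage.encode("ascii")),
        "insidiouswall_sha256": sha256_hex(stage.encode("ascii")),
        "dll_size": len(dll),
        "dll_sha256": sha256_hex(dll),
        "dll_is_pe": dll[:2] == b"MZ",
    }


if __name__ == "__main__":
    for key, value in run_chain(build_polyglot(FAKE_DLL)).items():
        print(f"{key}: {value}")
```

To use it on the real sample, read the .js from disk, call run_chain on its text and compare dll_sha256 with the ladybugwork.dll entries under Downloads; a mismatch usually means the marker or the line filter differs from what this constructed layout assumes.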
      Network

      MITRE ATT&CK Enterprise v15

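The chain in the process tree maps onto three ATT&CK techniques: a script host running a .js from the user's Temp folder (T1059.007, JavaScript), certutil used as a decoder (T1140, Deobfuscate/Decode Files or Information) and rundll32 loading a DLL from the user profile (T1218.011, Rundll32). The following Python detector is an added example, not part of the report or of any product: it walks constructed Sysmon-style process-creation events (PIDs, images and command lines copied from the process tree, plus one invented benign certutil event and an invented parent PID 800 for wscript.exe) and flags the chain by parent/child relationship rather than by any single command line.

```python
import re
from collections import defaultdict

# Constructed events modelled on Sysmon Event ID 1 fields. The five malicious rows reproduce
# the process tree in the report; the wscript parent PID (800) and the last, benign
# certutil event are invented for the example.
EVENTS = [
    {"pid": 1096, "ppid": 800, "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js"},
    {"pid": 1764, "ppid": 1096, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"'},
    {"pid": 3268, "ppid": 1764, "image": r"C:\Windows\system32\findstr.exe",
     "cmd": r'findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""'},
    {"pid": 4360, "ppid": 1764, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": "certutil -f -decode insidiouswall ladybugwork.dll"},
    {"pid": 3196, "ppid": 1764, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32 ladybugwork.dll,main"},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": "certutil -decode cert.b64 cert.cer"},   # benign: no scripting-host ancestor
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
CERTUTIL_DECODE = re.compile(r"\s-(decode|decodehex|urlcache)\b", re.I)
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.(js|jse|vbs|vbe|wsf)\b", re.I)
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^\s",]+)', re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events, pid):
    """Yield the parent, grandparent, ... of pid as far as the event set reaches."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        yield cur


def detect(events):
    """Return (pid, technique, reason) tuples for the script-host -> certutil -> rundll32 chain."""
    findings = []
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)

    for e in events:
        img = _basename(e["image"])

        # T1059: script host launched on a script file dropped in the user's Temp folder.
        if img in SCRIPT_HOSTS:
            m = TEMP_SCRIPT.search(e["cmd"])
            if m:
                tech = "T1059.007" if m.group(1).lower() in ("js", "jse") else "T1059.005"
                findings.append((e["pid"], tech, f"{img} running {m.group(0)}"))

        # T1140: certutil decoding with a scripting host somewhere up the ancestry.
        if img == "certutil.exe" and CERTUTIL_DECODE.search(e["cmd"]):
            hosts = [a for a in ancestors(events, e["pid"]) if _basename(a["image"]) in SCRIPT_HOSTS]
            if hosts:
                findings.append((e["pid"], "T1140", f"certutil decode under {_basename(hosts[0]['image'])}"))

        # T1218.011: rundll32 whose DLL argument has no directory (resolved against cmd's working
        # directory, the user profile here) or sits under C:\Users, with a sibling certutil -decode.
        if img == "rundll32.exe":
            m = RUNDLL_ARG.search(e["cmd"])
            dll = m.group(1) if m else ""
            decoders = [s for s in by_parent[e["ppid"]]
                        if _basename(s["image"]) == "certutil.exe" and CERTUTIL_DECODE.search(s["cmd"])]
            if decoders and ("\\" not in dll or dll.lower().startswith("c:\\users\\")):
                findings.append((e["pid"], "T1218.011", f"rundll32 loads {dll} decoded by pid {decoders[0]['pid']}"))
    return findings


if __name__ == "__main__":
    for pid, tech, reason in detect(EVENTS):
        print(f"pid {pid}: {tech} {reason}")
```

The benign certutil event is deliberately left unflagged: keying T1140 on the ancestry (a script host above cmd.exe) rather than on the -decode switch alone is what keeps an administrator converting a certificate out of the alert stream.
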
      Downloads

      • C:\Users\Admin\insidiouswall

        Filesize

        1.3MB

        MD5

        73c7a5a0060662b6d39adb4933d83d7e

        SHA1

        97c0a2102a6398047b0256316f235279e74afe3d

        SHA256

        dfd5b00748f07ce813bbf47c4128912ed5517b1e9fd1a1d6f5eeb6c4e2e751b5

        SHA512

        629b6439e44a4ba8dc502228ca269a8e9e8b7ea9b7459b2565c467d0ed059db8cf0f58f25d7cd7c4892cae52c8c52f87c818e4cd36235d7c648d5b27cb450084

      • C:\Users\Admin\ladybugwork.dll

        Filesize

        1007KB

        MD5

        6dcd37226bb68e40f5b6e58361bb0210

        SHA1

        bb2a47f726aa56a658822ce575b5363f5257047f

        SHA256

        639e341b9fc9d256a502d91b784798e09c77fabe6347567a8bbff9c0819c9037

        SHA512

        203ee3765f0073ae0d246cb0c4b6eab7d9d989a6487baef91bf8e52d57ee1d033564b0fee519612178e6343f3e1884bc16f959f2ea967b317cafba0048febf7f

      • C:\Users\Admin\ladybugwork.dll

        Filesize

        1.3MB

        MD5

        172a0cf1298ee04df575d6fd591ec63c

        SHA1

        29fab1e4477846d226c7e81994958137992a6aed

        SHA256

        f7df69f6ccb0e06757846ef8e5d4e02026757981b3cdcc7dcf4fd1598c24222c

        SHA512

        6cc1740825c4da4d3623dd982613c7581410d007d37ac76277683592f562e080101cd1eee40a1b96fd86683b5db887452596fd87e413c6c6570dcac9113dfae8

      • C:\Users\Admin\vaguetongue.bat

        Filesize

        1.9MB

        MD5

        c587f03e38a7ca5ac023ef8745264eb4

        SHA1

        a01598d9c8812f2609f0a868c8e44a81ad3c0685

        SHA256

        1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a

        SHA512

        e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816

      • memory/3196-2006-0x000001DA86B00000-0x000001DA86B23000-memory.dmp

        Filesize

        140KB

      • memory/3196-2005-0x00007FFF3C0F0000-0x00007FFF3C262000-memory.dmp

        Filesize

        1.4MB

      • memory/3196-2007-0x000001DA86B00000-0x000001DA86B23000-memory.dmp

        Filesize

        140KB