Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-03-2024 17:42

General

  • Target

    18262829011200.js

  • Size

    345KB

  • MD5

    301503edfb1ea723b231b416c2a81f0f

  • SHA1

    dd41fda85637d2593ef4aad407371ec830fe171d

  • SHA256

    544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45

  • SHA512

    f5df4b28a0f012b458026ef7caa2f460f51476a67e63e63641631dc5672b4920422618afb36af17373ffdfcc678370dc965678f3d3f1dda5326589c2a471f9d5

  • SSDEEP

    6144:FSxcuKYMvWe+ch9Bi7PoOCSElpHMnOInDOWPZsngSKTj+c42pf:+cRYMv5+ctgEBmODYsw+h2pf

Score
10/10

Malware Config

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\18262829011200.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\18262829011200.js" "C:\Users\Admin\AppData\Local\Temp\\trousersperpetual.bat" && "C:\Users\Admin\AppData\Local\Temp\\trousersperpetual.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\system32\findstr.exe
        findstr /V marrywise ""C:\Users\Admin\AppData\Local\Temp\\trousersperpetual.bat""
        3⤵
          PID:2892
        • C:\Windows\system32\certutil.exe
          certutil -f -decode magnificentdevelopment returnready.dll
          3⤵
            PID:2740
          • C:\Windows\system32\cmd.exe
            cmd /c rundll32 returnready.dll,m
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2204
            • C:\Windows\system32\rundll32.exe
              rundll32 returnready.dll,m
              4⤵
              • Loads dropped DLL
              PID:2572

Network

MITRE ATT&CK Matrix ATT&CK v13


Downloads

  • C:\Users\Admin\AppData\Local\Temp\magnificentdevelopment
    Filesize

    338KB

    MD5

    04d8d28e9039e6861017650bb59f24b3

    SHA1

    53741049bc23ab05658dc32ad54326a87dd0edee

    SHA256

    54d3f28c9044ca9b16d3584d7bfac00c65f8aa6369801b340e1a7348d4681bef

    SHA512

    05c9830335b82a5dd020e097e8fb3241e52d60875d951b13dfe82ad590c922ed6884ae5f9a1d2a6270c0d3456bc88ed8d373c5fdedca8a604f65ce986f00cf32

  • C:\Users\Admin\AppData\Local\Temp\returnready.dll
    Filesize

    252KB

    MD5

    9499f14143b34ea7703c73b5f9b37013

    SHA1

    ceff6b19826c9a4e9b9e8cbcc512d5241a27825e

    SHA256

    e6991b12e86629b38e178fef129dfda1d454391ffbb236703f8c026d6d55b9a1

    SHA512

    f14dec41f677fb3e2af064b4b7a6b3b15bec8429a831a78247513853d4ce7511ed37e89e52ebadbed03ab9115dcea3cc316b90e99c939d07402b5a554d722668

  • C:\Users\Admin\AppData\Local\Temp\trousersperpetual.bat
    Filesize

    345KB

    MD5

    301503edfb1ea723b231b416c2a81f0f

    SHA1

    dd41fda85637d2593ef4aad407371ec830fe171d

    SHA256

    544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45

    SHA512

    f5df4b28a0f012b458026ef7caa2f460f51476a67e63e63641631dc5672b4920422618afb36af17373ffdfcc678370dc965678f3d3f1dda5326589c2a471f9d5

  • memory/2572-393-0x000007FEF6D60000-0x000007FEF6DA7000-memory.dmp
    Filesize

    284KB

  • memory/2572-394-0x0000000000140000-0x0000000000163000-memory.dmp
    Filesize

    140KB

  • memory/2572-395-0x0000000000140000-0x0000000000163000-memory.dmp
    Filesize

    140KB