Analysis
Max time kernel: 150s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03-11-2024 16:07

Static task: static1

Behavioral task: behavioral1
  Sample: 18262829011200.js
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 18262829011200.js
  Resource: win10v2004-20241007-en
General
Target: 18262829011200.js
Size: 345KB
MD5: 301503edfb1ea723b231b416c2a81f0f
SHA1: dd41fda85637d2593ef4aad407371ec830fe171d
SHA256: 544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45
SHA512: f5df4b28a0f012b458026ef7caa2f460f51476a67e63e63641631dc5672b4920422618afb36af17373ffdfcc678370dc965678f3d3f1dda5326589c2a471f9d5
SSDEEP: 6144:FSxcuKYMvWe+ch9Bi7PoOCSElpHMnOInDOWPZsngSKTj+c42pf:+cRYMv5+ctgEBmODYsw+h2pf
Malware Config
Extracted: strela
193.109.85.231
url_path: /server.php
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537
Signatures

Detects Strela Stealer payload (1 IoCs)
  resource: behavioral2/memory/1884-390-0x00007FFF57600000-0x00007FFF57647000-memory.dmp
  yara_rule: family_strela

Strela family

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe
Loads dropped DLL (1 IoCs)
  pid: 1884
  Process: rundll32.exe

Deobfuscate/Decode Files or Information (signature name recovered from the process tree entry for PID 2008)
  pid: 2008
  Process: certutil.exe
Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   Process      procid_target
  PID 4456 wrote to memory of 4092   4456  wscript.exe  84
  PID 4456 wrote to memory of 4092   4456  wscript.exe  84
  PID 4092 wrote to memory of 2356   4092  cmd.exe      89
  PID 4092 wrote to memory of 2356   4092  cmd.exe      89
  PID 4092 wrote to memory of 2008   4092  cmd.exe      90
  PID 4092 wrote to memory of 2008   4092  cmd.exe      90
  PID 4092 wrote to memory of 1896   4092  cmd.exe      91
  PID 4092 wrote to memory of 1896   4092  cmd.exe      91
  PID 1896 wrote to memory of 1884   1896  cmd.exe      92
  PID 1896 wrote to memory of 1884   1896  cmd.exe      92
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\18262829011200.js
  PID: 4456
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\18262829011200.js" "C:\Users\Admin\AppData\Local\Temp\\trousersperpetual.bat" && "C:\Users\Admin\AppData\Local\Temp\\trousersperpetual.bat"
    PID: 4092
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\findstr.exe
      Command line: findstr /V marrywise ""C:\Users\Admin\AppData\Local\Temp\\trousersperpetual.bat""
      PID: 2356

    C:\Windows\system32\certutil.exe
      Command line: certutil -f -decode magnificentdevelopment returnready.dll
      PID: 2008
      - Deobfuscate/Decode Files or Information

    C:\Windows\system32\cmd.exe
      Command line: cmd /c rundll32 returnready.dll,m
      PID: 1896
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\rundll32.exe
        Command line: rundll32 returnready.dll,m
        PID: 1884
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 338KB
MD5: 04d8d28e9039e6861017650bb59f24b3
SHA1: 53741049bc23ab05658dc32ad54326a87dd0edee
SHA256: 54d3f28c9044ca9b16d3584d7bfac00c65f8aa6369801b340e1a7348d4681bef
SHA512: 05c9830335b82a5dd020e097e8fb3241e52d60875d951b13dfe82ad590c922ed6884ae5f9a1d2a6270c0d3456bc88ed8d373c5fdedca8a604f65ce986f00cf32

Filesize: 252KB
MD5: 9499f14143b34ea7703c73b5f9b37013
SHA1: ceff6b19826c9a4e9b9e8cbcc512d5241a27825e
SHA256: e6991b12e86629b38e178fef129dfda1d454391ffbb236703f8c026d6d55b9a1
SHA512: f14dec41f677fb3e2af064b4b7a6b3b15bec8429a831a78247513853d4ce7511ed37e89e52ebadbed03ab9115dcea3cc316b90e99c939d07402b5a554d722668

Filesize: 345KB
MD5: 301503edfb1ea723b231b416c2a81f0f
SHA1: dd41fda85637d2593ef4aad407371ec830fe171d
SHA256: 544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45
SHA512: f5df4b28a0f012b458026ef7caa2f460f51476a67e63e63641631dc5672b4920422618afb36af17373ffdfcc678370dc965678f3d3f1dda5326589c2a471f9d5