Analysis Overview
SHA256
6a60f0539acd483d86cfa20ec38c44fef2e9a2ba0a29dee32f736797990e9926
Threat Level: Known bad
The file becomix.zip was found to be: Known bad.
Malicious Activity Summary
Strela
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-26 11:37
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2023-10-26 11:37
Reported
2023-10-26 11:43
Platform
win7-20231023-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js" "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat" && "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat"
C:\Windows\system32\findstr.exe
findstr /V filthydam ""C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode developback committeelunchroom.dll
C:\Windows\system32\regsvr32.exe
regsvr32 committeelunchroom.dll
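The process tree above is a classic LOLBin dropper: wscript.exe runs the JavaScript, which copies itself to farmtickle.bat and runs it; the batch stage uses findstr /V to strip every line carrying the marker "filthydam" (the script and batch lines themselves), leaving the encoded payload in developback; certutil -decode turns that into committeelunchroom.dll and regsvr32 loads it. The same two steps can be replayed offline to recover and hash the DLL without detonation. The script below is an added example, not part of the sandbox report and not the malware's own code; the marker and file names are taken from the report's command lines, while the polyglot text at the bottom is constructed for illustration (the report does not show the batch body, so that line is a reconstruction).

```python
"""Static recovery of the DLL hidden in a JS/BAT polyglot dropper.

Added example; not the sandbox's or the malware's code. It re-implements offline
the two LOLBin steps from the report's process tree:

    findstr /V <marker> <file>    keep only the lines NOT containing <marker>
    certutil -f -decode in out    Base64-decode whatever is left
"""
import base64
import hashlib
import re
from typing import Optional

FINDSTR_RE = re.compile(r'findstr\s+/V\s+"?([^\s"]+)"?', re.IGNORECASE)
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def marker_from_script(text: str) -> Optional[str]:
    """Pull the findstr /V marker out of the batch stage embedded in the file."""
    m = FINDSTR_RE.search(text)
    return m.group(1) if m else None


def emulate_findstr_v(text: str, marker: str) -> str:
    """findstr /V <marker>: emit only lines that do not contain the marker.
    The JS and batch lines carry the marker, so they filter themselves out
    and only the encoded payload survives."""
    return "\n".join(line for line in text.splitlines() if marker not in line)


def emulate_certutil_decode(text: str) -> bytes:
    """certutil -decode takes bare Base64 or a PEM-armoured block; with armour it
    decodes only what sits between the BEGIN/END lines and ignores the rest.
    Whitespace is ignored either way. (Assumption: no further certutil quirks.)"""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if PEM_BEGIN in lines and PEM_END in lines:
        lines = lines[lines.index(PEM_BEGIN) + 1:lines.index(PEM_END)]
    return base64.b64decode("".join(lines), validate=True)


def extract_payload(script: str, marker: Optional[str] = None) -> bytes:
    """Run the dropper's own pipeline statically and sanity-check the result."""
    marker = marker or marker_from_script(script)
    if marker is None:
        raise ValueError("no 'findstr /V <marker>' in script; pass marker= explicitly")
    payload = emulate_certutil_decode(emulate_findstr_v(script, marker))
    if payload[:2] != b"MZ":  # regsvr32 needs a PE; anything else means a bad decode
        raise ValueError("decoded data does not start with an MZ header")
    return payload


def payload_sha256(script: str) -> str:
    """SHA256 of the recovered DLL, to compare against the report's file hashes."""
    return hashlib.sha256(extract_payload(script)).hexdigest()


# ---- constructed sample: a minimal polyglot in the shape the report implies ----
# Stand-in for the DLL: MZ header plus filler (a real sample embeds the full PE).
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"constructed-test-payload"
_B64 = base64.b64encode(FAKE_PE).decode()
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_POLYGLOT = "\n".join(
    [
        "// filthydam  JS stage: wscript.exe runs this and spawns cmd.exe",
        'var sh = new ActiveXObject("WScript.Shell"); // filthydam',
        "/* filthydam  everything below is a JS comment",
        # reconstructed batch stage: runs when the same bytes execute as farmtickle.bat
        "findstr /V filthydam \"" + T + "\\farmtickle.bat\" > developback & "
        "certutil -f -decode developback committeelunchroom.dll & "
        "regsvr32 committeelunchroom.dll",
        PEM_BEGIN,
        *[_B64[i:i + 64] for i in range(0, len(_B64), 64)],
        PEM_END,
        "filthydam */",
    ]
)
```

Run extract_payload() on the real FACTURA_210231068.js to get the DLL bytes, then payload_sha256() to check the result against the committeelunchroom.dll hash the sandbox recorded; a mismatch usually means the marker was guessed wrong or the blob is not plain Base64.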
Network
Files
C:\Users\Admin\AppData\Local\Temp\farmtickle.bat
| MD5 | 23937572ef129eea43b202d55ae55889 |
| SHA1 | b9e0d1d51731669022536a43d78cdc3c9c8ab524 |
| SHA256 | 7842c673ba3e2000971d43f01b5000f71096822696913ead5f863c00b54480ae |
| SHA512 | dc6854379bceb9bdeff73a0bea32e899799deb22d380e243dbf464fbd30cdb2282d6fef729efb28dd8ffb846fa5190d9e716320d890d3a632f875913bf824aa1 |
C:\Users\Admin\AppData\Local\Temp\developback
| MD5 | 6ee4d167b37fd33367f52f69940fac3e |
| SHA1 | 53399ce699eab939e374ffae539910a9c1727d0f |
| SHA256 | 57ef19edd0b8456a464e6e9428fa4d966145f15b626f230be5dd083c79c8efe0 |
| SHA512 | 6557e323c054bf8022e170aa8ad0e9c1b374a4cd32085321767e790a97203bc5b568f0df759c140e1d74aa16db9ab76d997007c94614973e5e1a33c03abe69b6 |
C:\Users\Admin\AppData\Local\Temp\committeelunchroom.dll
| MD5 | e25ee77124ff26a5167d28fd3c6493f7 |
| SHA1 | 1c40976c6950009eb4d36dd15799e973409e9639 |
| SHA256 | 85c253acd652e6ceabcb0dc0fb1341f3251b41707cbc71e517c7a342d9780d43 |
| SHA512 | 6c15f22b36e66d1e92069053a62f826bf87aca0233bcdd1ff90730c3f8e65222b5be3eb8b558fb4bf91bb2e985e1aea0a1ce2da0cd087bff54363768f7bc8e98 |
memory/1088-4956-0x000000006D7C0000-0x000000006DA92000-memory.dmp
memory/1088-4955-0x00000000001B0000-0x00000000001D1000-memory.dmp
memory/1088-4957-0x00000000001B0000-0x00000000001D1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-10-26 11:37
Reported
2023-10-26 11:43
Platform
win10v2004-20231025-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4224 wrote to memory of 4892 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4224 wrote to memory of 4892 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4892 wrote to memory of 4932 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4892 wrote to memory of 4932 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4892 wrote to memory of 2304 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4892 wrote to memory of 2304 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4892 wrote to memory of 2700 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
| PID 4892 wrote to memory of 2700 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js" "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat" && "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat"
C:\Windows\system32\findstr.exe
findstr /V filthydam ""C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode developback committeelunchroom.dll
C:\Windows\system32\regsvr32.exe
regsvr32 committeelunchroom.dll
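The WriteProcessMemory table above gives the full parent/child chain with PIDs (wscript 4224 spawns cmd 4892, which spawns findstr 4932, certutil 2304 and regsvr32 2700), which is exactly the data a process-creation telemetry rule can key on. The script below is an added example, not part of the report: it evaluates a few rules over Sysmon Event ID 1 style records (pid, ppid, image, command line) and groups the hits under the script host that started the chain. The sample events are constructed from the command lines and PIDs in the behavioral4 table; the explorer.exe parent and the benign regsvr32 control are invented, and rule names and ancestry depth are this example's own choices.

```python
"""Detection rules for the script-host -> cmd -> certutil/regsvr32 dropper chain.

Added example, not part of the sandbox report. Events mimic Sysmon Event ID 1;
PIDs and command lines below are taken from the behavioral4 analysis, the
explorer.exe parent and the benign regsvr32 control are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "certutil.exe", "mshta.exe", "bitsadmin.exe"}
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\(?:Windows|Program Files(?: \(x86\))?)\\", re.I)
COPY_SCRIPT_TO_BAT = re.compile(r"\bcopy\b[^&|]*\.(?:js|jse|vbs|vbe|wsf)\b[^&|]*\.(?:bat|cmd)\b", re.I)
CERTUTIL_DECODE = re.compile(r"(?:^|\s)[-/](?:decode|decodehex|urlcache)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 4) -> List[ProcEvent]:
    """Parent chain, nearest first; stops at an unknown PID or max_depth."""
    out, cur = [], ev
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        out.append(cur)
    return out


def rule_script_to_batch_copy(ev, by_pid):
    """cmd.exe copying a script file onto a .bat/.cmd: the JS/BAT polyglot trick."""
    return basename(ev.image) == "cmd.exe" and bool(COPY_SCRIPT_TO_BAT.search(ev.command_line))


def rule_certutil_decode(ev, by_pid):
    """certutil used as a decoder/downloader rather than for certificate work."""
    return basename(ev.image) == "certutil.exe" and bool(CERTUTIL_DECODE.search(ev.command_line))


def rule_regsvr32_nonsystem_dll(ev, by_pid):
    """regsvr32 given a DLL by relative path or from outside the system directories.
    Whitespace tokenising is a simplification: quoted paths with spaces need a real argv split."""
    if basename(ev.image) != "regsvr32.exe":
        return False
    dlls = [t.strip('"') for t in ev.command_line.split() if t.strip('"').lower().endswith(".dll")]
    return any(not SYSTEM_DIRS.match(d) for d in dlls)


def rule_lolbin_under_script_host(ev, by_pid):
    """A LOLBin whose ancestry (within 4 levels) includes wscript/cscript/mshta."""
    return basename(ev.image) in LOLBINS and any(
        basename(a.image) in SCRIPT_HOSTS for a in ancestors(ev, by_pid))


RULES = [
    ("script_to_batch_copy", rule_script_to_batch_copy),
    ("certutil_decode", rule_certutil_decode),
    ("regsvr32_nonsystem_dll", rule_regsvr32_nonsystem_dll),
    ("lolbin_under_script_host", rule_lolbin_under_script_host),
]


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """(rule_name, pid) for every event/rule match."""
    by_pid = {e.pid: e for e in events}
    return [(name, ev.pid) for ev in events for name, rule in RULES if rule(ev, by_pid)]


def correlate(events: List[ProcEvent]) -> Dict[int, Set[str]]:
    """Group hits under the outermost script-host ancestor so one alert covers the chain."""
    by_pid = {e.pid: e for e in events}
    grouped: Dict[int, Set[str]] = {}
    for name, pid in evaluate(events):
        hosts = [a for a in ancestors(by_pid[pid], by_pid) if basename(a.image) in SCRIPT_HOSTS]
        grouped.setdefault(hosts[-1].pid if hosts else pid, set()).add(name)
    return grouped


# ---- constructed events: PIDs and command lines from the behavioral4 table ----
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed parent
    ProcEvent(4224, 1000, r"C:\Windows\system32\wscript.exe", "wscript.exe " + T + r"\FACTURA_210231068.js"),
    ProcEvent(4892, 4224, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "' + T + r'\FACTURA_210231068.js" "'
              + T + r'\\farmtickle.bat" && "' + T + r'\\farmtickle.bat"'),
    ProcEvent(4932, 4892, r"C:\Windows\system32\findstr.exe", 'findstr /V filthydam ""' + T + r'\\farmtickle.bat""'),
    ProcEvent(2304, 4892, r"C:\Windows\system32\certutil.exe", "certutil -f -decode developback committeelunchroom.dll"),
    ProcEvent(2700, 4892, r"C:\Windows\system32\regsvr32.exe", "regsvr32 committeelunchroom.dll"),
    # benign control (constructed): an installer registering a system DLL from explorer
    ProcEvent(5000, 1000, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\Windows\System32\msxml3.dll"),
]
```

correlate(SAMPLE_EVENTS) yields a single root (wscript PID 4224) carrying all four rule names, while the constructed system-DLL regsvr32 under explorer produces nothing; in production the same grouping keeps one polyglot infection from becoming four unrelated alerts.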
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\farmtickle.bat
| MD5 | 23937572ef129eea43b202d55ae55889 |
| SHA1 | b9e0d1d51731669022536a43d78cdc3c9c8ab524 |
| SHA256 | 7842c673ba3e2000971d43f01b5000f71096822696913ead5f863c00b54480ae |
| SHA512 | dc6854379bceb9bdeff73a0bea32e899799deb22d380e243dbf464fbd30cdb2282d6fef729efb28dd8ffb846fa5190d9e716320d890d3a632f875913bf824aa1 |
C:\Users\Admin\AppData\Local\Temp\developback
| MD5 | 6ee4d167b37fd33367f52f69940fac3e |
| SHA1 | 53399ce699eab939e374ffae539910a9c1727d0f |
| SHA256 | 57ef19edd0b8456a464e6e9428fa4d966145f15b626f230be5dd083c79c8efe0 |
| SHA512 | 6557e323c054bf8022e170aa8ad0e9c1b374a4cd32085321767e790a97203bc5b568f0df759c140e1d74aa16db9ab76d997007c94614973e5e1a33c03abe69b6 |
C:\Users\Admin\AppData\Local\Temp\committeelunchroom.dll
| MD5 | e25ee77124ff26a5167d28fd3c6493f7 |
| SHA1 | 1c40976c6950009eb4d36dd15799e973409e9639 |
| SHA256 | 85c253acd652e6ceabcb0dc0fb1341f3251b41707cbc71e517c7a342d9780d43 |
| SHA512 | 6c15f22b36e66d1e92069053a62f826bf87aca0233bcdd1ff90730c3f8e65222b5be3eb8b558fb4bf91bb2e985e1aea0a1ce2da0cd087bff54363768f7bc8e98 |
memory/2700-4955-0x00000000008B0000-0x00000000008D1000-memory.dmp
memory/2700-4956-0x000000006D7C0000-0x000000006DA92000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-26 11:37
Reported
2023-10-26 11:43
Platform
win7-20231025-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\becomix.zip
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-26 11:37
Reported
2023-10-26 11:43
Platform
win10v2004-20231023-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\becomix.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.20.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |