Malware Analysis Report

2025-04-14 07:59

Sample ID 231027-m6abdafe27
Target 125829377955553.7z
SHA256 479f1eb9f9de5eedcb6c05d3e9c6297567d215bfba5cd03a2846c1ce86a59946
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral25, behavioral26, behavioral28, behavioral32, behavioral3, behavioral19, behavioral30, behavioral4, behavioral6, behavioral7, behavioral11, behavioral18, behavioral24, behavioral27, behavioral12, behavioral13, behavioral14, behavioral31, behavioral1, behavioral5, behavioral9, behavioral17, behavioral23, behavioral8, behavioral10, behavioral16, behavioral21, behavioral29, behavioral2, behavioral15, behavioral20, behavioral22 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

479f1eb9f9de5eedcb6c05d3e9c6297567d215bfba5cd03a2846c1ce86a59946

Threat Level: Known bad

The file 125829377955553.7z was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Techniques mapped from the behaviour recorded in the behavioral runs below:

T1204.002 User Execution: Malicious File (wscript.exe runs the FACTURA_*.js attachment)
T1059.007 Command and Scripting Interpreter: JavaScript
T1059.003 Command and Scripting Interpreter: Windows Command Shell (the .js is copied to a .bat and executed by cmd.exe)
T1027 Obfuscated Files or Information (payload stored as base64 inside the JS/BAT polyglot; code lines carry a marker word and are stripped with findstr /V)
T1140 Deobfuscate/Decode Files or Information (certutil -f -decode)
T1218.010 System Binary Proxy Execution: Regsvr32 (regsvr32 loads the decoded DLL from the user's Temp directory)
T1614 System Location Discovery (queries Control Panel\International\Geo\Nation)
T1082 System Information Discovery (enumerates physical storage devices)

Analysis: static1

Detonation Overview

Reported

2023-10-27 11:04

Signatures

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win7-20231023-en

Max time kernel

121s

Max time network

129s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\d0fd7e32bf5ce2e1781ad484e03644d58122912eb5b88de3ffbf3fa12d09c80b.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\d0fd7e32bf5ce2e1781ad484e03644d58122912eb5b88de3ffbf3fa12d09c80b.zip

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win10v2004-20231025-en

Max time kernel

140s

Max time network

158s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\d0fd7e32bf5ce2e1781ad484e03644d58122912eb5b88de3ffbf3fa12d09c80b.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\d0fd7e32bf5ce2e1781ad484e03644d58122912eb5b88de3ffbf3fa12d09c80b.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:08

Platform

win10v2004-20231020-en

Max time kernel

150s

Max time network

160s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\da6db77248718ea9cb22ea8b99d3030aa2838d241fdd2f64dbaaf60b02903f25.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\da6db77248718ea9cb22ea8b99d3030aa2838d241fdd2f64dbaaf60b02903f25.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:08

Platform

win10v2004-20231023-en

Max time kernel

147s

Max time network

165s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\df041e0c1f5e2a8cbdf2b7c77c21cc8892a010172ee77ce9b1f63629e0fd9ee2.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\df041e0c1f5e2a8cbdf2b7c77c21cc8892a010172ee77ce9b1f63629e0fd9ee2.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win7-20231020-en

Max time kernel

121s

Max time network

130s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1478723101.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1478723101.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1478723101.js" "C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat" && "C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat"

C:\Windows\system32\findstr.exe

findstr /V curecarve ""C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode vivacioussecond partoverwrought.dll

C:\Windows\system32\regsvr32.exe

regsvr32 partoverwrought.dll
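The process list above is the entire unpacking chain: the JScript copies itself to a .bat, findstr /V drops every line containing a marker word so that only the base64 blob is left (the > redirect into vivacioussecond is not visible because cmd.exe, not findstr, performs it, which is why that file appears under Files), certutil decodes the blob into the DLL and regsvr32 loads it. The script below is an added example, not part of the sandbox report or of the malware, that reproduces the chain statically so the DLL can be recovered and hashed without detonating anything. The dropper text it runs on is a constructed stand-in that mirrors the command lines above with a placeholder payload; the real FACTURA_*.js is not on this page, and the marker-in-every-code-line layout is an assumption drawn from how findstr /V is used here.

```python
"""Offline extractor for the JS/BAT polyglot dropper chain recorded in this report.

Emulates each step statically, without running the script:
  copy FACTURA_*.js <name>.bat     -> same bytes, new extension
  findstr /V <marker> <name>.bat   -> keep only lines that do NOT contain <marker>
  certutil -f -decode <blob> x.dll -> base64-decode what survived
Then checks that the result looks like a PE image and hashes it for comparison
with the DLL hashes listed under Files.
"""
import base64
import hashlib
import re


def find_marker(script_text: str) -> str:
    """Pull the marker word out of the dropper's own 'findstr /V <marker>' line.
    findstr matches case-sensitively unless /I is given, so the word is used as-is."""
    m = re.search(r'findstr\s+/V\s+"?([^\s"]+)"?', script_text)
    if not m:
        raise ValueError("no 'findstr /V <marker>' command found in script")
    return m.group(1)


def strip_marked_lines(script_text: str, marker: str) -> str:
    """findstr /V prints every line that does not contain the marker.
    In this dropper every JScript and batch line carries the marker (the findstr
    line itself included), so only the base64 payload survives."""
    return "\n".join(line for line in script_text.splitlines() if marker not in line)


def certutil_decode(blob: str) -> bytes:
    """Mimic 'certutil -decode': PEM-style -----BEGIN/END----- lines and whitespace
    are ignored, the remainder is decoded as base64."""
    body = "".join(
        line.strip()
        for line in blob.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def extract_payload(script_text: str) -> dict:
    """Run the whole chain and describe the recovered payload."""
    marker = find_marker(script_text)
    payload = certutil_decode(strip_marked_lines(script_text, marker))
    return {
        "marker": marker,
        "is_pe": payload[:2] == b"MZ",
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


# Constructed stand-in for FACTURA_1478723101.js: a JScript/batch polyglot whose
# code lines all carry the marker 'curecarve', wrapped around a base64 blob.
# FAKE_DLL is a placeholder byte string with an MZ header, not a real PE file.
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"constructed stand-in, not a real DLL\x00"
_B64 = base64.b64encode(FAKE_DLL).decode()
SAMPLE_DROPPER = "\n".join(
    [
        "// curecarve  JScript half, executed by wscript.exe",
        "var sh = new ActiveXObject('WScript.Shell'); // curecarve",
        "sh.Run('cmd /k copy \"' + WScript.ScriptFullName + '\" pinphysical.bat && pinphysical.bat'); // curecarve",
        "/* curecarve  batch half, executed once the file is renamed .bat",
        "@echo off & rem curecarve",
        'findstr /V curecarve "%~f0" > vivacioussecond & rem curecarve',
        "certutil -f -decode vivacioussecond partoverwrought.dll & rem curecarve",
        "regsvr32 partoverwrought.dll & rem curecarve",
        "-----BEGIN CERTIFICATE-----",
    ]
    + [_B64[i : i + 64] for i in range(0, len(_B64), 64)]
    + ["-----END CERTIFICATE-----", "*/ // curecarve"]
)

if __name__ == "__main__":
    print(extract_payload(SAMPLE_DROPPER))
```

Run it against a real sample by reading the .js into extract_payload; a recovered SHA-256 matching the partoverwrought.dll entry under Files confirms the chain was emulated correctly, and is_pe False means the marker or the base64 framing differs from the assumption made here.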

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\pinphysical.bat

MD5 3db5b96e1c9cf4583ea95d83152fd173
SHA1 e48cd61c57d0140096840aeb199a300af6423936
SHA256 6a2ba302bcf65d2520ecd5d477ed382a1b0d6bb010b84f1ee0f2223bef84ba16
SHA512 6fe9ba142bdb830ae1c073f20968df4a2958b7a9959a3ce3cf513038c0503048cd9f93b8be06035b34927ec0358e8c0349ed5efd81a91c50fa2ee0f904672feb

C:\Users\Admin\AppData\Local\Temp\vivacioussecond

MD5 acfa429912a2488f208734d0a9b39c55
SHA1 e4259ddb9c0c8ba037016c32da0782633b8536de
SHA256 d6ff5a3f5437351df4da8f9b335980d596299ac077f4b8c20062eb073af7bcfb
SHA512 087bcc0c74fd48fb76d1ad4e5513de69c4a8684e47324829d3b84e9f3a08fcc2a2c9629176d5f19bf4e1ecdc171eda535326b29d3bec16edb644021c0883ef10

C:\Users\Admin\AppData\Local\Temp\partoverwrought.dll

MD5 ce18786cd944962504bc77bb973294f8
SHA1 63291da25e666fa08a063086b10dc42e593b8067
SHA256 a8fadc416e4dcbd16da7cb752260044bbabec205c9e73f46b79fe06aab4ceb99
SHA512 ace0d6b322526a342f692bfbb720756cfa312a4a0d1037f05306639aa4094ec9149d9f146ec6fdd267df8b744f9816703a7a4e31f433ed3cde788bf826ed34a2

\Users\Admin\AppData\Local\Temp\partoverwrought.dll

MD5 ce18786cd944962504bc77bb973294f8
SHA1 63291da25e666fa08a063086b10dc42e593b8067
SHA256 a8fadc416e4dcbd16da7cb752260044bbabec205c9e73f46b79fe06aab4ceb99
SHA512 ace0d6b322526a342f692bfbb720756cfa312a4a0d1037f05306639aa4094ec9149d9f146ec6fdd267df8b744f9816703a7a4e31f433ed3cde788bf826ed34a2

memory/2400-5607-0x0000000000120000-0x0000000000141000-memory.dmp

memory/2400-5608-0x000000006D7C0000-0x000000006DBB6000-memory.dmp

memory/2400-5609-0x0000000000120000-0x0000000000141000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win7-20231020-en

Max time kernel

117s

Max time network

128s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\ccd10d0c856a95beeffdd47f9e6530e71f23b2f3700c6fa609acfe262d5f1522.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\ccd10d0c856a95beeffdd47f9e6530e71f23b2f3700c6fa609acfe262d5f1522.zip

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win10v2004-20231020-en

Max time kernel

142s

Max time network

151s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\da9a74db58c63c627e43a42e4b1f368cd13a34795e185414283393b9a4dcb813.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\da9a74db58c63c627e43a42e4b1f368cd13a34795e185414283393b9a4dcb813.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win10v2004-20231020-en

Max time kernel

145s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1478723101.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4120 wrote to memory of 1940 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 4120 wrote to memory of 1940 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 1940 wrote to memory of 2496 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1940 wrote to memory of 2496 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1940 wrote to memory of 456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 1940 wrote to memory of 456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 1940 wrote to memory of 732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1940 wrote to memory of 732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1478723101.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1478723101.js" "C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat" && "C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat"

C:\Windows\system32\findstr.exe

findstr /V curecarve ""C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode vivacioussecond partoverwrought.dll

C:\Windows\system32\regsvr32.exe

regsvr32 partoverwrought.dll
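The WriteProcessMemory rows and the command lines above give the full parent/child tree for this run: wscript.exe (4120) spawns cmd.exe (1940), which spawns findstr.exe (2496), certutil.exe (456) and regsvr32.exe (732). The following is an added detection example (editor's code, not from the sandbox vendor or the report) that evaluates that tree rather than single command lines, so that a lone certutil or regsvr32 invocation does not fire: it flags wscript.exe spawning a cmd.exe that copies a .js to a .bat, certutil -decode under that cmd.exe, and regsvr32 loading exactly the file certutil produced. The events are constructed from this run's PIDs and command lines; the ProcEvent shape and the parent PID given to wscript.exe (1000) are assumptions.

```python
"""Process-tree detection for the wscript -> cmd -> findstr/certutil/regsvr32 chain.

Input is a list of process-creation events (PID, parent PID, image name, command
line), the shape an EDR or Sysmon Event ID 1 feed provides. The rules key on
parent/child relationships, which is what keeps each LOLBin (certutil, regsvr32)
from firing on its own legitimate use.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case basename, e.g. "cmd.exe"
    cmdline: str


def detect_js_to_regsvr32_chain(events):
    """Return (technique, pid, reason) tuples for each rule that fires."""
    by_pid = {e.pid: e for e in events}
    findings = []
    decoded = {}    # cmd.exe pid -> files written by certutil -decode under it

    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Rule 1: wscript.exe launching cmd.exe that copies the running .js to .bat
        if e.image == "cmd.exe" and parent.image == "wscript.exe":
            if re.search(r'copy\s+"[^"]+\.js"\s+"[^"]+\.bat"', e.cmdline, re.I):
                findings.append(("T1059.007->T1059.003", e.pid,
                                 "wscript.exe spawned cmd.exe copying a .js to .bat (polyglot pivot)"))
        # Rule 2: certutil used as a decoder under that cmd.exe
        if e.image == "certutil.exe" and parent.image == "cmd.exe":
            m = re.search(r"-decode\s+(\S+)\s+(\S+)", e.cmdline, re.I)
            if m:
                decoded.setdefault(parent.pid, set()).add(m.group(2).lower())
                findings.append(("T1140", e.pid, f"certutil -decode wrote {m.group(2)}"))

    # Rule 3: regsvr32 loading exactly the file certutil produced under the same
    # cmd.exe (second pass so event order does not matter)
    for e in events:
        parent = by_pid.get(e.ppid)
        if e.image == "regsvr32.exe" and parent and parent.image == "cmd.exe":
            args = {a.strip('"').lower() for a in e.cmdline.split()[1:] if not a.startswith("/")}
            hit = args & decoded.get(parent.pid, set())
            if hit:
                findings.append(("T1218.010", e.pid,
                                 f"regsvr32 loaded certutil-decoded file {sorted(hit)[0]}"))
    return findings


# Constructed events using the PIDs and command lines of the behavioral4 run above.
# The findstr event is included to show it does not fire on its own.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(4120, 1000, "wscript.exe", rf"wscript.exe {TEMP}\FACTURA_1478723101.js"),
    ProcEvent(1940, 4120, "cmd.exe",
              rf'"C:\Windows\System32\cmd.exe" /k copy "{TEMP}\FACTURA_1478723101.js" '
              rf'"{TEMP}\\pinphysical.bat" && "{TEMP}\\pinphysical.bat"'),
    ProcEvent(2496, 1940, "findstr.exe", rf'findstr /V curecarve ""{TEMP}\\pinphysical.bat""'),
    ProcEvent(456, 1940, "certutil.exe", "certutil -f -decode vivacioussecond partoverwrought.dll"),
    ProcEvent(732, 1940, "regsvr32.exe", "regsvr32 partoverwrought.dll"),
]

if __name__ == "__main__":
    for technique, pid, reason in detect_js_to_regsvr32_chain(SAMPLE_EVENTS):
        print(f"{technique:<22} pid={pid:<5} {reason}")
```

Rule 3 is the one worth tuning in production: it only matches when the regsvr32 argument equals a certutil -decode output name under the same cmd.exe, which is exact for this family (the DLL is referenced by bare name in the Temp working directory) but should be widened to basename comparison if a variant passes a full path.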

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\pinphysical.bat

MD5 3db5b96e1c9cf4583ea95d83152fd173
SHA1 e48cd61c57d0140096840aeb199a300af6423936
SHA256 6a2ba302bcf65d2520ecd5d477ed382a1b0d6bb010b84f1ee0f2223bef84ba16
SHA512 6fe9ba142bdb830ae1c073f20968df4a2958b7a9959a3ce3cf513038c0503048cd9f93b8be06035b34927ec0358e8c0349ed5efd81a91c50fa2ee0f904672feb

C:\Users\Admin\AppData\Local\Temp\vivacioussecond

MD5 acfa429912a2488f208734d0a9b39c55
SHA1 e4259ddb9c0c8ba037016c32da0782633b8536de
SHA256 d6ff5a3f5437351df4da8f9b335980d596299ac077f4b8c20062eb073af7bcfb
SHA512 087bcc0c74fd48fb76d1ad4e5513de69c4a8684e47324829d3b84e9f3a08fcc2a2c9629176d5f19bf4e1ecdc171eda535326b29d3bec16edb644021c0883ef10

C:\Users\Admin\AppData\Local\Temp\partoverwrought.dll

MD5 ce18786cd944962504bc77bb973294f8
SHA1 63291da25e666fa08a063086b10dc42e593b8067
SHA256 a8fadc416e4dcbd16da7cb752260044bbabec205c9e73f46b79fe06aab4ceb99
SHA512 ace0d6b322526a342f692bfbb720756cfa312a4a0d1037f05306639aa4094ec9149d9f146ec6fdd267df8b744f9816703a7a4e31f433ed3cde788bf826ed34a2

memory/732-5607-0x0000000000BD0000-0x0000000000BF1000-memory.dmp

memory/732-5608-0x000000006D7C0000-0x000000006DBB6000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win10v2004-20231020-en

Max time kernel

143s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_3104517939.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 428 wrote to memory of 116 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 428 wrote to memory of 116 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 116 wrote to memory of 3064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 116 wrote to memory of 3064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 116 wrote to memory of 1456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 116 wrote to memory of 1456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 116 wrote to memory of 1352 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 116 wrote to memory of 1352 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_3104517939.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_3104517939.js" "C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat" && "C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat"

C:\Windows\system32\findstr.exe

findstr /V strangestriped ""C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode upsetbusy womanselection.dll

C:\Windows\system32\regsvr32.exe

regsvr32 womanselection.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\synonymoussad.bat

MD5 327a373e0e25a1c2092382a4afae2e08
SHA1 7ddd453a6bf635d46241700a34e51b8dba8f0d6c
SHA256 35843ae0b4d7d0b3839eebba3feb980ee9b5f583e0b778624d593d29741fa2ee
SHA512 b826d094b1dfd83290920f11037a5b09b1a4f2bd5def4752a8848fd317acc75a36ff8f3d08c3d35f6a00b0d591f4b63b838b6d351efaa8476b502796d558daeb

C:\Users\Admin\AppData\Local\Temp\upsetbusy

MD5 f183d3d74b21c168d931f48c372bf431
SHA1 864b7511699f642d0f0662be59c6154faf89fa10
SHA256 e4064513a6c8a3a27453d81903c55ae55f33eae855339473ff1bc5b6969e235e
SHA512 92db029907e42fd3a236c1860545907c0376aa5f1f68eff6671632271736ea14ec78fc16184317c3d8f990fdcd8d84555d86e92c2291822af66fd96072440311

C:\Users\Admin\AppData\Local\Temp\womanselection.dll

MD5 477f1313691864a4176c1666640dcccf
SHA1 39d05d2753ab358bf284ab43f32502aa11b35976
SHA256 48d1c1200b9f8b22be670df8c8b1c50237b867f12986338255fd72bf973b5a17
SHA512 d1edd127cfab80d35275c2230f2b52e7fcc3fa449e6d0ed273246fed6d5573855949fa504ce54c8adc5cb31831d33bb54ec0024473381994cf5f78f18981642b

memory/1352-7996-0x000000006D7C0000-0x000000006DC06000-memory.dmp

memory/1352-7995-0x0000000001080000-0x00000000010A1000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win7-20231023-en

Max time kernel

118s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js" "C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat" && "C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat"

C:\Windows\system32\findstr.exe

findstr /V carelesspart ""C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode spraydevelop tailstitch.dll

C:\Windows\system32\regsvr32.exe

regsvr32 tailstitch.dll

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\mercifullean.bat

MD5 06b78388e5785d4b2933672d4e9ded74
SHA1 fe7ce04cbcd5de3d4b17034149518c325441b6db
SHA256 0a2b6a17137991a8c39c1e7571ef211ed281fa7fc1d6691eba70bbacd40d739b
SHA512 64f02712551e733881978a84569f6d9eb27abfba4746f703d8b24894421d9f7ecb93bb91689a7faa197878231f659138f226f510d08ef02a8e57e4a03f7bb264

C:\Users\Admin\AppData\Local\Temp\spraydevelop

MD5 00e6818fc3c6403b9e01ada5c7fa0aad
SHA1 bf9e6b1e58468109abab919553f7101e1a62ee8e
SHA256 e6da9f6b5dd70333dd333c24fdd72e74ea1352fb0fdfa6ed8fa58f3a3afa286a
SHA512 a05060086019d6455d458f79c631bb7d0b868b3bd57e9e2cef702e9ea73cd0c2996133fd7be30bc38c824719293f3ffe063008a1f2f26975efe80d2e749cc5aa

C:\Users\Admin\AppData\Local\Temp\tailstitch.dll

MD5 11554db63b6bce5e73c385980d5bb0f4
SHA1 f7b6a42212981b29ce90f9a92b9a83b30772f970
SHA256 f99c9e0477e89dafc30d9b1c91c4ee08e5f27e72c0966fb7a44cf7a8f8457c2b
SHA512 cec79e8f63012e5365441e289f4f5949b37b296f3a3d6fe60f27c37c1eca7334990b8a50d0aec60ac448aa1173be03b127c1a18fb96496093b341b76afff3982

\Users\Admin\AppData\Local\Temp\tailstitch.dll

MD5 11554db63b6bce5e73c385980d5bb0f4
SHA1 f7b6a42212981b29ce90f9a92b9a83b30772f970
SHA256 f99c9e0477e89dafc30d9b1c91c4ee08e5f27e72c0966fb7a44cf7a8f8457c2b
SHA512 cec79e8f63012e5365441e289f4f5949b37b296f3a3d6fe60f27c37c1eca7334990b8a50d0aec60ac448aa1173be03b127c1a18fb96496093b341b76afff3982

memory/1332-9831-0x000000006D7C0000-0x000000006DC24000-memory.dmp

memory/1332-9830-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/1332-9832-0x00000000001B0000-0x00000000001D1000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win7-20231023-en

Max time kernel

122s

Max time network

128s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1324819148.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1324819148.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1324819148.js" "C:\Users\Admin\AppData\Local\Temp\\farmossified.bat" && "C:\Users\Admin\AppData\Local\Temp\\farmossified.bat"

C:\Windows\system32\findstr.exe

findstr /V pestcalculator ""C:\Users\Admin\AppData\Local\Temp\\farmossified.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode festivewaggish mournpastoral.dll

C:\Windows\system32\regsvr32.exe

regsvr32 mournpastoral.dll

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\farmossified.bat

MD5 397ff04b5a64bd1f89b92819bb92e086
SHA1 94dbafbf953881732757956132c93b52b1940dfe
SHA256 3bdb2e4bada14fdda4b518959e9375814158b877516d2ff77ec8886a7926e28a
SHA512 7ed326a43bc2438162a931e9733db98e7beec5372516e1de06dd90b0e9c23b81962b8e83a60fefe8a5c4e620a04148e10e57f8dbb1666b6c9ca951041d17fd67

C:\Users\Admin\AppData\Local\Temp\festivewaggish

MD5 341f3b9ea1746dff428bbc568ea0b6f5
SHA1 d52dd921199ce7d5a95632dfc768bf4aa19c209c
SHA256 5258b99c488332b011fcb6157de260a9e7fe439e05821e6995f795fb40f86067
SHA512 694c402e9314c270a83f33f20ca478367e22de927edded69643e35c3ea968b75f8710549a9c2162a075dde05b8aa5f460fce507b740e12e061f0926eb05d229f

C:\Users\Admin\AppData\Local\Temp\mournpastoral.dll

MD5 db4a7c58c2087a38447e198fb999c0f0
SHA1 ac9d1a3f574073c050ddb3afdcf6863c553f3579
SHA256 5c1508f5353265929def3af0f093bd9580f7589f63b196bce37cf5bcd3073c8f
SHA512 08ca1c58e709474c9240ff45f2a31f06b6fbc8d8d3f7d1ad6d9983a352717309c86a171dbb07bfcdb21a28c657cf21582c1a630b9604a977f5a34e6222981425

\Users\Admin\AppData\Local\Temp\mournpastoral.dll

MD5 db4a7c58c2087a38447e198fb999c0f0
SHA1 ac9d1a3f574073c050ddb3afdcf6863c553f3579
SHA256 5c1508f5353265929def3af0f093bd9580f7589f63b196bce37cf5bcd3073c8f
SHA512 08ca1c58e709474c9240ff45f2a31f06b6fbc8d8d3f7d1ad6d9983a352717309c86a171dbb07bfcdb21a28c657cf21582c1a630b9604a977f5a34e6222981425

memory/1468-5374-0x00000000002A0000-0x00000000002C1000-memory.dmp

memory/1468-5375-0x000000006D7C0000-0x000000006DA77000-memory.dmp

memory/1468-5376-0x00000000002A0000-0x00000000002C1000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:08

Platform

win10v2004-20231020-en

Max time kernel

144s

Max time network

158s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\c1158c88f7951a14ff2436e679719e1b57d56002f1050b340b1fdd9bf37ee4d8.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\c1158c88f7951a14ff2436e679719e1b57d56002f1050b340b1fdd9bf37ee4d8.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:08

Platform

win10v2004-20231023-en

Max time kernel

136s

Max time network

157s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\cfd9efc4bcffd83c78da7165035918144b394a79b2fb60305f8993e35ee2986b.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\cfd9efc4bcffd83c78da7165035918144b394a79b2fb60305f8993e35ee2986b.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win7-20231023-en

Max time kernel

118s

Max time network

124s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\da6db77248718ea9cb22ea8b99d3030aa2838d241fdd2f64dbaaf60b02903f25.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\da6db77248718ea9cb22ea8b99d3030aa2838d241fdd2f64dbaaf60b02903f25.zip

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win10v2004-20231020-en

Max time kernel

90s

Max time network

160s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1324819148.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3944 wrote to memory of 1512 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 3944 wrote to memory of 1512 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 1512 wrote to memory of 2376 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1512 wrote to memory of 2376 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1512 wrote to memory of 4900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 1512 wrote to memory of 4900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 1512 wrote to memory of 2000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1512 wrote to memory of 2000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1324819148.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1324819148.js" "C:\Users\Admin\AppData\Local\Temp\\farmossified.bat" && "C:\Users\Admin\AppData\Local\Temp\\farmossified.bat"

C:\Windows\system32\findstr.exe

findstr /V pestcalculator ""C:\Users\Admin\AppData\Local\Temp\\farmossified.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode festivewaggish mournpastoral.dll

C:\Windows\system32\regsvr32.exe

regsvr32 mournpastoral.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\farmossified.bat

MD5 397ff04b5a64bd1f89b92819bb92e086
SHA1 94dbafbf953881732757956132c93b52b1940dfe
SHA256 3bdb2e4bada14fdda4b518959e9375814158b877516d2ff77ec8886a7926e28a
SHA512 7ed326a43bc2438162a931e9733db98e7beec5372516e1de06dd90b0e9c23b81962b8e83a60fefe8a5c4e620a04148e10e57f8dbb1666b6c9ca951041d17fd67

C:\Users\Admin\AppData\Local\Temp\festivewaggish

MD5 341f3b9ea1746dff428bbc568ea0b6f5
SHA1 d52dd921199ce7d5a95632dfc768bf4aa19c209c
SHA256 5258b99c488332b011fcb6157de260a9e7fe439e05821e6995f795fb40f86067
SHA512 694c402e9314c270a83f33f20ca478367e22de927edded69643e35c3ea968b75f8710549a9c2162a075dde05b8aa5f460fce507b740e12e061f0926eb05d229f

C:\Users\Admin\AppData\Local\Temp\mournpastoral.dll

MD5 db4a7c58c2087a38447e198fb999c0f0
SHA1 ac9d1a3f574073c050ddb3afdcf6863c553f3579
SHA256 5c1508f5353265929def3af0f093bd9580f7589f63b196bce37cf5bcd3073c8f
SHA512 08ca1c58e709474c9240ff45f2a31f06b6fbc8d8d3f7d1ad6d9983a352717309c86a171dbb07bfcdb21a28c657cf21582c1a630b9604a977f5a34e6222981425

memory/2000-5375-0x000000006D7C0000-0x000000006DA77000-memory.dmp

memory/2000-5374-0x0000000000560000-0x0000000000581000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win7-20231020-en

Max time kernel

117s

Max time network

128s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js" "C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat" && "C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat"

C:\Windows\system32\findstr.exe

findstr /V dwxhhghdszkwxfyzjjjbfasobxdivpofqrabxdjslzwladvmtu ""C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode ydehnrtmtaxivskgglhryiuutrxcsrpkzqcstwyelzxxzmxtxc iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll

C:\Windows\system32\rundll32.exe

rundll32 iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll,x

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat

MD5 c41b0c8acc549b2356e6a0ef252955e8
SHA1 21e762814c7fad20f4c40b9c8a96cc5c4e92b096
SHA256 64069ffa43a427fb63754153895054ece510e28adc6485d59d62a52a0a83539b
SHA512 7f018455048bf53a71f3dd15334fb6f07ba5f03f59be0f6b6296a1d18f471af9916f57115b3fe84445e10b07ed644939afd8897e1538aa7c113e29a442fe4a72

C:\Users\Admin\AppData\Local\Temp\ydehnrtmtaxivskgglhryiuutrxcsrpkzqcstwyelzxxzmxtxc

MD5 bb8e896461540afc2b9c2267f2589536
SHA1 d53dd7d0fbd78cd40fdacca15c43ddcd87b593f3
SHA256 29a79976e3fd2c26fa3f572a5838768375796946ddca4ac0e0c4aef5e2f9b26a
SHA512 61900661ddc5c5fa2f3236a04884044c13d2ac28511f4bfd61013f9f63811b795187a3bec83d71459db17c553bee8ec81ae82944819aeeada4d43750505a8e34

C:\Users\Admin\AppData\Local\Temp\iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll

MD5 eaf3750d024b66e57d731ecd3eb4d6c2
SHA1 7f70594c99523d1e25e11424762d7b5f5adc6f43
SHA256 7a4d34794aa0fd9b70bed2a9446bd060496f31e1ee52084a4c0c08ce1f1346b6
SHA512 45de48b7b4c59e96ba1422a2bfa68d138f4f63e1ae3e125e3880022504fe60c72a8f14047d015be953f3aad13be0a4ea99178d7525af9d8baf7de1c232d862de

\Users\Admin\AppData\Local\Temp\iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll

MD5 eaf3750d024b66e57d731ecd3eb4d6c2
SHA1 7f70594c99523d1e25e11424762d7b5f5adc6f43
SHA256 7a4d34794aa0fd9b70bed2a9446bd060496f31e1ee52084a4c0c08ce1f1346b6
SHA512 45de48b7b4c59e96ba1422a2bfa68d138f4f63e1ae3e125e3880022504fe60c72a8f14047d015be953f3aad13be0a4ea99178d7525af9d8baf7de1c232d862de

memory/2600-44-0x000000006D7C0000-0x000000006D88E000-memory.dmp

memory/2600-45-0x0000000000100000-0x0000000000121000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win10v2004-20231025-en

Max time kernel

143s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 4972 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 4972 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 4972 wrote to memory of 4132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 4972 wrote to memory of 3112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js" "C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat" && "C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat"

C:\Windows\system32\findstr.exe

findstr /V dwxhhghdszkwxfyzjjjbfasobxdivpofqrabxdjslzwladvmtu ""C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode ydehnrtmtaxivskgglhryiuutrxcsrpkzqcstwyelzxxzmxtxc iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll

C:\Windows\system32\rundll32.exe

rundll32 iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll,x

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat

MD5 c41b0c8acc549b2356e6a0ef252955e8
SHA1 21e762814c7fad20f4c40b9c8a96cc5c4e92b096
SHA256 64069ffa43a427fb63754153895054ece510e28adc6485d59d62a52a0a83539b
SHA512 7f018455048bf53a71f3dd15334fb6f07ba5f03f59be0f6b6296a1d18f471af9916f57115b3fe84445e10b07ed644939afd8897e1538aa7c113e29a442fe4a72

C:\Users\Admin\AppData\Local\Temp\ydehnrtmtaxivskgglhryiuutrxcsrpkzqcstwyelzxxzmxtxc

MD5 bb8e896461540afc2b9c2267f2589536
SHA1 d53dd7d0fbd78cd40fdacca15c43ddcd87b593f3
SHA256 29a79976e3fd2c26fa3f572a5838768375796946ddca4ac0e0c4aef5e2f9b26a
SHA512 61900661ddc5c5fa2f3236a04884044c13d2ac28511f4bfd61013f9f63811b795187a3bec83d71459db17c553bee8ec81ae82944819aeeada4d43750505a8e34

C:\Users\Admin\AppData\Local\Temp\iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll

MD5 eaf3750d024b66e57d731ecd3eb4d6c2
SHA1 7f70594c99523d1e25e11424762d7b5f5adc6f43
SHA256 7a4d34794aa0fd9b70bed2a9446bd060496f31e1ee52084a4c0c08ce1f1346b6
SHA512 45de48b7b4c59e96ba1422a2bfa68d138f4f63e1ae3e125e3880022504fe60c72a8f14047d015be953f3aad13be0a4ea99178d7525af9d8baf7de1c232d862de

memory/3112-41-0x0000028A30D70000-0x0000028A30D91000-memory.dmp

memory/3112-42-0x000000006D7C0000-0x000000006D88E000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:08

Platform

win7-20231023-en

Max time kernel

117s

Max time network

127s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\df041e0c1f5e2a8cbdf2b7c77c21cc8892a010172ee77ce9b1f63629e0fd9ee2.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\df041e0c1f5e2a8cbdf2b7c77c21cc8892a010172ee77ce9b1f63629e0fd9ee2.zip

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win7-20231020-en

Max time kernel

118s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js" "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat" && "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat"

C:\Windows\system32\findstr.exe

findstr /V bashfulspade ""C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode brokenprecede habitualworkable.dll

C:\Windows\system32\regsvr32.exe

regsvr32 habitualworkable.dll

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tangywoebegone.bat

MD5 84132ef0bb6ad44e0f34f0ffee42a5eb
SHA1 c0053fa7d8afbdbcc72ad21bc481e1bbea676216
SHA256 9767f0206ecff1cb54c38fdad51251bcc5151906a66fe7eb7b733bc9edf1d415
SHA512 1a7f8e5b7fa843e44956971de974bdf15cc4df137ca03a75d47d99e1bd8177ff6ea0cf863adc7916d8c812691221578375000db46de69c17896e4f969427b43b

C:\Users\Admin\AppData\Local\Temp\brokenprecede

MD5 22ae5a6ad3c032823b1035182ef6b563
SHA1 dfe710bfe8c8ca98d2a3c8ec247285d975536c55
SHA256 63acc839c86de404d4abba3b4380c1e5377e057589344ac0b19032fd5340c5be
SHA512 30ae54422334615d38fb9a32d104cf50b658314b37b85159b855b87e3f8fdb822fe1dfa577b5b2b26f487f015694a43a953d8ac9fbf030c364512514717219cd

C:\Users\Admin\AppData\Local\Temp\habitualworkable.dll

MD5 a33c0faac0c19fa9703d78d8bf4d38ed
SHA1 857acb13ffb952340ba066fbc6194db78b2c7e37
SHA256 ac56297616518dff53fa5e01e7a1508a6db46321c5c453a034396214e7edad4b
SHA512 542be33bda3adc4e54f42e73fa5f455925ae4d9eac93cc3a17921bc70e599d9d86cb273bc57537502e38b8d685d8490c65a5855335a3bbe07614bc3b73098cdf

\Users\Admin\AppData\Local\Temp\habitualworkable.dll

MD5 a33c0faac0c19fa9703d78d8bf4d38ed
SHA1 857acb13ffb952340ba066fbc6194db78b2c7e37
SHA256 ac56297616518dff53fa5e01e7a1508a6db46321c5c453a034396214e7edad4b
SHA512 542be33bda3adc4e54f42e73fa5f455925ae4d9eac93cc3a17921bc70e599d9d86cb273bc57537502e38b8d685d8490c65a5855335a3bbe07614bc3b73098cdf

memory/2832-5281-0x0000000000120000-0x0000000000141000-memory.dmp

memory/2832-5282-0x000000006D7C0000-0x000000006DB68000-memory.dmp

memory/2832-5283-0x0000000000120000-0x0000000000141000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win7-20231025-en

Max time kernel

122s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_3104517939.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_3104517939.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_3104517939.js" "C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat" && "C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat"

C:\Windows\system32\findstr.exe

findstr /V strangestriped ""C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode upsetbusy womanselection.dll

C:\Windows\system32\regsvr32.exe

regsvr32 womanselection.dll

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\synonymoussad.bat

MD5 327a373e0e25a1c2092382a4afae2e08
SHA1 7ddd453a6bf635d46241700a34e51b8dba8f0d6c
SHA256 35843ae0b4d7d0b3839eebba3feb980ee9b5f583e0b778624d593d29741fa2ee
SHA512 b826d094b1dfd83290920f11037a5b09b1a4f2bd5def4752a8848fd317acc75a36ff8f3d08c3d35f6a00b0d591f4b63b838b6d351efaa8476b502796d558daeb

C:\Users\Admin\AppData\Local\Temp\upsetbusy

MD5 f183d3d74b21c168d931f48c372bf431
SHA1 864b7511699f642d0f0662be59c6154faf89fa10
SHA256 e4064513a6c8a3a27453d81903c55ae55f33eae855339473ff1bc5b6969e235e
SHA512 92db029907e42fd3a236c1860545907c0376aa5f1f68eff6671632271736ea14ec78fc16184317c3d8f990fdcd8d84555d86e92c2291822af66fd96072440311

C:\Users\Admin\AppData\Local\Temp\womanselection.dll

MD5 477f1313691864a4176c1666640dcccf
SHA1 39d05d2753ab358bf284ab43f32502aa11b35976
SHA256 48d1c1200b9f8b22be670df8c8b1c50237b867f12986338255fd72bf973b5a17
SHA512 d1edd127cfab80d35275c2230f2b52e7fcc3fa449e6d0ed273246fed6d5573855949fa504ce54c8adc5cb31831d33bb54ec0024473381994cf5f78f18981642b

\Users\Admin\AppData\Local\Temp\womanselection.dll

MD5 477f1313691864a4176c1666640dcccf
SHA1 39d05d2753ab358bf284ab43f32502aa11b35976
SHA256 48d1c1200b9f8b22be670df8c8b1c50237b867f12986338255fd72bf973b5a17
SHA512 d1edd127cfab80d35275c2230f2b52e7fcc3fa449e6d0ed273246fed6d5573855949fa504ce54c8adc5cb31831d33bb54ec0024473381994cf5f78f18981642b

memory/2656-7995-0x00000000004B0000-0x00000000004D1000-memory.dmp

memory/2656-7996-0x000000006D7C0000-0x000000006DC06000-memory.dmp

memory/2656-7997-0x00000000004B0000-0x00000000004D1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win7-20231020-en

Max time kernel

122s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20218238767362.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20218238767362.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF20218238767362.js" "C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat" && "C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat"

C:\Windows\system32\findstr.exe

findstr /V rmoulbhzypessjkwzujxsjanxvefrotukiloadqzppmwujgzdf ""C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode iexbhpcchrxfgymholozzfrmmegxsjewaupjcikfkdoipnpzpi xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll

C:\Windows\system32\rundll32.exe

rundll32 xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll,x

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat

MD5 0ab8b08e9c92bf1405755833d9409a95
SHA1 9fbf7143a55c83845815502c413e9eecdd74677e
SHA256 1e81b9479b419372da9ef8ce7f50a98becc218c8605f09d034a5a6514e86f607
SHA512 7e4d91c77087433209f8f74573e10d6a05ad951b48c5fc6ce15aba8b36252110a97b9747b9b47bbf549e372e45eb599afc1ca6425536f7617fa0a67f5145eb13

C:\Users\Admin\AppData\Local\Temp\iexbhpcchrxfgymholozzfrmmegxsjewaupjcikfkdoipnpzpi

MD5 333e4540d003b671b0fab4bf108dfcc4
SHA1 bc3025b87eebd678e622955f6306fd5ce768e94a
SHA256 177fa2cfda97c4fd97f41b742e0ae0d5742c91d6c31fbce9b276e4b8fe5788f7
SHA512 f4498a3c1df15c426c381faa1c549549418061539ad4b87b20f7d996af1a7a599ddb36d05f650c28412e07d1d38d348d44afa2a94f604bed16ac5bf858ac988a

C:\Users\Admin\AppData\Local\Temp\xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll

MD5 0a7d89eb1cc9ed86183d6cc08c004ba3
SHA1 6a12bbfa326dd92c5118ed07536fb8908ccc4d02
SHA256 73621fdd560b242fdb88c777b08e942701cba31df0954781702891879812caf8
SHA512 75317829ce34323f57898187532ac4424ab9d2271a3007453f5049390f21059a181bf5ce37b5f237290cb3da62789ee54a5efa0c9fc04b3dd4ffc2efbe5c3e1c

\Users\Admin\AppData\Local\Temp\xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll

MD5 0a7d89eb1cc9ed86183d6cc08c004ba3
SHA1 6a12bbfa326dd92c5118ed07536fb8908ccc4d02
SHA256 73621fdd560b242fdb88c777b08e942701cba31df0954781702891879812caf8
SHA512 75317829ce34323f57898187532ac4424ab9d2271a3007453f5049390f21059a181bf5ce37b5f237290cb3da62789ee54a5efa0c9fc04b3dd4ffc2efbe5c3e1c

memory/2020-45-0x000000006D7C0000-0x000000006D887000-memory.dmp

memory/2020-44-0x0000000001CC0000-0x0000000001CE1000-memory.dmp

memory/2020-46-0x0000000001CC0000-0x0000000001CE1000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win7-20231023-en

Max time kernel

120s

Max time network

126s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\c1158c88f7951a14ff2436e679719e1b57d56002f1050b340b1fdd9bf37ee4d8.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\c1158c88f7951a14ff2436e679719e1b57d56002f1050b340b1fdd9bf37ee4d8.zip

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:08

Platform

win7-20231023-en

Max time kernel

120s

Max time network

130s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\cfd9efc4bcffd83c78da7165035918144b394a79b2fb60305f8993e35ee2986b.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\cfd9efc4bcffd83c78da7165035918144b394a79b2fb60305f8993e35ee2986b.zip

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win10v2004-20231023-en

Max time kernel

139s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 4980 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 4980 wrote to memory of 4116 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 4980 wrote to memory of 1784 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 4980 wrote to memory of 4956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js" "C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat" && "C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat"

C:\Windows\system32\findstr.exe

findstr /V carelesspart ""C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode spraydevelop tailstitch.dll

C:\Windows\system32\regsvr32.exe

regsvr32 tailstitch.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\mercifullean.bat

MD5 06b78388e5785d4b2933672d4e9ded74
SHA1 fe7ce04cbcd5de3d4b17034149518c325441b6db
SHA256 0a2b6a17137991a8c39c1e7571ef211ed281fa7fc1d6691eba70bbacd40d739b
SHA512 64f02712551e733881978a84569f6d9eb27abfba4746f703d8b24894421d9f7ecb93bb91689a7faa197878231f659138f226f510d08ef02a8e57e4a03f7bb264

C:\Users\Admin\AppData\Local\Temp\spraydevelop

MD5 00e6818fc3c6403b9e01ada5c7fa0aad
SHA1 bf9e6b1e58468109abab919553f7101e1a62ee8e
SHA256 e6da9f6b5dd70333dd333c24fdd72e74ea1352fb0fdfa6ed8fa58f3a3afa286a
SHA512 a05060086019d6455d458f79c631bb7d0b868b3bd57e9e2cef702e9ea73cd0c2996133fd7be30bc38c824719293f3ffe063008a1f2f26975efe80d2e749cc5aa

C:\Users\Admin\AppData\Local\Temp\tailstitch.dll

MD5 11554db63b6bce5e73c385980d5bb0f4
SHA1 f7b6a42212981b29ce90f9a92b9a83b30772f970
SHA256 f99c9e0477e89dafc30d9b1c91c4ee08e5f27e72c0966fb7a44cf7a8f8457c2b
SHA512 cec79e8f63012e5365441e289f4f5949b37b296f3a3d6fe60f27c37c1eca7334990b8a50d0aec60ac448aa1173be03b127c1a18fb96496093b341b76afff3982

memory/4956-9831-0x000000006D7C0000-0x000000006DC24000-memory.dmp

memory/4956-9830-0x0000000000F10000-0x0000000000F31000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win10v2004-20231023-en

Max time kernel

90s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20218238767362.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1800 wrote to memory of 2144 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2144 wrote to memory of 5072 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2144 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2144 wrote to memory of 4188 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20218238767362.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF20218238767362.js" "C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat" && "C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat"

C:\Windows\system32\findstr.exe

findstr /V rmoulbhzypessjkwzujxsjanxvefrotukiloadqzppmwujgzdf ""C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode iexbhpcchrxfgymholozzfrmmegxsjewaupjcikfkdoipnpzpi xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll

C:\Windows\system32\rundll32.exe

rundll32 xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll,x

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat

MD5 0ab8b08e9c92bf1405755833d9409a95
SHA1 9fbf7143a55c83845815502c413e9eecdd74677e
SHA256 1e81b9479b419372da9ef8ce7f50a98becc218c8605f09d034a5a6514e86f607
SHA512 7e4d91c77087433209f8f74573e10d6a05ad951b48c5fc6ce15aba8b36252110a97b9747b9b47bbf549e372e45eb599afc1ca6425536f7617fa0a67f5145eb13

C:\Users\Admin\AppData\Local\Temp\iexbhpcchrxfgymholozzfrmmegxsjewaupjcikfkdoipnpzpi

MD5 333e4540d003b671b0fab4bf108dfcc4
SHA1 bc3025b87eebd678e622955f6306fd5ce768e94a
SHA256 177fa2cfda97c4fd97f41b742e0ae0d5742c91d6c31fbce9b276e4b8fe5788f7
SHA512 f4498a3c1df15c426c381faa1c549549418061539ad4b87b20f7d996af1a7a599ddb36d05f650c28412e07d1d38d348d44afa2a94f604bed16ac5bf858ac988a

C:\Users\Admin\AppData\Local\Temp\xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll

MD5 0a7d89eb1cc9ed86183d6cc08c004ba3
SHA1 6a12bbfa326dd92c5118ed07536fb8908ccc4d02
SHA256 73621fdd560b242fdb88c777b08e942701cba31df0954781702891879812caf8
SHA512 75317829ce34323f57898187532ac4424ab9d2271a3007453f5049390f21059a181bf5ce37b5f237290cb3da62789ee54a5efa0c9fc04b3dd4ffc2efbe5c3e1c

memory/4188-41-0x000001865E120000-0x000001865E141000-memory.dmp

memory/4188-42-0x000000006D7C0000-0x000000006D887000-memory.dmp

memory/4188-43-0x000001865E120000-0x000001865E141000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:08

Platform

win10v2004-20231023-en

Max time kernel

137s

Max time network

158s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\b88e361f5db949317650956480502f6391359798fd85c0341c8c43c30fc361be.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\b88e361f5db949317650956480502f6391359798fd85c0341c8c43c30fc361be.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win7-20231025-en

Max time kernel

120s

Max time network

126s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\cea14b7d1bffe66e3139930602537416b723f2b685e08d5680fc677c5730d4af.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\cea14b7d1bffe66e3139930602537416b723f2b685e08d5680fc677c5730d4af.zip

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:08

Platform

win7-20231020-en

Max time kernel

117s

Max time network

124s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\da9a74db58c63c627e43a42e4b1f368cd13a34795e185414283393b9a4dcb813.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\da9a74db58c63c627e43a42e4b1f368cd13a34795e185414283393b9a4dcb813.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win10v2004-20231023-en

Max time kernel

115s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4512 wrote to memory of 1772 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 1772 wrote to memory of 4852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1772 wrote to memory of 3032 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 1772 wrote to memory of 1948 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js" "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat" && "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat"

C:\Windows\system32\findstr.exe

findstr /V bashfulspade ""C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode brokenprecede habitualworkable.dll

C:\Windows\system32\regsvr32.exe

regsvr32 habitualworkable.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tangywoebegone.bat

MD5 84132ef0bb6ad44e0f34f0ffee42a5eb
SHA1 c0053fa7d8afbdbcc72ad21bc481e1bbea676216
SHA256 9767f0206ecff1cb54c38fdad51251bcc5151906a66fe7eb7b733bc9edf1d415
SHA512 1a7f8e5b7fa843e44956971de974bdf15cc4df137ca03a75d47d99e1bd8177ff6ea0cf863adc7916d8c812691221578375000db46de69c17896e4f969427b43b

C:\Users\Admin\AppData\Local\Temp\brokenprecede

MD5 22ae5a6ad3c032823b1035182ef6b563
SHA1 dfe710bfe8c8ca98d2a3c8ec247285d975536c55
SHA256 63acc839c86de404d4abba3b4380c1e5377e057589344ac0b19032fd5340c5be
SHA512 30ae54422334615d38fb9a32d104cf50b658314b37b85159b855b87e3f8fdb822fe1dfa577b5b2b26f487f015694a43a953d8ac9fbf030c364512514717219cd

C:\Users\Admin\AppData\Local\Temp\habitualworkable.dll

MD5 a33c0faac0c19fa9703d78d8bf4d38ed
SHA1 857acb13ffb952340ba066fbc6194db78b2c7e37
SHA256 ac56297616518dff53fa5e01e7a1508a6db46321c5c453a034396214e7edad4b
SHA512 542be33bda3adc4e54f42e73fa5f455925ae4d9eac93cc3a17921bc70e599d9d86cb273bc57537502e38b8d685d8490c65a5855335a3bbe07614bc3b73098cdf

memory/1948-5281-0x0000000002500000-0x0000000002521000-memory.dmp

memory/1948-5282-0x000000006D7C0000-0x000000006DB68000-memory.dmp

memory/1948-5283-0x0000000002500000-0x0000000002521000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:08

Platform

win7-20231023-en

Max time kernel

120s

Max time network

130s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\b88e361f5db949317650956480502f6391359798fd85c0341c8c43c30fc361be.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\b88e361f5db949317650956480502f6391359798fd85c0341c8c43c30fc361be.zip

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:07

Platform

win10v2004-20231020-en

Max time kernel

129s

Max time network

155s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\ccd10d0c856a95beeffdd47f9e6530e71f23b2f3700c6fa609acfe262d5f1522.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\ccd10d0c856a95beeffdd47f9e6530e71f23b2f3700c6fa609acfe262d5f1522.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-10-27 11:04

Reported

2023-10-27 11:08

Platform

win10v2004-20231023-en

Max time kernel

140s

Max time network

157s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\cea14b7d1bffe66e3139930602537416b723f2b685e08d5680fc677c5730d4af.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\cea14b7d1bffe66e3139930602537416b723f2b685e08d5680fc677c5730d4af.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

N/A