Analysis Overview
SHA256
479f1eb9f9de5eedcb6c05d3e9c6297567d215bfba5cd03a2846c1ce86a59946
Threat Level: Known bad
The file 125829377955553.7z was found to be: Known bad.
Malicious Activity Summary
Strela
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-27 11:04
Signatures
Analysis: behavioral25
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win7-20231023-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\d0fd7e32bf5ce2e1781ad484e03644d58122912eb5b88de3ffbf3fa12d09c80b.zip
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win10v2004-20231025-en
Max time kernel
140s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\d0fd7e32bf5ce2e1781ad484e03644d58122912eb5b88de3ffbf3fa12d09c80b.zip
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:08
Platform
win10v2004-20231020-en
Max time kernel
150s
Max time network
160s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\da6db77248718ea9cb22ea8b99d3030aa2838d241fdd2f64dbaaf60b02903f25.zip
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:08
Platform
win10v2004-20231023-en
Max time kernel
147s
Max time network
165s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\df041e0c1f5e2a8cbdf2b7c77c21cc8892a010172ee77ce9b1f63629e0fd9ee2.zip
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win7-20231020-en
Max time kernel
121s
Max time network
130s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1478723101.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1478723101.js" "C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat" && "C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat"
C:\Windows\system32\findstr.exe
findstr /V curecarve ""C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode vivacioussecond partoverwrought.dll
C:\Windows\system32\regsvr32.exe
regsvr32 partoverwrought.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\pinphysical.bat
| MD5 | 3db5b96e1c9cf4583ea95d83152fd173 |
| SHA1 | e48cd61c57d0140096840aeb199a300af6423936 |
| SHA256 | 6a2ba302bcf65d2520ecd5d477ed382a1b0d6bb010b84f1ee0f2223bef84ba16 |
| SHA512 | 6fe9ba142bdb830ae1c073f20968df4a2958b7a9959a3ce3cf513038c0503048cd9f93b8be06035b34927ec0358e8c0349ed5efd81a91c50fa2ee0f904672feb |
C:\Users\Admin\AppData\Local\Temp\vivacioussecond
| MD5 | acfa429912a2488f208734d0a9b39c55 |
| SHA1 | e4259ddb9c0c8ba037016c32da0782633b8536de |
| SHA256 | d6ff5a3f5437351df4da8f9b335980d596299ac077f4b8c20062eb073af7bcfb |
| SHA512 | 087bcc0c74fd48fb76d1ad4e5513de69c4a8684e47324829d3b84e9f3a08fcc2a2c9629176d5f19bf4e1ecdc171eda535326b29d3bec16edb644021c0883ef10 |
C:\Users\Admin\AppData\Local\Temp\partoverwrought.dll
| MD5 | ce18786cd944962504bc77bb973294f8 |
| SHA1 | 63291da25e666fa08a063086b10dc42e593b8067 |
| SHA256 | a8fadc416e4dcbd16da7cb752260044bbabec205c9e73f46b79fe06aab4ceb99 |
| SHA512 | ace0d6b322526a342f692bfbb720756cfa312a4a0d1037f05306639aa4094ec9149d9f146ec6fdd267df8b744f9816703a7a4e31f433ed3cde788bf826ed34a2 |
memory/2400-5607-0x0000000000120000-0x0000000000141000-memory.dmp
memory/2400-5608-0x000000006D7C0000-0x000000006DBB6000-memory.dmp
memory/2400-5609-0x0000000000120000-0x0000000000141000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win7-20231020-en
Max time kernel
117s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\ccd10d0c856a95beeffdd47f9e6530e71f23b2f3700c6fa609acfe262d5f1522.zip
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win10v2004-20231020-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\da9a74db58c63c627e43a42e4b1f368cd13a34795e185414283393b9a4dcb813.zip
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win10v2004-20231020-en
Max time kernel
145s
Max time network
156s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4120 wrote to memory of 1940 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4120 wrote to memory of 1940 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1940 wrote to memory of 2496 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 1940 wrote to memory of 2496 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 1940 wrote to memory of 456 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1940 wrote to memory of 456 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1940 wrote to memory of 732 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
| PID 1940 wrote to memory of 732 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1478723101.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1478723101.js" "C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat" && "C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat"
C:\Windows\system32\findstr.exe
findstr /V curecarve ""C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode vivacioussecond partoverwrought.dll
C:\Windows\system32\regsvr32.exe
regsvr32 partoverwrought.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\pinphysical.bat
| MD5 | 3db5b96e1c9cf4583ea95d83152fd173 |
| SHA1 | e48cd61c57d0140096840aeb199a300af6423936 |
| SHA256 | 6a2ba302bcf65d2520ecd5d477ed382a1b0d6bb010b84f1ee0f2223bef84ba16 |
| SHA512 | 6fe9ba142bdb830ae1c073f20968df4a2958b7a9959a3ce3cf513038c0503048cd9f93b8be06035b34927ec0358e8c0349ed5efd81a91c50fa2ee0f904672feb |
C:\Users\Admin\AppData\Local\Temp\vivacioussecond
| MD5 | acfa429912a2488f208734d0a9b39c55 |
| SHA1 | e4259ddb9c0c8ba037016c32da0782633b8536de |
| SHA256 | d6ff5a3f5437351df4da8f9b335980d596299ac077f4b8c20062eb073af7bcfb |
| SHA512 | 087bcc0c74fd48fb76d1ad4e5513de69c4a8684e47324829d3b84e9f3a08fcc2a2c9629176d5f19bf4e1ecdc171eda535326b29d3bec16edb644021c0883ef10 |
C:\Users\Admin\AppData\Local\Temp\partoverwrought.dll
| MD5 | ce18786cd944962504bc77bb973294f8 |
| SHA1 | 63291da25e666fa08a063086b10dc42e593b8067 |
| SHA256 | a8fadc416e4dcbd16da7cb752260044bbabec205c9e73f46b79fe06aab4ceb99 |
| SHA512 | ace0d6b322526a342f692bfbb720756cfa312a4a0d1037f05306639aa4094ec9149d9f146ec6fdd267df8b744f9816703a7a4e31f433ed3cde788bf826ed34a2 |
memory/732-5607-0x0000000000BD0000-0x0000000000BF1000-memory.dmp
memory/732-5608-0x000000006D7C0000-0x000000006DBB6000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win10v2004-20231020-en
Max time kernel
143s
Max time network
154s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 428 wrote to memory of 116 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 428 wrote to memory of 116 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 116 wrote to memory of 3064 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 116 wrote to memory of 3064 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 116 wrote to memory of 1456 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 116 wrote to memory of 1456 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 116 wrote to memory of 1352 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
| PID 116 wrote to memory of 1352 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_3104517939.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_3104517939.js" "C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat" && "C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat"
C:\Windows\system32\findstr.exe
findstr /V strangestriped ""C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode upsetbusy womanselection.dll
C:\Windows\system32\regsvr32.exe
regsvr32 womanselection.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\synonymoussad.bat
| MD5 | 327a373e0e25a1c2092382a4afae2e08 |
| SHA1 | 7ddd453a6bf635d46241700a34e51b8dba8f0d6c |
| SHA256 | 35843ae0b4d7d0b3839eebba3feb980ee9b5f583e0b778624d593d29741fa2ee |
| SHA512 | b826d094b1dfd83290920f11037a5b09b1a4f2bd5def4752a8848fd317acc75a36ff8f3d08c3d35f6a00b0d591f4b63b838b6d351efaa8476b502796d558daeb |
C:\Users\Admin\AppData\Local\Temp\upsetbusy
| MD5 | f183d3d74b21c168d931f48c372bf431 |
| SHA1 | 864b7511699f642d0f0662be59c6154faf89fa10 |
| SHA256 | e4064513a6c8a3a27453d81903c55ae55f33eae855339473ff1bc5b6969e235e |
| SHA512 | 92db029907e42fd3a236c1860545907c0376aa5f1f68eff6671632271736ea14ec78fc16184317c3d8f990fdcd8d84555d86e92c2291822af66fd96072440311 |
C:\Users\Admin\AppData\Local\Temp\womanselection.dll
| MD5 | 477f1313691864a4176c1666640dcccf |
| SHA1 | 39d05d2753ab358bf284ab43f32502aa11b35976 |
| SHA256 | 48d1c1200b9f8b22be670df8c8b1c50237b867f12986338255fd72bf973b5a17 |
| SHA512 | d1edd127cfab80d35275c2230f2b52e7fcc3fa449e6d0ed273246fed6d5573855949fa504ce54c8adc5cb31831d33bb54ec0024473381994cf5f78f18981642b |
memory/1352-7996-0x000000006D7C0000-0x000000006DC06000-memory.dmp
memory/1352-7995-0x0000000001080000-0x00000000010A1000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win7-20231023-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js" "C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat" && "C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat"
C:\Windows\system32\findstr.exe
findstr /V carelesspart ""C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode spraydevelop tailstitch.dll
C:\Windows\system32\regsvr32.exe
regsvr32 tailstitch.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\mercifullean.bat
| MD5 | 06b78388e5785d4b2933672d4e9ded74 |
| SHA1 | fe7ce04cbcd5de3d4b17034149518c325441b6db |
| SHA256 | 0a2b6a17137991a8c39c1e7571ef211ed281fa7fc1d6691eba70bbacd40d739b |
| SHA512 | 64f02712551e733881978a84569f6d9eb27abfba4746f703d8b24894421d9f7ecb93bb91689a7faa197878231f659138f226f510d08ef02a8e57e4a03f7bb264 |
C:\Users\Admin\AppData\Local\Temp\spraydevelop
| MD5 | 00e6818fc3c6403b9e01ada5c7fa0aad |
| SHA1 | bf9e6b1e58468109abab919553f7101e1a62ee8e |
| SHA256 | e6da9f6b5dd70333dd333c24fdd72e74ea1352fb0fdfa6ed8fa58f3a3afa286a |
| SHA512 | a05060086019d6455d458f79c631bb7d0b868b3bd57e9e2cef702e9ea73cd0c2996133fd7be30bc38c824719293f3ffe063008a1f2f26975efe80d2e749cc5aa |
C:\Users\Admin\AppData\Local\Temp\tailstitch.dll
| MD5 | 11554db63b6bce5e73c385980d5bb0f4 |
| SHA1 | f7b6a42212981b29ce90f9a92b9a83b30772f970 |
| SHA256 | f99c9e0477e89dafc30d9b1c91c4ee08e5f27e72c0966fb7a44cf7a8f8457c2b |
| SHA512 | cec79e8f63012e5365441e289f4f5949b37b296f3a3d6fe60f27c37c1eca7334990b8a50d0aec60ac448aa1173be03b127c1a18fb96496093b341b76afff3982 |
memory/1332-9831-0x000000006D7C0000-0x000000006DC24000-memory.dmp
memory/1332-9830-0x00000000001B0000-0x00000000001D1000-memory.dmp
memory/1332-9832-0x00000000001B0000-0x00000000001D1000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win7-20231023-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1324819148.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1324819148.js" "C:\Users\Admin\AppData\Local\Temp\\farmossified.bat" && "C:\Users\Admin\AppData\Local\Temp\\farmossified.bat"
C:\Windows\system32\findstr.exe
findstr /V pestcalculator ""C:\Users\Admin\AppData\Local\Temp\\farmossified.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode festivewaggish mournpastoral.dll
C:\Windows\system32\regsvr32.exe
regsvr32 mournpastoral.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\farmossified.bat
| MD5 | 397ff04b5a64bd1f89b92819bb92e086 |
| SHA1 | 94dbafbf953881732757956132c93b52b1940dfe |
| SHA256 | 3bdb2e4bada14fdda4b518959e9375814158b877516d2ff77ec8886a7926e28a |
| SHA512 | 7ed326a43bc2438162a931e9733db98e7beec5372516e1de06dd90b0e9c23b81962b8e83a60fefe8a5c4e620a04148e10e57f8dbb1666b6c9ca951041d17fd67 |
C:\Users\Admin\AppData\Local\Temp\festivewaggish
| MD5 | 341f3b9ea1746dff428bbc568ea0b6f5 |
| SHA1 | d52dd921199ce7d5a95632dfc768bf4aa19c209c |
| SHA256 | 5258b99c488332b011fcb6157de260a9e7fe439e05821e6995f795fb40f86067 |
| SHA512 | 694c402e9314c270a83f33f20ca478367e22de927edded69643e35c3ea968b75f8710549a9c2162a075dde05b8aa5f460fce507b740e12e061f0926eb05d229f |
C:\Users\Admin\AppData\Local\Temp\mournpastoral.dll
| MD5 | db4a7c58c2087a38447e198fb999c0f0 |
| SHA1 | ac9d1a3f574073c050ddb3afdcf6863c553f3579 |
| SHA256 | 5c1508f5353265929def3af0f093bd9580f7589f63b196bce37cf5bcd3073c8f |
| SHA512 | 08ca1c58e709474c9240ff45f2a31f06b6fbc8d8d3f7d1ad6d9983a352717309c86a171dbb07bfcdb21a28c657cf21582c1a630b9604a977f5a34e6222981425 |
memory/1468-5374-0x00000000002A0000-0x00000000002C1000-memory.dmp
memory/1468-5375-0x000000006D7C0000-0x000000006DA77000-memory.dmp
memory/1468-5376-0x00000000002A0000-0x00000000002C1000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:08
Platform
win10v2004-20231020-en
Max time kernel
144s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\c1158c88f7951a14ff2436e679719e1b57d56002f1050b340b1fdd9bf37ee4d8.zip
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:08
Platform
win10v2004-20231023-en
Max time kernel
136s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\cfd9efc4bcffd83c78da7165035918144b394a79b2fb60305f8993e35ee2986b.zip
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win7-20231023-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\da6db77248718ea9cb22ea8b99d3030aa2838d241fdd2f64dbaaf60b02903f25.zip
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win10v2004-20231020-en
Max time kernel
90s
Max time network
160s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3944 wrote to memory of 1512 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 3944 wrote to memory of 1512 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1512 wrote to memory of 2376 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 1512 wrote to memory of 2376 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 1512 wrote to memory of 4900 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1512 wrote to memory of 4900 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1512 wrote to memory of 2000 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
| PID 1512 wrote to memory of 2000 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1324819148.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1324819148.js" "C:\Users\Admin\AppData\Local\Temp\\farmossified.bat" && "C:\Users\Admin\AppData\Local\Temp\\farmossified.bat"
C:\Windows\system32\findstr.exe
findstr /V pestcalculator ""C:\Users\Admin\AppData\Local\Temp\\farmossified.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode festivewaggish mournpastoral.dll
C:\Windows\system32\regsvr32.exe
regsvr32 mournpastoral.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\farmossified.bat
| MD5 | 397ff04b5a64bd1f89b92819bb92e086 |
| SHA1 | 94dbafbf953881732757956132c93b52b1940dfe |
| SHA256 | 3bdb2e4bada14fdda4b518959e9375814158b877516d2ff77ec8886a7926e28a |
| SHA512 | 7ed326a43bc2438162a931e9733db98e7beec5372516e1de06dd90b0e9c23b81962b8e83a60fefe8a5c4e620a04148e10e57f8dbb1666b6c9ca951041d17fd67 |
C:\Users\Admin\AppData\Local\Temp\festivewaggish
| MD5 | 341f3b9ea1746dff428bbc568ea0b6f5 |
| SHA1 | d52dd921199ce7d5a95632dfc768bf4aa19c209c |
| SHA256 | 5258b99c488332b011fcb6157de260a9e7fe439e05821e6995f795fb40f86067 |
| SHA512 | 694c402e9314c270a83f33f20ca478367e22de927edded69643e35c3ea968b75f8710549a9c2162a075dde05b8aa5f460fce507b740e12e061f0926eb05d229f |
C:\Users\Admin\AppData\Local\Temp\mournpastoral.dll
| MD5 | db4a7c58c2087a38447e198fb999c0f0 |
| SHA1 | ac9d1a3f574073c050ddb3afdcf6863c553f3579 |
| SHA256 | 5c1508f5353265929def3af0f093bd9580f7589f63b196bce37cf5bcd3073c8f |
| SHA512 | 08ca1c58e709474c9240ff45f2a31f06b6fbc8d8d3f7d1ad6d9983a352717309c86a171dbb07bfcdb21a28c657cf21582c1a630b9604a977f5a34e6222981425 |
memory/2000-5375-0x000000006D7C0000-0x000000006DA77000-memory.dmp
memory/2000-5374-0x0000000000560000-0x0000000000581000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win7-20231020-en
Max time kernel
117s
Max time network
128s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js" "C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat" && "C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat"
C:\Windows\system32\findstr.exe
findstr /V dwxhhghdszkwxfyzjjjbfasobxdivpofqrabxdjslzwladvmtu ""C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode ydehnrtmtaxivskgglhryiuutrxcsrpkzqcstwyelzxxzmxtxc iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll
C:\Windows\system32\rundll32.exe
rundll32 iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll,x
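The Processes block above is the whole Strela loader chain, and apart from the random file names and the final loader it is the same in every detonating run of this report (rundll32 with export `x` in the PDF*.js runs, regsvr32 in the FACTURA_*.js runs). Read top to bottom: wscript.exe runs the dropped .js; the script starts cmd.exe to copy itself to a .bat and execute that copy, so the file has to be valid as both JScript and batch; `findstr /V <marker>` prints every line of the .bat that does not contain the marker, which leaves only the base64 payload (the redirect of findstr's stdout into the blob file is done by cmd.exe and therefore is not visible in findstr's argument list; the blob name is inferred from the certutil input); `certutil -f -decode` turns the blob into the DLL; rundll32 or regsvr32 then loads it. The Files list below carries hashes for each intermediate (the .bat copy, the blob, the decoded DLL), so the chain can be verified offline. Note also that the win7 runs recorded no network traffic and the win10 runs show only reverse-DNS lookups to 8.8.8.8 and g.bing.com, which is background traffic, so no C2 was captured within the two to three minute detonation window.

The Python below is an added triage helper and is not part of the sandbox report or of the malware. `parse_chain` recovers the marker, blob, DLL and loader from a list of process command lines (the sample input is copied from the behavioral13 and behavioral1 trees in this report); `extract_payload` emulates the `findstr /V` and `certutil -decode` stages on a polyglot file so the DLL can be recovered statically without running anything. The polyglot used for the self-test is constructed, with a minimal MZ/PE stub standing in for the real DLL; it does not reproduce the real script's layout, only the property the chain depends on, namely that every non-payload line carries the marker. Two assumptions are baked in: `certutil -decode` accepts base64 with or without `-----BEGIN/END` armour, and the markers are plain alphanumeric tokens so findstr's literal-versus-regex handling makes no difference.

```python
"""Added triage helper for the Strela JS -> BAT -> findstr -> certutil ->
rundll32/regsvr32 chain. Not taken from the report or from the sample."""
import base64
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

# Stage patterns, written against the command lines in the report.
CMD_COPY = re.compile(r'copy\s+"(?P<js>[^"]+)"\s+"(?P<bat>[^"]+)"', re.I)
FINDSTR = re.compile(r'findstr\s+/V\s+(?P<marker>\S+)\s+"+(?P<bat>[^"]+)"+', re.I)
CERTUTIL = re.compile(r'certutil\s+-f\s+-decode\s+(?P<blob>\S+)\s+(?P<dll>\S+)', re.I)
RUNDLL32 = re.compile(r'rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+)(?:,(?P<export>\S+))?', re.I)
REGSVR32 = re.compile(r'regsvr32(?:\.exe)?\s+(?P<dll>\S+)', re.I)
PEM_LINE = re.compile(r'^-----(BEGIN|END) [^-]+-----$')


@dataclass
class LoaderChain:
    script: str            # .js run by wscript.exe
    bat: str               # renamed copy executed by cmd.exe
    marker: str            # findstr /V token; lines containing it are dropped
    blob: str              # findstr stdout (redirect done by cmd.exe, not in argv)
    dll: str               # certutil -decode output
    loader: str            # "rundll32" or "regsvr32"
    export: Optional[str]  # rundll32 export; None for regsvr32 (DllRegisterServer)

    def complete(self) -> bool:
        return all([self.script, self.bat, self.marker, self.blob, self.dll, self.loader])


def parse_chain(cmdlines: List[str]) -> Optional[LoaderChain]:
    """Return the chain if all four stages are present, else None."""
    c = LoaderChain("", "", "", "", "", "", None)
    for line in cmdlines:
        if m := CMD_COPY.search(line):
            c.script, c.bat = m["js"], m["bat"]
        elif m := FINDSTR.search(line):
            c.marker = m["marker"]
        elif m := CERTUTIL.search(line):
            c.blob, c.dll = m["blob"], m["dll"]
        elif m := RUNDLL32.search(line):
            c.loader, c.export = "rundll32", m["export"]
        elif m := REGSVR32.search(line):
            c.loader, c.export = "regsvr32", None
    return c if c.complete() else None


def findstr_v(text: str, marker: str) -> List[str]:
    """Emulate `findstr /V marker file`: keep lines that do NOT contain marker."""
    return [ln for ln in text.splitlines() if marker not in ln]


def certutil_decode(lines: List[str]) -> bytes:
    """Emulate `certutil -decode`: base64 with or without BEGIN/END armour.
    validate=True makes leftover non-base64 lines fail loudly instead of silently."""
    body = "".join(ln.strip() for ln in lines if not PEM_LINE.match(ln.strip()))
    return base64.b64decode(body, validate=True)


def extract_payload(polyglot: str, marker: str) -> bytes:
    return certutil_decode(findstr_v(polyglot, marker))


def looks_like_pe(data: bytes) -> bool:
    """MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed stand-in for the dropped DLL: a minimal MZ/PE header, not malware.
FAKE_DLL = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(60)


def build_polyglot(payload: bytes, marker: str) -> str:
    """Constructed file with the one property the chain relies on: every
    non-payload line carries the marker, everything else is base64 of the DLL."""
    b64 = base64.b64encode(payload).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"// {marker} script/batch lines live here", *body,
                      f"REM {marker} trailer"]) + "\n"


# Command lines copied from the behavioral13 and behavioral1 process trees.
BEHAVIORAL13 = [
    r'wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js',
    r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js" "C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat" && "C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat"',
    r'findstr /V dwxhhghdszkwxfyzjjjbfasobxdivpofqrabxdjslzwladvmtu ""C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat""',
    r'certutil -f -decode ydehnrtmtaxivskgglhryiuutrxcsrpkzqcstwyelzxxzmxtxc iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll',
    r'rundll32 iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll,x',
]
BEHAVIORAL1 = [
    r'wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js',
    r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js" "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat" && "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat"',
    r'findstr /V bashfulspade ""C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat""',
    r'certutil -f -decode brokenprecede habitualworkable.dll',
    r'regsvr32 habitualworkable.dll',
]

if __name__ == "__main__":
    for name, tree in (("behavioral13", BEHAVIORAL13), ("behavioral1", BEHAVIORAL1)):
        print(name, parse_chain(tree))
    dll = extract_payload(build_polyglot(FAKE_DLL, "zq7marker"), "zq7marker")
    print("recovered PE:", looks_like_pe(dll), len(dll), "bytes")
```

To use it on a real sample, read the dropped .bat (or the original .js, which is byte-identical after the copy) and call `extract_payload` with the marker that `parse_chain` pulled from the findstr command line; the SHA256 of the returned bytes should equal the hash listed for the .dll in the Files section, and the SHA256 of the intermediate findstr output should match the blob entry. If `base64.b64decode` raises, some non-payload line did not carry the marker and the file layout needs a manual look before trusting the result.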
Network
Files
C:\Users\Admin\AppData\Local\Temp\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat
| MD5 | c41b0c8acc549b2356e6a0ef252955e8 |
| SHA1 | 21e762814c7fad20f4c40b9c8a96cc5c4e92b096 |
| SHA256 | 64069ffa43a427fb63754153895054ece510e28adc6485d59d62a52a0a83539b |
| SHA512 | 7f018455048bf53a71f3dd15334fb6f07ba5f03f59be0f6b6296a1d18f471af9916f57115b3fe84445e10b07ed644939afd8897e1538aa7c113e29a442fe4a72 |
C:\Users\Admin\AppData\Local\Temp\ydehnrtmtaxivskgglhryiuutrxcsrpkzqcstwyelzxxzmxtxc
| MD5 | bb8e896461540afc2b9c2267f2589536 |
| SHA1 | d53dd7d0fbd78cd40fdacca15c43ddcd87b593f3 |
| SHA256 | 29a79976e3fd2c26fa3f572a5838768375796946ddca4ac0e0c4aef5e2f9b26a |
| SHA512 | 61900661ddc5c5fa2f3236a04884044c13d2ac28511f4bfd61013f9f63811b795187a3bec83d71459db17c553bee8ec81ae82944819aeeada4d43750505a8e34 |
C:\Users\Admin\AppData\Local\Temp\iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll
| MD5 | eaf3750d024b66e57d731ecd3eb4d6c2 |
| SHA1 | 7f70594c99523d1e25e11424762d7b5f5adc6f43 |
| SHA256 | 7a4d34794aa0fd9b70bed2a9446bd060496f31e1ee52084a4c0c08ce1f1346b6 |
| SHA512 | 45de48b7b4c59e96ba1422a2bfa68d138f4f63e1ae3e125e3880022504fe60c72a8f14047d015be953f3aad13be0a4ea99178d7525af9d8baf7de1c232d862de |
\Users\Admin\AppData\Local\Temp\iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll
| MD5 | eaf3750d024b66e57d731ecd3eb4d6c2 |
| SHA1 | 7f70594c99523d1e25e11424762d7b5f5adc6f43 |
| SHA256 | 7a4d34794aa0fd9b70bed2a9446bd060496f31e1ee52084a4c0c08ce1f1346b6 |
| SHA512 | 45de48b7b4c59e96ba1422a2bfa68d138f4f63e1ae3e125e3880022504fe60c72a8f14047d015be953f3aad13be0a4ea99178d7525af9d8baf7de1c232d862de |
memory/2600-44-0x000000006D7C0000-0x000000006D88E000-memory.dmp
memory/2600-45-0x0000000000100000-0x0000000000121000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win10v2004-20231025-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4464 wrote to memory of 4972 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4464 wrote to memory of 4972 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4972 wrote to memory of 1268 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4972 wrote to memory of 1268 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4972 wrote to memory of 4132 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4972 wrote to memory of 4132 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4972 wrote to memory of 3112 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 4972 wrote to memory of 3112 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js" "C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat" && "C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat"
C:\Windows\system32\findstr.exe
findstr /V dwxhhghdszkwxfyzjjjbfasobxdivpofqrabxdjslzwladvmtu ""C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode ydehnrtmtaxivskgglhryiuutrxcsrpkzqcstwyelzxxzmxtxc iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll
C:\Windows\system32\rundll32.exe
rundll32 iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll,x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat
| MD5 | c41b0c8acc549b2356e6a0ef252955e8 |
| SHA1 | 21e762814c7fad20f4c40b9c8a96cc5c4e92b096 |
| SHA256 | 64069ffa43a427fb63754153895054ece510e28adc6485d59d62a52a0a83539b |
| SHA512 | 7f018455048bf53a71f3dd15334fb6f07ba5f03f59be0f6b6296a1d18f471af9916f57115b3fe84445e10b07ed644939afd8897e1538aa7c113e29a442fe4a72 |
C:\Users\Admin\AppData\Local\Temp\ydehnrtmtaxivskgglhryiuutrxcsrpkzqcstwyelzxxzmxtxc
| MD5 | bb8e896461540afc2b9c2267f2589536 |
| SHA1 | d53dd7d0fbd78cd40fdacca15c43ddcd87b593f3 |
| SHA256 | 29a79976e3fd2c26fa3f572a5838768375796946ddca4ac0e0c4aef5e2f9b26a |
| SHA512 | 61900661ddc5c5fa2f3236a04884044c13d2ac28511f4bfd61013f9f63811b795187a3bec83d71459db17c553bee8ec81ae82944819aeeada4d43750505a8e34 |
C:\Users\Admin\AppData\Local\Temp\iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll
| MD5 | eaf3750d024b66e57d731ecd3eb4d6c2 |
| SHA1 | 7f70594c99523d1e25e11424762d7b5f5adc6f43 |
| SHA256 | 7a4d34794aa0fd9b70bed2a9446bd060496f31e1ee52084a4c0c08ce1f1346b6 |
| SHA512 | 45de48b7b4c59e96ba1422a2bfa68d138f4f63e1ae3e125e3880022504fe60c72a8f14047d015be953f3aad13be0a4ea99178d7525af9d8baf7de1c232d862de |
memory/3112-41-0x0000028A30D70000-0x0000028A30D91000-memory.dmp
memory/3112-42-0x000000006D7C0000-0x000000006D88E000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:08
Platform
win7-20231023-en
Max time kernel
117s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\df041e0c1f5e2a8cbdf2b7c77c21cc8892a010172ee77ce9b1f63629e0fd9ee2.zip
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win7-20231020-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js" "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat" && "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat"
C:\Windows\system32\findstr.exe
findstr /V bashfulspade ""C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode brokenprecede habitualworkable.dll
C:\Windows\system32\regsvr32.exe
regsvr32 habitualworkable.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\tangywoebegone.bat
| MD5 | 84132ef0bb6ad44e0f34f0ffee42a5eb |
| SHA1 | c0053fa7d8afbdbcc72ad21bc481e1bbea676216 |
| SHA256 | 9767f0206ecff1cb54c38fdad51251bcc5151906a66fe7eb7b733bc9edf1d415 |
| SHA512 | 1a7f8e5b7fa843e44956971de974bdf15cc4df137ca03a75d47d99e1bd8177ff6ea0cf863adc7916d8c812691221578375000db46de69c17896e4f969427b43b |
C:\Users\Admin\AppData\Local\Temp\brokenprecede
| MD5 | 22ae5a6ad3c032823b1035182ef6b563 |
| SHA1 | dfe710bfe8c8ca98d2a3c8ec247285d975536c55 |
| SHA256 | 63acc839c86de404d4abba3b4380c1e5377e057589344ac0b19032fd5340c5be |
| SHA512 | 30ae54422334615d38fb9a32d104cf50b658314b37b85159b855b87e3f8fdb822fe1dfa577b5b2b26f487f015694a43a953d8ac9fbf030c364512514717219cd |
C:\Users\Admin\AppData\Local\Temp\habitualworkable.dll
| MD5 | a33c0faac0c19fa9703d78d8bf4d38ed |
| SHA1 | 857acb13ffb952340ba066fbc6194db78b2c7e37 |
| SHA256 | ac56297616518dff53fa5e01e7a1508a6db46321c5c453a034396214e7edad4b |
| SHA512 | 542be33bda3adc4e54f42e73fa5f455925ae4d9eac93cc3a17921bc70e599d9d86cb273bc57537502e38b8d685d8490c65a5855335a3bbe07614bc3b73098cdf |
\Users\Admin\AppData\Local\Temp\habitualworkable.dll
| MD5 | a33c0faac0c19fa9703d78d8bf4d38ed |
| SHA1 | 857acb13ffb952340ba066fbc6194db78b2c7e37 |
| SHA256 | ac56297616518dff53fa5e01e7a1508a6db46321c5c453a034396214e7edad4b |
| SHA512 | 542be33bda3adc4e54f42e73fa5f455925ae4d9eac93cc3a17921bc70e599d9d86cb273bc57537502e38b8d685d8490c65a5855335a3bbe07614bc3b73098cdf |
memory/2832-5281-0x0000000000120000-0x0000000000141000-memory.dmp
memory/2832-5282-0x000000006D7C0000-0x000000006DB68000-memory.dmp
memory/2832-5283-0x0000000000120000-0x0000000000141000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win7-20231025-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_3104517939.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_3104517939.js" "C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat" && "C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat"
C:\Windows\system32\findstr.exe
findstr /V strangestriped ""C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode upsetbusy womanselection.dll
C:\Windows\system32\regsvr32.exe
regsvr32 womanselection.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\synonymoussad.bat
| MD5 | 327a373e0e25a1c2092382a4afae2e08 |
| SHA1 | 7ddd453a6bf635d46241700a34e51b8dba8f0d6c |
| SHA256 | 35843ae0b4d7d0b3839eebba3feb980ee9b5f583e0b778624d593d29741fa2ee |
| SHA512 | b826d094b1dfd83290920f11037a5b09b1a4f2bd5def4752a8848fd317acc75a36ff8f3d08c3d35f6a00b0d591f4b63b838b6d351efaa8476b502796d558daeb |
C:\Users\Admin\AppData\Local\Temp\upsetbusy
| MD5 | f183d3d74b21c168d931f48c372bf431 |
| SHA1 | 864b7511699f642d0f0662be59c6154faf89fa10 |
| SHA256 | e4064513a6c8a3a27453d81903c55ae55f33eae855339473ff1bc5b6969e235e |
| SHA512 | 92db029907e42fd3a236c1860545907c0376aa5f1f68eff6671632271736ea14ec78fc16184317c3d8f990fdcd8d84555d86e92c2291822af66fd96072440311 |
C:\Users\Admin\AppData\Local\Temp\womanselection.dll
| MD5 | 477f1313691864a4176c1666640dcccf |
| SHA1 | 39d05d2753ab358bf284ab43f32502aa11b35976 |
| SHA256 | 48d1c1200b9f8b22be670df8c8b1c50237b867f12986338255fd72bf973b5a17 |
| SHA512 | d1edd127cfab80d35275c2230f2b52e7fcc3fa449e6d0ed273246fed6d5573855949fa504ce54c8adc5cb31831d33bb54ec0024473381994cf5f78f18981642b |
\Users\Admin\AppData\Local\Temp\womanselection.dll
| MD5 | 477f1313691864a4176c1666640dcccf |
| SHA1 | 39d05d2753ab358bf284ab43f32502aa11b35976 |
| SHA256 | 48d1c1200b9f8b22be670df8c8b1c50237b867f12986338255fd72bf973b5a17 |
| SHA512 | d1edd127cfab80d35275c2230f2b52e7fcc3fa449e6d0ed273246fed6d5573855949fa504ce54c8adc5cb31831d33bb54ec0024473381994cf5f78f18981642b |
memory/2656-7995-0x00000000004B0000-0x00000000004D1000-memory.dmp
memory/2656-7996-0x000000006D7C0000-0x000000006DC06000-memory.dmp
memory/2656-7997-0x00000000004B0000-0x00000000004D1000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win7-20231020-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20218238767362.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF20218238767362.js" "C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat" && "C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat"
C:\Windows\system32\findstr.exe
findstr /V rmoulbhzypessjkwzujxsjanxvefrotukiloadqzppmwujgzdf ""C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode iexbhpcchrxfgymholozzfrmmegxsjewaupjcikfkdoipnpzpi xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll
C:\Windows\system32\rundll32.exe
rundll32 xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll,x
Network
Files
C:\Users\Admin\AppData\Local\Temp\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat
| MD5 | 0ab8b08e9c92bf1405755833d9409a95 |
| SHA1 | 9fbf7143a55c83845815502c413e9eecdd74677e |
| SHA256 | 1e81b9479b419372da9ef8ce7f50a98becc218c8605f09d034a5a6514e86f607 |
| SHA512 | 7e4d91c77087433209f8f74573e10d6a05ad951b48c5fc6ce15aba8b36252110a97b9747b9b47bbf549e372e45eb599afc1ca6425536f7617fa0a67f5145eb13 |
C:\Users\Admin\AppData\Local\Temp\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat
| MD5 | 0ab8b08e9c92bf1405755833d9409a95 |
| SHA1 | 9fbf7143a55c83845815502c413e9eecdd74677e |
| SHA256 | 1e81b9479b419372da9ef8ce7f50a98becc218c8605f09d034a5a6514e86f607 |
| SHA512 | 7e4d91c77087433209f8f74573e10d6a05ad951b48c5fc6ce15aba8b36252110a97b9747b9b47bbf549e372e45eb599afc1ca6425536f7617fa0a67f5145eb13 |
C:\Users\Admin\AppData\Local\Temp\iexbhpcchrxfgymholozzfrmmegxsjewaupjcikfkdoipnpzpi
| MD5 | 333e4540d003b671b0fab4bf108dfcc4 |
| SHA1 | bc3025b87eebd678e622955f6306fd5ce768e94a |
| SHA256 | 177fa2cfda97c4fd97f41b742e0ae0d5742c91d6c31fbce9b276e4b8fe5788f7 |
| SHA512 | f4498a3c1df15c426c381faa1c549549418061539ad4b87b20f7d996af1a7a599ddb36d05f650c28412e07d1d38d348d44afa2a94f604bed16ac5bf858ac988a |
C:\Users\Admin\AppData\Local\Temp\xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll
| MD5 | 0a7d89eb1cc9ed86183d6cc08c004ba3 |
| SHA1 | 6a12bbfa326dd92c5118ed07536fb8908ccc4d02 |
| SHA256 | 73621fdd560b242fdb88c777b08e942701cba31df0954781702891879812caf8 |
| SHA512 | 75317829ce34323f57898187532ac4424ab9d2271a3007453f5049390f21059a181bf5ce37b5f237290cb3da62789ee54a5efa0c9fc04b3dd4ffc2efbe5c3e1c |
\Users\Admin\AppData\Local\Temp\xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll
| MD5 | 0a7d89eb1cc9ed86183d6cc08c004ba3 |
| SHA1 | 6a12bbfa326dd92c5118ed07536fb8908ccc4d02 |
| SHA256 | 73621fdd560b242fdb88c777b08e942701cba31df0954781702891879812caf8 |
| SHA512 | 75317829ce34323f57898187532ac4424ab9d2271a3007453f5049390f21059a181bf5ce37b5f237290cb3da62789ee54a5efa0c9fc04b3dd4ffc2efbe5c3e1c |
memory/2020-45-0x000000006D7C0000-0x000000006D887000-memory.dmp
memory/2020-44-0x0000000001CC0000-0x0000000001CE1000-memory.dmp
memory/2020-46-0x0000000001CC0000-0x0000000001CE1000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win7-20231023-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\c1158c88f7951a14ff2436e679719e1b57d56002f1050b340b1fdd9bf37ee4d8.zip
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:08
Platform
win7-20231023-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\cfd9efc4bcffd83c78da7165035918144b394a79b2fb60305f8993e35ee2986b.zip
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win10v2004-20231023-en
Max time kernel
139s
Max time network
154s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1548 wrote to memory of 4980 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1548 wrote to memory of 4980 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4980 wrote to memory of 4116 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4980 wrote to memory of 4116 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4980 wrote to memory of 1784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4980 wrote to memory of 1784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4980 wrote to memory of 4956 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
| PID 4980 wrote to memory of 4956 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js" "C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat" && "C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat"
C:\Windows\system32\findstr.exe
findstr /V carelesspart ""C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode spraydevelop tailstitch.dll
C:\Windows\system32\regsvr32.exe
regsvr32 tailstitch.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\mercifullean.bat
| MD5 | 06b78388e5785d4b2933672d4e9ded74 |
| SHA1 | fe7ce04cbcd5de3d4b17034149518c325441b6db |
| SHA256 | 0a2b6a17137991a8c39c1e7571ef211ed281fa7fc1d6691eba70bbacd40d739b |
| SHA512 | 64f02712551e733881978a84569f6d9eb27abfba4746f703d8b24894421d9f7ecb93bb91689a7faa197878231f659138f226f510d08ef02a8e57e4a03f7bb264 |
C:\Users\Admin\AppData\Local\Temp\spraydevelop
| MD5 | 00e6818fc3c6403b9e01ada5c7fa0aad |
| SHA1 | bf9e6b1e58468109abab919553f7101e1a62ee8e |
| SHA256 | e6da9f6b5dd70333dd333c24fdd72e74ea1352fb0fdfa6ed8fa58f3a3afa286a |
| SHA512 | a05060086019d6455d458f79c631bb7d0b868b3bd57e9e2cef702e9ea73cd0c2996133fd7be30bc38c824719293f3ffe063008a1f2f26975efe80d2e749cc5aa |
C:\Users\Admin\AppData\Local\Temp\tailstitch.dll
| MD5 | 11554db63b6bce5e73c385980d5bb0f4 |
| SHA1 | f7b6a42212981b29ce90f9a92b9a83b30772f970 |
| SHA256 | f99c9e0477e89dafc30d9b1c91c4ee08e5f27e72c0966fb7a44cf7a8f8457c2b |
| SHA512 | cec79e8f63012e5365441e289f4f5949b37b296f3a3d6fe60f27c37c1eca7334990b8a50d0aec60ac448aa1173be03b127c1a18fb96496093b341b76afff3982 |
memory/4956-9831-0x000000006D7C0000-0x000000006DC24000-memory.dmp
memory/4956-9830-0x0000000000F10000-0x0000000000F31000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win10v2004-20231023-en
Max time kernel
90s
Max time network
155s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1800 wrote to memory of 2144 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1800 wrote to memory of 2144 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 2144 wrote to memory of 5072 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 2144 wrote to memory of 5072 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 2144 wrote to memory of 2876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 2144 wrote to memory of 2876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 2144 wrote to memory of 4188 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2144 wrote to memory of 4188 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20218238767362.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF20218238767362.js" "C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat" && "C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat"
C:\Windows\system32\findstr.exe
findstr /V rmoulbhzypessjkwzujxsjanxvefrotukiloadqzppmwujgzdf ""C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode iexbhpcchrxfgymholozzfrmmegxsjewaupjcikfkdoipnpzpi xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll
C:\Windows\system32\rundll32.exe
rundll32 xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll,x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat
| MD5 | 0ab8b08e9c92bf1405755833d9409a95 |
| SHA1 | 9fbf7143a55c83845815502c413e9eecdd74677e |
| SHA256 | 1e81b9479b419372da9ef8ce7f50a98becc218c8605f09d034a5a6514e86f607 |
| SHA512 | 7e4d91c77087433209f8f74573e10d6a05ad951b48c5fc6ce15aba8b36252110a97b9747b9b47bbf549e372e45eb599afc1ca6425536f7617fa0a67f5145eb13 |
C:\Users\Admin\AppData\Local\Temp\iexbhpcchrxfgymholozzfrmmegxsjewaupjcikfkdoipnpzpi
| MD5 | 333e4540d003b671b0fab4bf108dfcc4 |
| SHA1 | bc3025b87eebd678e622955f6306fd5ce768e94a |
| SHA256 | 177fa2cfda97c4fd97f41b742e0ae0d5742c91d6c31fbce9b276e4b8fe5788f7 |
| SHA512 | f4498a3c1df15c426c381faa1c549549418061539ad4b87b20f7d996af1a7a599ddb36d05f650c28412e07d1d38d348d44afa2a94f604bed16ac5bf858ac988a |
C:\Users\Admin\AppData\Local\Temp\xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll
| MD5 | 0a7d89eb1cc9ed86183d6cc08c004ba3 |
| SHA1 | 6a12bbfa326dd92c5118ed07536fb8908ccc4d02 |
| SHA256 | 73621fdd560b242fdb88c777b08e942701cba31df0954781702891879812caf8 |
| SHA512 | 75317829ce34323f57898187532ac4424ab9d2271a3007453f5049390f21059a181bf5ce37b5f237290cb3da62789ee54a5efa0c9fc04b3dd4ffc2efbe5c3e1c |
memory/4188-41-0x000001865E120000-0x000001865E141000-memory.dmp
memory/4188-42-0x000000006D7C0000-0x000000006D887000-memory.dmp
memory/4188-43-0x000001865E120000-0x000001865E141000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:08
Platform
win10v2004-20231023-en
Max time kernel
137s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\b88e361f5db949317650956480502f6391359798fd85c0341c8c43c30fc361be.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win7-20231025-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\cea14b7d1bffe66e3139930602537416b723f2b685e08d5680fc677c5730d4af.zip
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:08
Platform
win7-20231020-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\da9a74db58c63c627e43a42e4b1f368cd13a34795e185414283393b9a4dcb813.zip
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win10v2004-20231023-en
Max time kernel
115s
Max time network
154s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4512 wrote to memory of 1772 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4512 wrote to memory of 1772 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1772 wrote to memory of 4852 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 1772 wrote to memory of 4852 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 1772 wrote to memory of 3032 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1772 wrote to memory of 3032 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1772 wrote to memory of 1948 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
| PID 1772 wrote to memory of 1948 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js" "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat" && "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat"
C:\Windows\system32\findstr.exe
findstr /V bashfulspade ""C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode brokenprecede habitualworkable.dll
C:\Windows\system32\regsvr32.exe
regsvr32 habitualworkable.dll
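The five command lines above are the whole dropper chain: wscript runs the .js, cmd copies it to a .bat and runs it, `findstr /V bashfulspade` drops every line containing the marker so only the embedded base64 remains, `certutil -f -decode` turns that into `habitualworkable.dll`, and `regsvr32` loads it (the "Loads dropped DLL" signature, and the regsvr32 PID 1948 in the memory dumps below). The script below is an added example, not part of this sandbox report or of the sample: it emulates the findstr/certutil steps offline so the payload can be recovered without detonation, and flags the same chain in a list of process command lines. It assumes (the page does not say) that the polyglot keeps its payload on lines that do not contain the marker and that every script line does contain it; the marker is the one from the findstr command, while the sample polyglot, its "PE" (just an MZ/PE header) and the stage names are constructed for illustration.

```python
import base64
import binascii
import re
from typing import Iterable

# certutil -decode accepts PEM-style armour; strip such lines as it does.
_PEM_LINE = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")


def findstr_v(text: str, marker: str) -> list[str]:
    """Emulate `findstr /V <marker> <file>`: keep only lines that do not
    contain the marker (case-sensitive, since no /I was given)."""
    return [ln for ln in text.splitlines() if marker not in ln]


def certutil_decode(lines: Iterable[str]) -> bytes:
    """Emulate `certutil -f -decode <in> <out>`: drop blank and PEM header
    lines, concatenate the base64 and decode it strictly."""
    body = "".join(ln.strip() for ln in lines
                   if ln.strip() and not _PEM_LINE.match(ln.strip()))
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"payload is not valid base64: {exc}") from exc


def extract_payload(polyglot: str, marker: str) -> bytes:
    """Both LOLBin steps chained, as the dropper's batch line chains them."""
    return certutil_decode(findstr_v(polyglot, marker))


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on the decoded blob: 'MZ' and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# --- constructed sample polyglot (layout is an assumption, not the real file) ---
MARKER = "bashfulspade"                      # from the findstr command in the report
FAKE_PE = (b"MZ" + b"\0" * 0x3A              # DOS header with e_lfanew = 0x40
           + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 12)
_B64 = base64.b64encode(FAKE_PE).decode()
SAMPLE_POLYGLOT = "\n".join([
    "// bashfulspade  js stub: run by wscript, copies itself to .bat and runs it",
    "var bashfulspade = 1;",
    "-----BEGIN CERTIFICATE-----",
    _B64[:40], _B64[40:],
    "-----END CERTIFICATE-----",
    "@findstr /V bashfulspade \"%~f0\" > brokenprecede && certutil -f -decode "
    "brokenprecede habitualworkable.dll && regsvr32 habitualworkable.dll",
])

# --- chain detection over process command lines (copied from the report above) ---
REPORT_CMDLINES = [
    r"wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js",
    r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js" '
    r'"C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat" && "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat"',
    r'findstr /V bashfulspade ""C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat""',
    r"certutil -f -decode brokenprecede habitualworkable.dll",
    r"regsvr32 habitualworkable.dll",
]

# Each stage alone is ordinary LOLBin use; all five together is the dropper pattern.
CHAIN_STAGES = [
    ("wscript_js",       re.compile(r"(?i)\bwscript(\.exe)?\b.*\.js\b")),
    ("js_copied_to_bat", re.compile(r"(?i)\bcopy\b.*\.js\b.*\.bat\b")),
    ("findstr_v_strip",  re.compile(r"(?i)\bfindstr(\.exe)?\s+/v\b")),
    ("certutil_decode",  re.compile(r"(?i)\bcertutil(\.exe)?\b.*\s-decode\b")),
    ("regsvr32_load",    re.compile(r"(?i)\bregsvr32(\.exe)?\b")),
]


def chain_stages_seen(cmdlines: Iterable[str]) -> list[str]:
    """Names of the chain stages present, in chain order."""
    cmdlines = list(cmdlines)
    return [name for name, rx in CHAIN_STAGES if any(rx.search(c) for c in cmdlines)]


def is_strela_dropper_chain(cmdlines: Iterable[str]) -> bool:
    """True only when every stage of the chain is present."""
    return len(chain_stages_seen(cmdlines)) == len(CHAIN_STAGES)


if __name__ == "__main__":
    dll = extract_payload(SAMPLE_POLYGLOT, MARKER)
    print(f"decoded {len(dll)} bytes, PE header present: {looks_like_pe(dll)}")
    print("chain stages:", chain_stages_seen(REPORT_CMDLINES))
```

Run against a real sample, `extract_payload` is pointed at the .js with the marker read from its own findstr line; a `ValueError` means the marker guess is wrong (script lines survived the filter) and `looks_like_pe` returning False means the decoded bytes are not the DLL yet and need another layer. The detection half deliberately keys on the stage combination rather than the random file names, which change per sample.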
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tangywoebegone.bat
| MD5 | 84132ef0bb6ad44e0f34f0ffee42a5eb |
| SHA1 | c0053fa7d8afbdbcc72ad21bc481e1bbea676216 |
| SHA256 | 9767f0206ecff1cb54c38fdad51251bcc5151906a66fe7eb7b733bc9edf1d415 |
| SHA512 | 1a7f8e5b7fa843e44956971de974bdf15cc4df137ca03a75d47d99e1bd8177ff6ea0cf863adc7916d8c812691221578375000db46de69c17896e4f969427b43b |
C:\Users\Admin\AppData\Local\Temp\brokenprecede
| MD5 | 22ae5a6ad3c032823b1035182ef6b563 |
| SHA1 | dfe710bfe8c8ca98d2a3c8ec247285d975536c55 |
| SHA256 | 63acc839c86de404d4abba3b4380c1e5377e057589344ac0b19032fd5340c5be |
| SHA512 | 30ae54422334615d38fb9a32d104cf50b658314b37b85159b855b87e3f8fdb822fe1dfa577b5b2b26f487f015694a43a953d8ac9fbf030c364512514717219cd |
C:\Users\Admin\AppData\Local\Temp\habitualworkable.dll
| MD5 | a33c0faac0c19fa9703d78d8bf4d38ed |
| SHA1 | 857acb13ffb952340ba066fbc6194db78b2c7e37 |
| SHA256 | ac56297616518dff53fa5e01e7a1508a6db46321c5c453a034396214e7edad4b |
| SHA512 | 542be33bda3adc4e54f42e73fa5f455925ae4d9eac93cc3a17921bc70e599d9d86cb273bc57537502e38b8d685d8490c65a5855335a3bbe07614bc3b73098cdf |
memory/1948-5281-0x0000000002500000-0x0000000002521000-memory.dmp
memory/1948-5282-0x000000006D7C0000-0x000000006DB68000-memory.dmp
memory/1948-5283-0x0000000002500000-0x0000000002521000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:08
Platform
win7-20231023-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\b88e361f5db949317650956480502f6391359798fd85c0341c8c43c30fc361be.zip
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:07
Platform
win10v2004-20231020-en
Max time kernel
129s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\ccd10d0c856a95beeffdd47f9e6530e71f23b2f3700c6fa609acfe262d5f1522.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2023-10-27 11:04
Reported
2023-10-27 11:08
Platform
win10v2004-20231023-en
Max time kernel
140s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\12582937793\cea14b7d1bffe66e3139930602537416b723f2b685e08d5680fc677c5730d4af.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |