Analysis Overview
SHA256
ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116
Threat Level: Known bad
The file ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116 was found to be: Known bad.
Malicious Activity Summary
Strela
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-27 10:34
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-27 10:34
Reported
2023-10-27 10:37
Platform
win10v2004-20231023-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-10-27 10:34
Reported
2023-10-27 10:37
Platform
win7-20231023-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js" "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat" && "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat"
C:\Windows\system32\findstr.exe
findstr /V yvvtruptgthopkwxilzrbnttxkusosxnsktfhipvmptiypaxuf ""C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode wuqjfjqrimhlcxkpxujramgvuryubmullhokhoecqzwywpbhqt dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll
C:\Windows\system32\rundll32.exe
rundll32 dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll,x
Network
Files
C:\Users\Admin\AppData\Local\Temp\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat
| MD5 | 5439e605a33011803acd31ef4f2475cd |
| SHA1 | aeda29b5df8c6c32675a645c89e78cd1cb9263d0 |
| SHA256 | 93e09d0986bdd1d746ce39d79fc60f1e35fec9c1aa1b6b972eeec07fc35f8e98 |
| SHA512 | 3f078ebb4e5e8478671f100e2629e6f74abfa97bf9957a55f26e34069886788086b95d366972eb4f74f4c29408af79562a0681dae53088f1920b37262641d0fc |
C:\Users\Admin\AppData\Local\Temp\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat
| MD5 | 5439e605a33011803acd31ef4f2475cd |
| SHA1 | aeda29b5df8c6c32675a645c89e78cd1cb9263d0 |
| SHA256 | 93e09d0986bdd1d746ce39d79fc60f1e35fec9c1aa1b6b972eeec07fc35f8e98 |
| SHA512 | 3f078ebb4e5e8478671f100e2629e6f74abfa97bf9957a55f26e34069886788086b95d366972eb4f74f4c29408af79562a0681dae53088f1920b37262641d0fc |
C:\Users\Admin\AppData\Local\Temp\wuqjfjqrimhlcxkpxujramgvuryubmullhokhoecqzwywpbhqt
| MD5 | bbc12e812d451b56e262307e517a7a07 |
| SHA1 | d2cc933d7b98dfe76c8806cf7b3727cf208dfecd |
| SHA256 | 6d17a199731628ae7af3c92b5d1f465d494137f1e324deb3efebc768152bc869 |
| SHA512 | 1fde0d39343018877833e6f3121b4513a8d951a30660a91819e74863087e6c13a9fa95bb659ad6fc4d4321017e2721bf9f6f659cc881ff753cdfd53b08e87755 |
C:\Users\Admin\AppData\Local\Temp\dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll
| MD5 | 1376545af4612c696f527acb2e5de091 |
| SHA1 | 59fdb448fc3169edb06cae100063444df9118397 |
| SHA256 | b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1 |
| SHA512 | ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7 |
\Users\Admin\AppData\Local\Temp\dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll
| MD5 | 1376545af4612c696f527acb2e5de091 |
| SHA1 | 59fdb448fc3169edb06cae100063444df9118397 |
| SHA256 | b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1 |
| SHA512 | ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7 |
\Users\Admin\AppData\Local\Temp\dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll
| MD5 | 1376545af4612c696f527acb2e5de091 |
| SHA1 | 59fdb448fc3169edb06cae100063444df9118397 |
| SHA256 | b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1 |
| SHA512 | ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7 |
\Users\Admin\AppData\Local\Temp\dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll
| MD5 | 1376545af4612c696f527acb2e5de091 |
| SHA1 | 59fdb448fc3169edb06cae100063444df9118397 |
| SHA256 | b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1 |
| SHA512 | ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7 |
\Users\Admin\AppData\Local\Temp\dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll
| MD5 | 1376545af4612c696f527acb2e5de091 |
| SHA1 | 59fdb448fc3169edb06cae100063444df9118397 |
| SHA256 | b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1 |
| SHA512 | ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7 |
memory/2664-44-0x000000006D7C0000-0x000000006D88D000-memory.dmp
memory/2664-45-0x0000000000100000-0x0000000000121000-memory.dmp
memory/2664-46-0x0000000000100000-0x0000000000121000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-10-27 10:34
Reported
2023-10-27 10:37
Platform
win10v2004-20231025-en
Max time kernel
143s
Max time network
154s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2576 wrote to memory of 5084 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 2576 wrote to memory of 5084 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 5084 wrote to memory of 2540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 5084 wrote to memory of 2540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 5084 wrote to memory of 2140 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 5084 wrote to memory of 2140 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 5084 wrote to memory of 388 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 5084 wrote to memory of 388 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js" "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat" && "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat"
C:\Windows\system32\findstr.exe
findstr /V yvvtruptgthopkwxilzrbnttxkusosxnsktfhipvmptiypaxuf ""C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode wuqjfjqrimhlcxkpxujramgvuryubmullhokhoecqzwywpbhqt dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll
C:\Windows\system32\rundll32.exe
rundll32 dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll,x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat
| MD5 | 5439e605a33011803acd31ef4f2475cd |
| SHA1 | aeda29b5df8c6c32675a645c89e78cd1cb9263d0 |
| SHA256 | 93e09d0986bdd1d746ce39d79fc60f1e35fec9c1aa1b6b972eeec07fc35f8e98 |
| SHA512 | 3f078ebb4e5e8478671f100e2629e6f74abfa97bf9957a55f26e34069886788086b95d366972eb4f74f4c29408af79562a0681dae53088f1920b37262641d0fc |
C:\Users\Admin\AppData\Local\Temp\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat
| MD5 | 5439e605a33011803acd31ef4f2475cd |
| SHA1 | aeda29b5df8c6c32675a645c89e78cd1cb9263d0 |
| SHA256 | 93e09d0986bdd1d746ce39d79fc60f1e35fec9c1aa1b6b972eeec07fc35f8e98 |
| SHA512 | 3f078ebb4e5e8478671f100e2629e6f74abfa97bf9957a55f26e34069886788086b95d366972eb4f74f4c29408af79562a0681dae53088f1920b37262641d0fc |
C:\Users\Admin\AppData\Local\Temp\wuqjfjqrimhlcxkpxujramgvuryubmullhokhoecqzwywpbhqt
| MD5 | bbc12e812d451b56e262307e517a7a07 |
| SHA1 | d2cc933d7b98dfe76c8806cf7b3727cf208dfecd |
| SHA256 | 6d17a199731628ae7af3c92b5d1f465d494137f1e324deb3efebc768152bc869 |
| SHA512 | 1fde0d39343018877833e6f3121b4513a8d951a30660a91819e74863087e6c13a9fa95bb659ad6fc4d4321017e2721bf9f6f659cc881ff753cdfd53b08e87755 |
C:\Users\Admin\AppData\Local\Temp\dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll
| MD5 | 1376545af4612c696f527acb2e5de091 |
| SHA1 | 59fdb448fc3169edb06cae100063444df9118397 |
| SHA256 | b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1 |
| SHA512 | ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7 |
C:\Users\Admin\AppData\Local\Temp\dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll
| MD5 | 1376545af4612c696f527acb2e5de091 |
| SHA1 | 59fdb448fc3169edb06cae100063444df9118397 |
| SHA256 | b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1 |
| SHA512 | ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7 |
memory/388-42-0x000000006D7C0000-0x000000006D88D000-memory.dmp
memory/388-41-0x0000026833800000-0x0000026833821000-memory.dmp
memory/388-43-0x0000026833800000-0x0000026833821000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-27 10:34
Reported
2023-10-27 10:37
Platform
win7-20231023-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116.zip