Analysis Overview
SHA256
46c6bedc6f4bfdfae1c0ae378ca649c115187c722e7786002b180ced07135a7d
Threat Level: Known bad
The file quisisana-ag.zip was found to be: Known bad.
Malicious Activity Summary
Strela
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-26 12:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-26 12:27
Reported
2024-01-26 12:30
Platform
win7-20231215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\28325142147799.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28325142147799.js" "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat" && "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat"
C:\Windows\system32\findstr.exe
findstr /V ricehat ""C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode tinsoak heapswim.dll
C:\Windows\system32\rundll32.exe
rundll32 heapswim.dll,m
C:\Windows\system32\cmd.exe
cmd /c rundll32 heapswim.dll,m
Network
Files
C:\Users\Admin\AppData\Local\Temp\suspectfeeble.bat
| MD5 | e142b6e92af05edd784ecea426ea62ae |
| SHA1 | 4b4a1e8489acef2c4a27dfe4f9de1b2e4a14f86e |
| SHA256 | 4b2fb816282af672a02dd4f13fff81f00f6f3825c7c9329dca4bf934412b8322 |
| SHA512 | a69d6958f60427fcf8e66c41a6b64e9033eb6504aaf05d5be62a849efcf113996dfd14a24d256fab43e53e4694c3a5f19bd3a298052c793f346fe4d04f34cee3 |
C:\Users\Admin\AppData\Local\Temp\tinsoak
| MD5 | 696299aca72ee3192632033a0ddc3a8c |
| SHA1 | f584645bef95dbbcb0bcb5373fa2994333065fb0 |
| SHA256 | 600865ff3dff1938f2ac6d007e75b7e63b3f786eb0f5d17ec824c00ee44e70fa |
| SHA512 | 33a2144fb0dcd2b6d33065cb63650e7d6a67ff7473549d79cc26d1fa3e6a35262e4a2dd7f08ad1b2e7fe619768af1aef46625c2f2810e8c82cec09eca6ea5e2a |
\Users\Admin\AppData\Local\Temp\heapswim.dll
| MD5 | 5ddd27670ad2f96f60f647fb11a40144 |
| SHA1 | 3ac045fc6232695d50be3f53851fd7e99e5acc7c |
| SHA256 | 224bd873f90ae81f72370091401fc6b5e696073858337b2ebaf545f71aea5e0a |
| SHA512 | 3de20a736326e6ebddda839d28deaff53ec7ebf1dd0e91349fd6880e4a946ab2ac4ce1f6ea39cd08b5f35c8361a91851afa1be344bb92e73048778286246a9ca |
\Users\Admin\AppData\Local\Temp\heapswim.dll
| MD5 | 062b9f193bad0d4ec3629e8267cc4fcf |
| SHA1 | a90705eb7d8777b8790a5075ec7dea38137558e2 |
| SHA256 | 92c95056a5785ba6b3d328e1b361053d2e57e7d8842a7b2f37ba0a71e58af12c |
| SHA512 | 67b651a04c8ed3139c8fe3d50c6ea7160dcf530d38d7d973fec33350166989133a1b6c854b953c4c052049610307acedb5fefac17dbc9c5f02cfc79bedb51d31 |
\Users\Admin\AppData\Local\Temp\heapswim.dll
| MD5 | 289cebd06358f2da993852c7d113dfd3 |
| SHA1 | d3e7cf03a69846104c6d2cddd50620cb56d7c001 |
| SHA256 | 4d249b0e6c8ef4e3fd4e9de3458d9e4d50566aa660797418aa5e2b06dd9f2ba2 |
| SHA512 | 85e40b742937c5d6f8a3e8ebdb080a5a31bc4f4235b3a7ed4d9b2053e89be79988a3bd5eefbb6bcc3e2f345a5b284e1830832a48e1e7d7d3c6aad9e0b1db8fdc |
\Users\Admin\AppData\Local\Temp\heapswim.dll
| MD5 | 9416e6675854a25cd39e3fc0b1276651 |
| SHA1 | b8b9abcfeb6da90f0232feb1a3852741639a937e |
| SHA256 | fd683f8c3e8ca5b3f78a9175f7deb61b6c4ebcd3d3ac0cb199f8b53f3dfe8d87 |
| SHA512 | b1f1ebd36df70db8b57f4906e604a5947c1bc8f554c9d5b789d78414f6dfbcc0b9847a0ec95fce4ada188ca18b0202a2340b47e4dc626d20ee934c91a13f7eea |
C:\Users\Admin\AppData\Local\Temp\heapswim.dll
| MD5 | dd76999007aa8afa4f8e690bdb5111ac |
| SHA1 | 49c22b414e983d073c684830b3a3bbbdf1f9f14a |
| SHA256 | 6f60d359d59b31d01bbf061837683fa0463c89bc7479950f2d1ce04bf8b77599 |
| SHA512 | 4f5f559178781d8d95bf10e67c485f3232b5612d732d0d4d4e01368b9662abe0cf72e96895ffbd77215c17a0264a979843e52d10f158b110b75cf819a7a17de7 |
memory/1004-1385-0x0000000000390000-0x00000000003B3000-memory.dmp
memory/1004-1384-0x000007FEF6F50000-0x000007FEF7009000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-26 12:27
Reported
2024-01-26 12:30
Platform
win10v2004-20231215-en
Max time kernel
135s
Max time network
144s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\28325142147799.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28325142147799.js" "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat" && "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat"
C:\Windows\system32\findstr.exe
findstr /V ricehat ""C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode tinsoak heapswim.dll
C:\Windows\system32\cmd.exe
cmd /c rundll32 heapswim.dll,m
C:\Windows\system32\rundll32.exe
rundll32 heapswim.dll,m
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\suspectfeeble.bat
| MD5 | e142b6e92af05edd784ecea426ea62ae |
| SHA1 | 4b4a1e8489acef2c4a27dfe4f9de1b2e4a14f86e |
| SHA256 | 4b2fb816282af672a02dd4f13fff81f00f6f3825c7c9329dca4bf934412b8322 |
| SHA512 | a69d6958f60427fcf8e66c41a6b64e9033eb6504aaf05d5be62a849efcf113996dfd14a24d256fab43e53e4694c3a5f19bd3a298052c793f346fe4d04f34cee3 |
C:\Users\Admin\AppData\Local\Temp\tinsoak
| MD5 | 9ed413fb2d65047ce18bdd9bd2d738a7 |
| SHA1 | dbcdb9612ac5c51f3940f0e28377e749153beb72 |
| SHA256 | cbb12b164a282becaae013b43a7b948bf3e9a913340cc35dd0d915720bfde909 |
| SHA512 | 403d48fd20c2d0e807064af5acf978a7329833229700f18b7f170b313853f8a345782a2541817c945742f7752b38a848c4230298f1bf4920dfcaa859a8f4ded9 |
C:\Users\Admin\AppData\Local\Temp\heapswim.dll
| MD5 | e369903ea87d49ddf23c1682a5e8d01e |
| SHA1 | 0b50b560770cf44c8d95286d7d67fa27871f7d1a |
| SHA256 | 80a58fc6fc8ce8929996f6cd56b97cb729cf8bfe2b07c02b112b6b6d96f02423 |
| SHA512 | 359dd3a3c2341c5f0fd5c60538bf0c10f8efbf818376a2f049bc2f9f5c5fe9c9d9d2077da115e28ea9b0fa69961df68eaa667fd220402b9eb4eb679969df2a09 |
memory/4548-1381-0x00007FFDEF0B0000-0x00007FFDEF169000-memory.dmp
memory/4548-1382-0x00000209FFA40000-0x00000209FFA63000-memory.dmp