Malware Analysis Report

2025-01-18 09:30

Sample ID 240127-lcrswshch8
Target 64201921222189.js
SHA256 dbd9dcd47010476f23da069f9d2c41c9f20b08bf3eb506c5c8bdb6dfa6811c4d
Tags strela stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 dbd9dcd47010476f23da069f9d2c41c9f20b08bf3eb506c5c8bdb6dfa6811c4d

Threat Level: Known bad

The file 64201921222189.js was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Opens file in notepad (likely ransom note)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-27 09:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 09:23

Reported

2024-01-27 09:27

Platform

win7-20231215-en

Max time kernel

117s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\64201921222189.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\hh.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\hh.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\hh.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\hh.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Notepad.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\hh.exe | N/A
N/A | N/A | C:\Windows\hh.exe | N/A
N/A | N/A | C:\Windows\System32\Notepad.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\hh.exe | N/A
N/A | N/A | C:\Windows\hh.exe | N/A
N/A | N/A | C:\Windows\hh.exe | N/A
N/A | N/A | C:\Windows\hh.exe | N/A
N/A | N/A | C:\Windows\hh.exe | N/A
N/A | N/A | C:\Windows\hh.exe | N/A
N/A | N/A | C:\Windows\hh.exe | N/A
N/A | N/A | C:\Windows\hh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1992 wrote to memory of 2752 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 1992 wrote to memory of 2752 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 1992 wrote to memory of 2752 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2752 wrote to memory of 600 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2752 wrote to memory of 600 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2752 wrote to memory of 600 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2752 wrote to memory of 1564 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2752 wrote to memory of 1564 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2752 wrote to memory of 1564 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2752 wrote to memory of 2444 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2752 wrote to memory of 2444 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2752 wrote to memory of 2444 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2752 wrote to memory of 2096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2752 wrote to memory of 2096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2752 wrote to memory of 2096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2752 wrote to memory of 2960 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2752 wrote to memory of 2960 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2752 wrote to memory of 2960 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2752 wrote to memory of 1716 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2752 wrote to memory of 1716 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2752 wrote to memory of 1716 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2752 wrote to memory of 1992 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2752 wrote to memory of 1992 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2752 wrote to memory of 1992 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 1992 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 1992 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\64201921222189.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\64201921222189.js" "C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat" && "C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat"

C:\Windows\hh.exe

Hh …

C:\Windows\hh.exe

Hh …

C:\Windows\hh.exe

Hh …

C:\Windows\hh.exe

Hh …

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\StopProtect.vbe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\StopProtect.vbe"

C:\Windows\system32\findstr.exe

findstr /V pokeskip ""C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode merezephyr seemlyvegetable.dll

C:\Windows\system32\cmd.exe

cmd /c rundll32 seemlyvegetable.dll,m

C:\Windows\system32\rundll32.exe

rundll32 seemlyvegetable.dll,m

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\geeserecord.bat

MD5 9ad0dc56c7f7492b4555812c774fe3d6
SHA1 4b18214b4b08864f0073f56d098e2b4f0f1997ec
SHA256 dbd9dcd47010476f23da069f9d2c41c9f20b08bf3eb506c5c8bdb6dfa6811c4d
SHA512 01195cd51e6e47026d12b1c07c235704abe3e953e518ae14d0bcde6ee724667d318420d5e1b4e0784fcd52a388fd44046a44eacca017cd7e2da7e15d561707d2

memory/600-186-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

memory/1564-2626-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K0WM73A\errorPageStrings[2]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K0WM73A\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

memory/2096-8660-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\merezephyr

MD5 a0c8c19362df1bd5d90bb4b055935992
SHA1 a5f6aafa96b5c0dd85d9f6ed8c2192febdee1b71
SHA256 0f03c75d4e91d78c504977856a8f6320e1742e52aaf83967a9bc6193218c408b
SHA512 61e87193de5613990ebb87a2e76b10149bccfe9055cc71cd13b9f8c70822bea09be011a5d1a22cc5b08ad26aa32beb3433f1fe34c6224dbce1af252e33003878

C:\Users\Admin\AppData\Local\Temp\seemlyvegetable.dll

MD5 ea54ab5eea76e4481dda3ccb96c1afbf
SHA1 403fba15b57edd61049d58dd2ce834c758663169
SHA256 1941291021f094ca1bf945637320c446d4fd2a80db9a44f127528ad521163e8d
SHA512 19e4af52104639212ece742304005734a5d2be5a5204217b8464a4d3b9bc1222febf093b5425cf10c9be0d05458257ee3b9c5a16caa1a0e0812d34d080087a35

\Users\Admin\AppData\Local\Temp\seemlyvegetable.dll

MD5 ee0c3b7659ffba9c02a7d05dd53f1215
SHA1 7105afbf492cf6fffcd18bec16b59f2f3e24d260
SHA256 142994f123a1238d2387d00a58b709b2a07429cf1d024f65f97279afa01dfc74
SHA512 57f6d26b226f99d459e1de57ea7c72480cd316267095c615e564db190a053daa82338bf66ffdbd463d5e39ef2057667d2f23bc42ee5a4abe7bcc0679bbfeb319

memory/2972-12889-0x0000000001BE0000-0x0000000001C03000-memory.dmp

memory/2972-12888-0x000007FEF59F0000-0x000007FEF5EB8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-27 09:23

Reported

2024-01-27 09:27

Platform

win10-20231215-en

Max time kernel

190s

Max time network

192s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\64201921222189.js

Signatures

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\hh.exe | N/A
N/A | N/A | C:\Windows\hh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4292 wrote to memory of 1420 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 4292 wrote to memory of 1420 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 1420 wrote to memory of 2416 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 1420 wrote to memory of 2416 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\64201921222189.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\64201921222189.js" "C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat" && "C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat"

C:\Windows\hh.exe

Hh …

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\geeserecord.bat

MD5 34a22ea77357fa86dd4fece5ce6080d0
SHA1 e463ce098d16c5849e5f369bb1cf1e8e68ca79e5
SHA256 ee067c8a1b433cf171074a594bd53bcbb23b06ab72b140b0c1d7052f1d6f48c1
SHA512 266d2d153908abdf07b484c3fad9237dd7b6851501c31e59bd6b0c2e3249d2091dd506588456797dbfe1676197479cca0498ae8cbba4944f44767494da38a751

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-27 09:23

Reported

2024-01-27 09:27

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

197s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\64201921222189.js

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\hh.exe | N/A
N/A | N/A | C:\Windows\hh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1832 wrote to memory of 2900 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 1832 wrote to memory of 2900 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2900 wrote to memory of 4332 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2900 wrote to memory of 4332 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\64201921222189.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\64201921222189.js" "C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat" && "C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat"

C:\Windows\hh.exe

Hh …

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\geeserecord.bat

MD5 9ad0dc56c7f7492b4555812c774fe3d6
SHA1 4b18214b4b08864f0073f56d098e2b4f0f1997ec
SHA256 dbd9dcd47010476f23da069f9d2c41c9f20b08bf3eb506c5c8bdb6dfa6811c4d
SHA512 01195cd51e6e47026d12b1c07c235704abe3e953e518ae14d0bcde6ee724667d318420d5e1b4e0784fcd52a388fd44046a44eacca017cd7e2da7e15d561707d2

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-27 09:23

Reported

2024-01-27 09:27

Platform

win11-20231222-en

Max time kernel

203s

Max time network

196s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\64201921222189.js

Signatures

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\hh.exe | N/A
N/A | N/A | C:\Windows\hh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2104 wrote to memory of 2000 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2104 wrote to memory of 2000 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2000 wrote to memory of 3060 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe
PID 2000 wrote to memory of 3060 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\hh.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\64201921222189.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\64201921222189.js" "C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat" && "C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat"

C:\Windows\hh.exe

Hh …

Network

Files

C:\Users\Admin\AppData\Local\Temp\geeserecord.bat

MD5 9ad0dc56c7f7492b4555812c774fe3d6
SHA1 4b18214b4b08864f0073f56d098e2b4f0f1997ec
SHA256 dbd9dcd47010476f23da069f9d2c41c9f20b08bf3eb506c5c8bdb6dfa6811c4d
SHA512 01195cd51e6e47026d12b1c07c235704abe3e953e518ae14d0bcde6ee724667d318420d5e1b4e0784fcd52a388fd44046a44eacca017cd7e2da7e15d561707d2