Analysis Overview
SHA256
16dbe515cf6abb556aeec4f89f837af4fb66f8d279dcd05832cc9b9eb9c29d4f
Threat Level: Known bad
The file 6a6c6d9614e572fedbfb8d2eb108bb42.bin was found to be: Known bad.
Malicious Activity Summary
Strela
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-02 01:21
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-02 01:21
Reported
2024-02-02 01:24
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1468 wrote to memory of 4888 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1468 wrote to memory of 4888 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4888 wrote to memory of 4944 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4888 wrote to memory of 4944 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4888 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4888 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4888 wrote to memory of 4716 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 4888 wrote to memory of 4716 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js" "C:\Users\Admin\\pleasantobject.bat" && "C:\Users\Admin\\pleasantobject.bat"
C:\Windows\system32\findstr.exe
findstr /V militarysnore ""C:\Users\Admin\\pleasantobject.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode shakyinconclusive gatewoman.dll
C:\Windows\system32\rundll32.exe
rundll32 gatewoman.dll,main
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\pleasantobject.bat
| MD5 | 6a6c6d9614e572fedbfb8d2eb108bb42 |
| SHA1 | 347b37c4eb1c9d6f6d18d7ec13291436b43bab79 |
| SHA256 | 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b |
| SHA512 | e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499 |
C:\Users\Admin\shakyinconclusive
| MD5 | 6423b4a456dc34d7c6f67740aaa371fa |
| SHA1 | d9d4c432b60581b9d8b3fdd55e781ce5ff5e6df5 |
| SHA256 | 25abcd9fb9ee09402dbc40b58466283739f223932fef07239f11548af088e9b4 |
| SHA512 | 31c99c287ad497c14f70bd99163e9304952f662089b774ebbc94bf70c07e27ecc683d9e4ace957f17028883c0643e55a0e5ffcceaacc33e95ffd9f748c61b181 |
C:\Users\Admin\gatewoman.dll
| MD5 | d5f35509799fe456a67d41558f1b0f80 |
| SHA1 | c7d1cb4541fadc69dc2f3a6f04b2940600d12e5c |
| SHA256 | ae1388f95f2678b7b6aabaf430b646710cdea10850c2556fbfcc0fb068e6fe4e |
| SHA512 | a9ed4db26bde7a085678ad15fb01e6be0ff4af0c8ffc5f6cdde99d9141b01e6889dbe2f172ae1723f479e0c75488eee6a7a6e79a7529c4dbb95381a80a1c6e48 |
memory/4716-1415-0x00007FFA32080000-0x00007FFA3218E000-memory.dmp
memory/4716-1416-0x0000021761160000-0x0000021761183000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-02 01:21
Reported
2024-02-02 01:24
Platform
win7-20231215-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js" "C:\Users\Admin\\pleasantobject.bat" && "C:\Users\Admin\\pleasantobject.bat"
C:\Windows\system32\findstr.exe
findstr /V militarysnore ""C:\Users\Admin\\pleasantobject.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode shakyinconclusive gatewoman.dll
C:\Windows\system32\rundll32.exe
rundll32 gatewoman.dll,main
Network
Files
C:\Users\Admin\pleasantobject.bat
| MD5 | 6a6c6d9614e572fedbfb8d2eb108bb42 |
| SHA1 | 347b37c4eb1c9d6f6d18d7ec13291436b43bab79 |
| SHA256 | 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b |
| SHA512 | e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499 |
C:\Users\Admin\shakyinconclusive
| MD5 | 6423b4a456dc34d7c6f67740aaa371fa |
| SHA1 | d9d4c432b60581b9d8b3fdd55e781ce5ff5e6df5 |
| SHA256 | 25abcd9fb9ee09402dbc40b58466283739f223932fef07239f11548af088e9b4 |
| SHA512 | 31c99c287ad497c14f70bd99163e9304952f662089b774ebbc94bf70c07e27ecc683d9e4ace957f17028883c0643e55a0e5ffcceaacc33e95ffd9f748c61b181 |
C:\Users\Admin\gatewoman.dll
| MD5 | d5f35509799fe456a67d41558f1b0f80 |
| SHA1 | c7d1cb4541fadc69dc2f3a6f04b2940600d12e5c |
| SHA256 | ae1388f95f2678b7b6aabaf430b646710cdea10850c2556fbfcc0fb068e6fe4e |
| SHA512 | a9ed4db26bde7a085678ad15fb01e6be0ff4af0c8ffc5f6cdde99d9141b01e6889dbe2f172ae1723f479e0c75488eee6a7a6e79a7529c4dbb95381a80a1c6e48 |
\Users\Admin\gatewoman.dll
| MD5 | d153ed33d30e2ddaf89bf9ee439b07e5 |
| SHA1 | 7d97952ccbaae8ef669464b667e0566a301beb46 |
| SHA256 | 117e67076bf63f47a24099cab489c90003e23989442e57c42c381dbdf460dbe6 |
| SHA512 | e4afff2ac31fff6876b1b7165d2d4aaaa484bb051c02732e66fc2bc12a11bea90eb3135e3f13aec1b91a06deac057ada664f50761a333a95d457a6ffe4af1a2a |
\Users\Admin\gatewoman.dll
| MD5 | 1c0567e97eafda1b89ffef4c07203663 |
| SHA1 | 8999360c907c3b8666560489fff27cb961f6696d |
| SHA256 | b6f49829c861ae5f62fcefb7530216f569a5456a8b6be8b5cbea6034f337471c |
| SHA512 | ed35582dfa1160c1bc1b9a53685f45a83b94567577622bd83037e53e0d4d65ab6703b3a67d72fadb8b4307b65b0f621a8bf72f0b4e6940e74c1a62efa65e766f |
\Users\Admin\gatewoman.dll
| MD5 | 383c9535bc906a81b652350b90fe8943 |
| SHA1 | ac03b4ced15266054e4d7b604629ed7bb5cfdab9 |
| SHA256 | f5a39c00cb381c72986c11668410e2a57b6f1b936236f5cf62480af3fcb41aec |
| SHA512 | 779926622aacb6ad1e93c3c19d9d8ea498546ad83c2e8e5f6f4bdde0304018cb41db0f88bb3c11015fd48dfc3be5b079d1ce100e4d0299cf4c62ba7064ed59f0 |
\Users\Admin\gatewoman.dll
| MD5 | 412ae68a9ced8fb389a7048b5556597c |
| SHA1 | abfdb7330d907734e704b7b06185886a82c1c3ef |
| SHA256 | 27d9881869e2cf3e551ca22189b0f5c59beb890726df478943b5218829eecafb |
| SHA512 | 00ca0b10cdbbc9733604c1a9112202ba7f255aefa4a41e4ba8544951885eb2f4e3d7ca768761c831f6bbc834906162ef2df79f45c9bc2c90e2e12bf978350605 |
memory/1408-1418-0x000007FEF6510000-0x000007FEF661E000-memory.dmp
memory/1408-1419-0x0000000000280000-0x00000000002A3000-memory.dmp