Analysis Overview
SHA256
cf5f5b0a1d18d969ed91d3c5b3c43b043da5f753ac7e6d584cea2805be6fc283
Threat Level: Known bad
The file quisisana-ag.zip was found to be: Known bad.
Malicious Activity Summary
Strela
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-02 14:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-02 14:52
Reported
2024-02-02 14:54
Platform
win7-20231215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"
C:\Windows\system32\findstr.exe
findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode insidiouswall ladybugwork.dll
C:\Windows\system32\rundll32.exe
rundll32 ladybugwork.dll,main
Network
Files
C:\Users\Admin\vaguetongue.bat
| MD5 | c587f03e38a7ca5ac023ef8745264eb4 |
| SHA1 | a01598d9c8812f2609f0a868c8e44a81ad3c0685 |
| SHA256 | 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a |
| SHA512 | e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816 |
C:\Users\Admin\vaguetongue.bat
| MD5 | 23bec89b6b4e73b890e6373139e1b510 |
| SHA1 | d84d91af2f42c977b61a6ee5a5ff5c825abbb5fa |
| SHA256 | 0b172321d9251d2348df4291672ee7307e7c97100072bd9e765cce99bb13127c |
| SHA512 | 31e54378d606ecbc46b6f7caba9c7bb6b2914180a2e254bc88e5aa2587b815ec3a372eb779072f79c8a2174240512272eabf60a7abf3ba11c9e8445bb25c5dda |
C:\Users\Admin\insidiouswall
| MD5 | 20d4ef96f2f9caa7370ff1ad48c45fec |
| SHA1 | 3e0050926e1053b98ec31f4cbf605fc4a4f6f649 |
| SHA256 | c156b77e4b3ab8420ed28b9ef833a9f5347599b8105f437cf528eb8a5b94cc61 |
| SHA512 | 61926516dbb1074fc3d4440113c90d4648cd68df51b8b78cce512aca10824638c3df7aa3fde3dd03e17a4327043ee65feba2c94829e1a4ab9248a4b0f8986ea5 |
C:\Users\Admin\ladybugwork.dll
| MD5 | 890552c641f835a3c95cff37c723dd03 |
| SHA1 | 091e988bc7a0964f0f4f5713963a2c10dd55eb69 |
| SHA256 | 74dba4602420500949cc29d49b1a3a4c2eda117a57e8b381e160ea776e0a7aca |
| SHA512 | ae91a294130995e928e4a70be92cb805d37c6f7cf8cd243c559d76592d3c10d43be9175a42274a0cfd22ae9fe0da7f37a6402e19ca2e68475a0ba2fe658843fd |
\Users\Admin\ladybugwork.dll
| MD5 | 38a8e89fa048a9e16da38ed856b0de7a |
| SHA1 | 1d10e416ad37270b52a9fea220b14b83a478b510 |
| SHA256 | 1fd09bae3d70c44ae72babbe071c0ef0b1553bb807b20e8b625802e5a7e9bad1 |
| SHA512 | ba7da3fa6f804e1f743aadf199d838136acf3458ba774b7590f04925b2c0b3161dc7693db0e1ffba25f8486da27897c8414d48b0a8747c393eb7c3811acfe711 |
\Users\Admin\ladybugwork.dll
| MD5 | 325026c11fbe6981a88e05ef236fbb60 |
| SHA1 | 8ec4f01340d6810b0f2b58f0854892f0a14db606 |
| SHA256 | 17b6adf1b6e29a589bff2bed3b4288cf3edcda6f84a131377c8c64e942323c53 |
| SHA512 | 72be7001376f9c47a70b7f32bb7cbce08f94296f296a715968e15683a2a13108980f074afab0bd9b7e245da3ba604a89cb3a0160349b433b2d9ac857e0d0552f |
\Users\Admin\ladybugwork.dll
| MD5 | 2576ea62768fb301fe7db961e005ee21 |
| SHA1 | e985dd24f96fa26b803dbc573465820007bfe304 |
| SHA256 | ca2f8f9266aefefad9b32479aca3acf74a814b4670daf6ffe8e6c305fdd1f203 |
| SHA512 | 574ec796787e8eb5466c542cfa886115ebf24a802feefbb38e1eea49a07acd49b87fd202862bc139472a1fe35089475a00541d9c083c029d3eb0459537773bb9 |
\Users\Admin\ladybugwork.dll
| MD5 | 9a1a23f5933c216e489a7f70aaf59b3d |
| SHA1 | 850542e45108caed0785f3b97e98ec12c176c685 |
| SHA256 | 20175eaff3959a9e83350e9086cf9d892344b52ec88606c5be74103be1eef793 |
| SHA512 | 94154a9019f912062fe541cee7ac3847ef0c3da3db9dd58bc52f2ca443e78e9d2058da1c87b1e03e996862423f4025053ac2d46bbfdc90b16e7f6dc0ae24974b |
memory/2832-2009-0x0000000000110000-0x0000000000133000-memory.dmp
memory/2832-2008-0x000007FEF5A30000-0x000007FEF5BA2000-memory.dmp
memory/2832-2010-0x0000000000110000-0x0000000000133000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-02 14:52
Reported
2024-02-02 14:54
Platform
win10v2004-20231215-en
Max time kernel
129s
Max time network
150s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1096 wrote to memory of 1764 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1096 wrote to memory of 1764 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1764 wrote to memory of 3268 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 1764 wrote to memory of 3268 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 1764 wrote to memory of 4360 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1764 wrote to memory of 4360 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1764 wrote to memory of 3196 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1764 wrote to memory of 3196 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"
C:\Windows\system32\findstr.exe
findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode insidiouswall ladybugwork.dll
C:\Windows\system32\rundll32.exe
rundll32 ladybugwork.dll,main
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\vaguetongue.bat
| MD5 | c587f03e38a7ca5ac023ef8745264eb4 |
| SHA1 | a01598d9c8812f2609f0a868c8e44a81ad3c0685 |
| SHA256 | 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a |
| SHA512 | e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816 |
C:\Users\Admin\insidiouswall
| MD5 | 73c7a5a0060662b6d39adb4933d83d7e |
| SHA1 | 97c0a2102a6398047b0256316f235279e74afe3d |
| SHA256 | dfd5b00748f07ce813bbf47c4128912ed5517b1e9fd1a1d6f5eeb6c4e2e751b5 |
| SHA512 | 629b6439e44a4ba8dc502228ca269a8e9e8b7ea9b7459b2565c467d0ed059db8cf0f58f25d7cd7c4892cae52c8c52f87c818e4cd36235d7c648d5b27cb450084 |
C:\Users\Admin\ladybugwork.dll
| MD5 | 172a0cf1298ee04df575d6fd591ec63c |
| SHA1 | 29fab1e4477846d226c7e81994958137992a6aed |
| SHA256 | f7df69f6ccb0e06757846ef8e5d4e02026757981b3cdcc7dcf4fd1598c24222c |
| SHA512 | 6cc1740825c4da4d3623dd982613c7581410d007d37ac76277683592f562e080101cd1eee40a1b96fd86683b5db887452596fd87e413c6c6570dcac9113dfae8 |
C:\Users\Admin\ladybugwork.dll
| MD5 | 6dcd37226bb68e40f5b6e58361bb0210 |
| SHA1 | bb2a47f726aa56a658822ce575b5363f5257047f |
| SHA256 | 639e341b9fc9d256a502d91b784798e09c77fabe6347567a8bbff9c0819c9037 |
| SHA512 | 203ee3765f0073ae0d246cb0c4b6eab7d9d989a6487baef91bf8e52d57ee1d033564b0fee519612178e6343f3e1884bc16f959f2ea967b317cafba0048febf7f |
memory/3196-2006-0x000001DA86B00000-0x000001DA86B23000-memory.dmp
memory/3196-2005-0x00007FFF3C0F0000-0x00007FFF3C262000-memory.dmp
memory/3196-2007-0x000001DA86B00000-0x000001DA86B23000-memory.dmp