Analysis Overview
SHA256
e8caf52bbaedb485fcfe0a3b3e9aa5cc5ae3bec03f1d348c5b15075d4e67ea9a
Threat Level: Known bad
The file 04022024_2303_02022024_tshirtstore.zip was found to be: Known bad.
Malicious Activity Summary
Strela
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-04 15:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-04 15:03
Reported
2024-02-04 15:06
Platform
win7-20231215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js" "C:\Users\Admin\\womanlypoor.bat" && "C:\Users\Admin\\womanlypoor.bat"
C:\Windows\system32\findstr.exe
findstr /V mellowfemale ""C:\Users\Admin\\womanlypoor.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode comfortablesteer scorchapparatus.dll
C:\Windows\system32\rundll32.exe
rundll32 scorchapparatus.dll,main
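The five command lines above are the whole delivery chain: the JScript dropper copies itself to womanlypoor.bat, runs findstr /V against that file to discard every line containing the token mellowfemale, hands the surviving lines to certutil -decode, and loads the resulting DLL with rundll32. An analyst can recover the payload without detonating anything by replaying the first two steps offline. The Python below is an added example written for this page, not code from the report or from the sample; the marker and filenames are taken from the command lines, but the layout of the script (that each wrapper line carries the marker, and that findstr's output is redirected to comfortablesteer) is an assumption, because the report shows the commands and not the file contents. The SAMPLE_SCRIPT is a constructed stand-in whose "payload" is a fake MZ stub, not the real Strela DLL.

```python
import base64
import hashlib
import re

# Marker from the dropper's findstr command line on this page. findstr /V prints
# every line that does NOT contain it (case-sensitive, since no /I was given).
# Assumption: the wrapper script carries the marker on each of its own lines so
# that only the base64 body survives the filter.
MARKER = "mellowfemale"

# Constructed stand-in for womanlypoor.bat: a short wrapper plus a PEM-armoured
# base64 body. The payload is a fake PE stub (MZ magic, dummy PE signature),
# not the real DLL from the report.
_FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 58
_B64 = base64.b64encode(_FAKE_DLL).decode()
SAMPLE_SCRIPT = "\r\n".join(
    [
        "@echo off & rem " + MARKER,
        'findstr /V %s "%%~f0" > comfortablesteer & rem %s' % (MARKER, MARKER),
        "certutil -f -decode comfortablesteer scorchapparatus.dll & rem " + MARKER,
        "rundll32 scorchapparatus.dll,main & rem " + MARKER,
        "exit /b & rem " + MARKER,
        "-----BEGIN CERTIFICATE-----",
    ]
    + [_B64[i : i + 64] for i in range(0, len(_B64), 64)]
    + ["-----END CERTIFICATE-----"]
)

_B64_LINE = re.compile(r"^[A-Za-z0-9+/=]+$")


def findstr_v(text: str, marker: str) -> list[str]:
    """Emulate `findstr /V <marker> <file>`: keep only lines lacking the marker."""
    return [ln for ln in text.splitlines() if marker not in ln]


def certutil_decode(lines: list[str]) -> bytes:
    """Emulate `certutil -decode`: drop PEM armour and blank lines, then
    base64-decode the rest. certutil accepts both armoured and bare base64;
    a line that is neither means the filter left wrapper text behind, so
    fail loudly rather than guess."""
    body = []
    for ln in lines:
        ln = ln.strip()
        if not ln or ln.startswith("-----"):
            continue
        if not _B64_LINE.match(ln):
            raise ValueError(f"non-base64 line survived the filter: {ln[:40]!r}")
        body.append(ln)
    return base64.b64decode("".join(body), validate=True)


def recover_payload(script_text: str, marker: str = MARKER) -> dict:
    """Replay the two-stage carve and summarise the result for triage."""
    data = certutil_decode(findstr_v(script_text, marker))
    return {
        "size": len(data),
        "is_pe": data[:2] == b"MZ",
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def payload_recoverable(script_text: str, marker: str) -> bool:
    """True when the marker yields a clean base64 body. Handy when the findstr
    command line of a new variant is known but the carrier is unfamiliar."""
    try:
        recover_payload(script_text, marker)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


if __name__ == "__main__":
    print(recover_payload(SAMPLE_SCRIPT))
```

Point recover_payload at the real womanlypoor.bat (read as text) with the marker from the findstr command line and check is_pe before hashing: if a wrapper line slips through the filter certutil_decode raises instead of silently producing a truncated DLL, which is also why a dropper author has to pick a marker that never occurs inside its own base64 body.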
Network
Files
C:\Users\Admin\womanlypoor.bat
| MD5 | 5691f001d9a83639c5f6fed3e999e090 |
| SHA1 | 2ba3ef2e2cca6dfdf154b0565901b4da5833cab9 |
| SHA256 | 7780f61445e2a2ca907d5f1292a02da7753c8959902ea54b1e4bc5bdb655d95e |
| SHA512 | 9a3188340367feab9734c183a7c43cc98a7de149ecfe3bff27e73de717d9826aa5eab1ab4f532ebcbb43a362f274866bf342c3896fa52d56659daca5daa9eb65 |
C:\Users\Admin\womanlypoor.bat
| MD5 | 86feb3958edd3359028fb58fb342b956 |
| SHA1 | 7cdc2415951d668cc81a2145ccd16e8ca9bb625f |
| SHA256 | cc361c51487d162c04329d6d4bcffc0d3b2e0f2d5bb17ff41c7ac59dfd81cf17 |
| SHA512 | 94d801679279f385193b880c7f7466c1653ee073a9e164fe727e9b88d07408161c4a097c891d123932fdcec2dbc2205a8787384face85e585fda483498d210aa |
C:\Users\Admin\comfortablesteer
| MD5 | 85c5984b1c3e85af87341c9849e6e414 |
| SHA1 | f290180076dcaba1dbfa649e359f479ca68bc2db |
| SHA256 | 886c894b9f537531ac52bab36464ae8f5bb3358a89984a3f02fddc6b7445b306 |
| SHA512 | f11e3405b58a935d30a0395c758ade37c641419bc5b443daedba769f31e3e688c0235a41309d1e0e321d7d79c0176493e47f9d9991eb947e0a4d84fef069d165 |
\Users\Admin\scorchapparatus.dll
| MD5 | 32fe5e6e9827b4e8286f876360a41959 |
| SHA1 | 1b23dcc78e51b7c87d634a4ceee61d92180ac769 |
| SHA256 | ef54d38aa8a68214d5d9f2ea9a20e3d877f9be8d94bfb36f01dc9c38bcc3a708 |
| SHA512 | 65a6babc7f57bf139d61c4834abc8d6d23a4969b1086a86a8e250d783304838225a32301b4166bc1dcd23086a66d514e1ee316ce25d504f85c03d2a7713d50de |
\Users\Admin\scorchapparatus.dll
| MD5 | c5c1b3015e1feb0176b3123d0ab80e02 |
| SHA1 | e57b5efbf81602105a582f82bf250cc8ebdbba58 |
| SHA256 | f325fa4313c0db43df400fba1a99c129dd3d46ce3ac94cffba04f1703096e7fe |
| SHA512 | a76d1a9254a77428f87b59a5ce5f71a39ddd8b61a7e54ff65211cd5fd6510c33433f085bba35a0d154005fb8dafb63ef513a56674540c7b1bc063915aa1e0ebb |
\Users\Admin\scorchapparatus.dll
| MD5 | d9efaa2e2292c8255074099bc4db605a |
| SHA1 | 584464ab51dd13b5942e405d94f95edc0cc224ec |
| SHA256 | 1e36b0d2a4cf63f7729700d16cec4478fef537a0ebdb4b30e6634db8ae651385 |
| SHA512 | c380b9ef68154b28b8e806e8a84b55414057621a5fcaf13f4d5a957eb7f235afb17b565e70640bf8d5c67f6a69d411aa32a76c97a551ae88c69d8ea682635ca1 |
\Users\Admin\scorchapparatus.dll
| MD5 | c8fd979ac8a4fa4d9c48896b5cdb8c98 |
| SHA1 | 7a0112c6e52ab0ce87e056a7039eaafb6729de5b |
| SHA256 | 1a5e43ce2aa335d0819a04fe9fc3f0e030bcb6266826785cecdff0b1fc47b238 |
| SHA512 | 5ff9a29ea3586473283008918d1f17040e6b7f12872bb8012e795518f15d6c8d49c7dff43074ab633598d4e917773ae2fd8ea371ef2b009cf2b2874bc40af44c |
C:\Users\Admin\scorchapparatus.dll
| MD5 | 66ab7d46797406c3e66099d060e7ba6f |
| SHA1 | 329a7eecefbd5f5f138a7ca51593fcb81467d928 |
| SHA256 | fa67fcbf0cc99749ce84cc5730f81304c2f8042b6e1ae13fb47fe0b535310a00 |
| SHA512 | 81488283aadb5ad93569ae78da3094ded001087df76b22fa744d5c10acff465d83e5222128546fa46fe6c2616ee60a8f345d7bd7c5c939a165b3f798b9df4d3e |
memory/2072-1779-0x000007FEF68D0000-0x000007FEF6A1A000-memory.dmp
memory/2072-1780-0x0000000000680000-0x00000000006A3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-04 15:03
Reported
2024-02-04 15:06
Platform
win10v2004-20231215-en
Max time kernel
140s
Max time network
145s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3216 wrote to memory of 1300 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 3216 wrote to memory of 1300 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1300 wrote to memory of 2096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 1300 wrote to memory of 2096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 1300 wrote to memory of 5032 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1300 wrote to memory of 5032 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1300 wrote to memory of 5036 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1300 wrote to memory of 5036 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js" "C:\Users\Admin\\womanlypoor.bat" && "C:\Users\Admin\\womanlypoor.bat"
C:\Windows\system32\findstr.exe
findstr /V mellowfemale ""C:\Users\Admin\\womanlypoor.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode comfortablesteer scorchapparatus.dll
C:\Windows\system32\rundll32.exe
rundll32 scorchapparatus.dll,main
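The WriteProcessMemory table and the process list together give the parent/child links that a detection should key on: wscript.exe (3216) spawns cmd.exe (1300), which spawns findstr.exe (2096), certutil.exe (5032) and rundll32.exe (5036), and the file certutil writes is the DLL rundll32 loads. The following Python is an added example for this page, not a rule from the sandbox vendor or any published ruleset: it rebuilds the tree from those five events (PIDs and command lines from the report; wscript's parent is not shown, so ppid 0 is an assumption) and flags the chain by tying certutil's output file to rundll32's argument rather than alerting on certutil alone, which is noisy in enterprise telemetry. The ATT&CK identifiers in the findings are the standard ones for decoding (T1140), rundll32 proxy execution (T1218.011) and JScript execution (T1059.007).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the behavioral2 process list and parent/child pairs on this
# page. PIDs are the report's; ppid 0 for wscript is an assumption.
EVENTS = [
    ProcEvent(3216, 0, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js"),
    ProcEvent(1300, 3216, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js" "C:\Users\Admin\\womanlypoor.bat" && "C:\Users\Admin\\womanlypoor.bat"'),
    ProcEvent(2096, 1300, r"C:\Windows\system32\findstr.exe",
              r'findstr /V mellowfemale ""C:\Users\Admin\\womanlypoor.bat""'),
    ProcEvent(5032, 1300, r"C:\Windows\system32\certutil.exe",
              r"certutil -f -decode comfortablesteer scorchapparatus.dll"),
    ProcEvent(5036, 1300, r"C:\Windows\system32\rundll32.exe",
              r"rundll32 scorchapparatus.dll,main"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
_CERTUTIL_DECODE = re.compile(r"-decode\s+(\S+)\s+(\S+)", re.I)
_RUNDLL32_ARGS = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*(\w+)', re.I)


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _ancestors(ev: ProcEvent, by_pid: dict):
    """Walk ppid links upward, guarding against PID reuse loops."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect_certutil_rundll32_chain(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, description) findings for the decode-then-load pattern."""
    by_pid = {e.pid: e for e in events}
    findings = []

    # 1. certutil used as a decoder: remember the basename of each output file.
    decoded = {}
    for e in events:
        if _name(e.image) == "certutil.exe":
            m = _CERTUTIL_DECODE.search(e.cmdline)
            if m:
                out = m.group(2).rsplit("\\", 1)[-1].lower()
                decoded[out] = e
                findings.append((e.pid, f"T1140 certutil -decode wrote {out}"))

    # 2. rundll32 loading exactly the file certutil produced, and
    # 3. that rundll32 descending from a script host.
    for e in events:
        if _name(e.image) != "rundll32.exe":
            continue
        m = _RUNDLL32_ARGS.search(e.cmdline)
        if not m:
            continue
        dll = m.group(1).strip().rsplit("\\", 1)[-1].lower()
        if dll in decoded:
            findings.append((e.pid, f"T1218.011 rundll32 loads certutil-decoded {dll},{m.group(2)}"))
        if any(_name(a.image) in SCRIPT_HOSTS for a in _ancestors(e, by_pid)):
            findings.append((e.pid, "T1059.007 rundll32 descends from wscript/cscript"))

    # 4. findstr /V carving a carrier file in the same cmd session as certutil.
    for e in events:
        if _name(e.image) == "findstr.exe" and re.search(r"\s/V\s", e.cmdline, re.I):
            if any(s.ppid == e.ppid and _name(s.image) == "certutil.exe" for s in events):
                findings.append((e.pid, "findstr /V carve followed by certutil in same cmd session"))
    return findings


if __name__ == "__main__":
    for pid, why in detect_certutil_rundll32_chain(EVENTS):
        print(pid, why)
```

The same function runs unchanged over Sysmon Event ID 1 or EDR process-create records once they are mapped onto ProcEvent; the decode-to-load link (finding 2) is the high-confidence signal, while findings 1 and 4 on their own are worth a hunt query rather than an alert.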
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\womanlypoor.bat
| MD5 | 5691f001d9a83639c5f6fed3e999e090 |
| SHA1 | 2ba3ef2e2cca6dfdf154b0565901b4da5833cab9 |
| SHA256 | 7780f61445e2a2ca907d5f1292a02da7753c8959902ea54b1e4bc5bdb655d95e |
| SHA512 | 9a3188340367feab9734c183a7c43cc98a7de149ecfe3bff27e73de717d9826aa5eab1ab4f532ebcbb43a362f274866bf342c3896fa52d56659daca5daa9eb65 |
C:\Users\Admin\comfortablesteer
| MD5 | 7a91573a5cb5b3d5e556a73b941e7a61 |
| SHA1 | a5706eda70203aa7c94cf5b64ef85fdaed911042 |
| SHA256 | 6a77f1e14cdd5f82663142d6fe336352214711430ab2cc927400478bd0bb3a0c |
| SHA512 | d2ec3667f14e89966ef1f7fc8b84d4e9832a1ed97c610de7a076d3ba9bb69af12e7815b0fde544e77ee36b7b1a52f6522122173798a6630c0f82263970e7e98b |
C:\Users\Admin\scorchapparatus.dll
| MD5 | 7d19af9fe28f09457ea7298f66209d87 |
| SHA1 | df12676dd52ebb819f80e4bf8d065b4a2052fa25 |
| SHA256 | 8c02f8457ae523721015fef6ee912fa55bda6251498f93a5d3c35cbddf34ac6a |
| SHA512 | c336122f9a37e5e3c23ee7a2278e01b70fd09280110e62617546014cf0ea48647b231bbfb82854b98f194cea6f59f8c79c531c0b34f7d6001fa2c15d43b865fc |
memory/5036-1776-0x00007FFECC670000-0x00007FFECC7BA000-memory.dmp
memory/5036-1777-0x0000023E11A60000-0x0000023E11A83000-memory.dmp