Analysis Overview
SHA256
85e86cbf51a56f65c49fc944cf1feb52a6d016ebbec2c03d98729fad831f8369
Threat Level: Known bad
The file quisisana-ag.zip was found to be: Known bad.
Malicious Activity Summary
Strela
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-05 05:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-05 05:30
Reported
2024-02-05 05:33
Platform
win7-20231215-en
Max time kernel
117s
Max time network
120s
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\427_20110203210461.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\427_20110203210461.js" "C:\Users\Admin\\flameremind.bat" && "C:\Users\Admin\\flameremind.bat"
C:\Windows\system32\findstr.exe
findstr /V militaryaberrant ""C:\Users\Admin\\flameremind.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode shutlowly milkceaseless.dll
C:\Windows\system32\rundll32.exe
rundll32 milkceaseless.dll,main
Network
Files
C:\Users\Admin\flameremind.bat
C:\Users\Admin\flameremind.bat
C:\Users\Admin\shutlowly
C:\Users\Admin\milkceaseless.dll
\Users\Admin\milkceaseless.dll
\Users\Admin\milkceaseless.dll
\Users\Admin\milkceaseless.dll
\Users\Admin\milkceaseless.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-05 05:30
Reported
2024-02-05 05:33
Platform
win10v2004-20231222-en
Max time kernel
145s
Max time network
146s
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5116 wrote to memory of 4504 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 5116 wrote to memory of 4504 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4504 wrote to memory of 4380 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4504 wrote to memory of 4380 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4504 wrote to memory of 1104 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4504 wrote to memory of 1104 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4504 wrote to memory of 1248 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 4504 wrote to memory of 1248 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\427_20110203210461.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\427_20110203210461.js" "C:\Users\Admin\\flameremind.bat" && "C:\Users\Admin\\flameremind.bat"
C:\Windows\system32\findstr.exe
findstr /V militaryaberrant ""C:\Users\Admin\\flameremind.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode shutlowly milkceaseless.dll
C:\Windows\system32\rundll32.exe
rundll32 milkceaseless.dll,main
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\flameremind.bat
C:\Users\Admin\flameremind.bat
C:\Users\Admin\shutlowly
C:\Users\Admin\milkceaseless.dll
C:\Users\Admin\milkceaseless.dll