Analysis Overview
SHA256
8ca6dc7fcf25e0e7d4a521d35ec27d08fd5b2832f06f2aa32b52b36b69f47c8c
Threat Level: Known bad
The file quisisana-ag.zip was found to be: Known bad.
Malicious Activity Summary
Strela
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-06 16:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-06 16:53
Reported
2024-02-06 16:56
Platform
win7-20231215-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js" "C:\Users\Admin\\yelltame.bat" && "C:\Users\Admin\\yelltame.bat"
C:\Windows\system32\findstr.exe
findstr /V complexsugar ""C:\Users\Admin\\yelltame.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode cherryargument high-pitchedhandsomely.dll
C:\Windows\system32\cmd.exe
cmd /C rundll32 high-pitchedhandsomely.dll,main
C:\Windows\system32\rundll32.exe
rundll32 high-pitchedhandsomely.dll,main
Network
Files
C:\Users\Admin\yelltame.bat
| Hash | Value |
| --- | --- |
| MD5 | 9d68a860c54584dd2d52f465160ee6ad |
| SHA1 | 42270d711512467421fd9f15530a70476f383172 |
| SHA256 | cf66b2a95512490b690794f70d6c847aa8047bee3975c1eb46a7a892f74b9cff |
| SHA512 | 352838f21a3664f308327c3e9e7f318d3af3480f0fcf952c2ae9cbd647826baf29274db0545822ff13365271ae2638f3a7b662caf40744b14cf6502abbad0539 |
C:\Users\Admin\cherryargument
| Hash | Value |
| --- | --- |
| MD5 | e0ab76e2f14e9a8d3314f0d88924c318 |
| SHA1 | debed77dc28f418fa1d4d3c76d11f543cd75ce73 |
| SHA256 | ea11fda572f1131a0e002d3475324411aee6c8760ac69e7118f13170521913ca |
| SHA512 | e978e6f237aff763f8a87f6fc81c6f82bd98afdf210c3f4d2fa88df06ac0d2d421cbbc845d40ff2441a725d0392ecc8e0d0daeac48d49cad6d3cf5a1c08d91ac |
C:\Users\Admin\high-pitchedhandsomely.dll
| Hash | Value |
| --- | --- |
| MD5 | 7510774ef92e9c6a391b92a0bd3f408b |
| SHA1 | 741652f31e83c6ed6908ed4e0cfc46f79451d985 |
| SHA256 | 4254817a71122bb75a09cfa918c3a5c8fac4b44c2073cb5f62f25931531c739c |
| SHA512 | a5a6a058975bdef39be187104895be1656ee8547abd9cdbe0713cf4f7a7f92e5f5c901edf7ba4dd18bd6a9e65631e64f73a681ab3563f8eed00381c257b32264 |
memory/1952-201-0x000007FEF76D0000-0x000007FEF7711000-memory.dmp
memory/1952-202-0x0000000000110000-0x0000000000133000-memory.dmp
memory/1952-203-0x0000000000110000-0x0000000000133000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-06 16:53
Reported
2024-02-06 16:56
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
123s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js" "C:\Users\Admin\\yelltame.bat" && "C:\Users\Admin\\yelltame.bat"
C:\Windows\system32\findstr.exe
findstr /V complexsugar ""C:\Users\Admin\\yelltame.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode cherryargument high-pitchedhandsomely.dll
C:\Windows\system32\cmd.exe
cmd /C rundll32 high-pitchedhandsomely.dll,main
C:\Windows\system32\rundll32.exe
rundll32 high-pitchedhandsomely.dll,main
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\yelltame.bat
| Hash | Value |
| --- | --- |
| MD5 | 9d68a860c54584dd2d52f465160ee6ad |
| SHA1 | 42270d711512467421fd9f15530a70476f383172 |
| SHA256 | cf66b2a95512490b690794f70d6c847aa8047bee3975c1eb46a7a892f74b9cff |
| SHA512 | 352838f21a3664f308327c3e9e7f318d3af3480f0fcf952c2ae9cbd647826baf29274db0545822ff13365271ae2638f3a7b662caf40744b14cf6502abbad0539 |
C:\Users\Admin\cherryargument
| Hash | Value |
| --- | --- |
| MD5 | e0ab76e2f14e9a8d3314f0d88924c318 |
| SHA1 | debed77dc28f418fa1d4d3c76d11f543cd75ce73 |
| SHA256 | ea11fda572f1131a0e002d3475324411aee6c8760ac69e7118f13170521913ca |
| SHA512 | e978e6f237aff763f8a87f6fc81c6f82bd98afdf210c3f4d2fa88df06ac0d2d421cbbc845d40ff2441a725d0392ecc8e0d0daeac48d49cad6d3cf5a1c08d91ac |
C:\Users\Admin\high-pitchedhandsomely.dll
| Hash | Value |
| --- | --- |
| MD5 | 7510774ef92e9c6a391b92a0bd3f408b |
| SHA1 | 741652f31e83c6ed6908ed4e0cfc46f79451d985 |
| SHA256 | 4254817a71122bb75a09cfa918c3a5c8fac4b44c2073cb5f62f25931531c739c |
| SHA512 | a5a6a058975bdef39be187104895be1656ee8547abd9cdbe0713cf4f7a7f92e5f5c901edf7ba4dd18bd6a9e65631e64f73a681ab3563f8eed00381c257b32264 |
memory/4820-198-0x00007FFED12E0000-0x00007FFED1321000-memory.dmp
memory/4820-199-0x000002A53F2B0000-0x000002A53F2D3000-memory.dmp