Analysis Overview
SHA256
b7b12febaaca57c9e2eb77a602091823673e44cdc104ec31f053fd80f1c4c9bf
Threat Level: Known bad
The file XDR_ResponseApp_CollectFile_RM-20240219-00004_91d04b38-9cf1-40cb-bcaa-7774254ddf2d_20240219T145443Z.7z was found to be: Known bad.
Malicious Activity Summary
Strela
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-19 16:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-19 16:59
Reported
2024-02-19 17:02
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
199s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\12843_12787719123142.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\12843_12787719123142.js" "C:\Users\Admin\\hardgorgeous.bat" && "C:\Users\Admin\\hardgorgeous.bat"
C:\Windows\system32\findstr.exe
findstr /V ultrasilver ""C:\Users\Admin\\hardgorgeous.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode tacitcarriage clubadventurous.dll
C:\Windows\system32\rundll32.exe
rundll32 clubadventurous.dll,main
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\wscript.exe
wscript.exe
C:\Windows\System32\wscript.exe
C:\Windows\System32\wscript.exe "C:\Users\Admin\AppData\Local\Temp\12843_12787719123142.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.81.204.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\hardgorgeous.bat
| Hash | Value |
| --- | --- |
| MD5 | f8486079374c877838105e2abee989ea |
| SHA1 | 42492020df4f434b815ba4a4805f29a986f6b797 |
| SHA256 | 0747d133621a738dfb820f8d895903b29261da67e664380d2a914441463d27ed |
| SHA512 | 7d42acf7a0c0632d4f2917c654878b2bea7b49e49a49d928cad1548e4e92b2b8ae89d0f9b0da50184ae6d4c123625436fb0ae676bdb36849c7800e39fe54e7cf |
C:\Users\Admin\tacitcarriage
| Hash | Value |
| --- | --- |
| MD5 | 9f2d966e15473fbdd5777a10e0feb621 |
| SHA1 | 239e9d101b5daa4ff42fbc3c254d17011b3ca076 |
| SHA256 | 558e81e42c38f21889374c64c8b5bd2ccdd6c541f801deb14b7cb883442599cb |
| SHA512 | 717067edee06b410aef765c564e59f9a450296544918a05263f8f4e5c59979208b8871ef82343a416d68470e10de03d93cb69c61a287a2bf6d2a769127dfed72 |
C:\Users\Admin\clubadventurous.dll
| Hash | Value |
| --- | --- |
| MD5 | dbadec458fa715463aa3a94e48e44d96 |
| SHA1 | 20ec3cbf9c6be6dea074fc92f396a6eb4f811963 |
| SHA256 | fdebb69b03f80d35557f73187616e510c62710ff2e95c4d6281eb0fc71f63d14 |
| SHA512 | c97448e76bf4a03ef2b64c11f2fed33159b3f8874c9306fad804d260c3655b27a49735247a2a134a6ed9fd44628484549514ddeb9e0ef9897cc99d327468a6ed |
memory/804-1554-0x000001DA7EA90000-0x000001DA7EAB3000-memory.dmp
memory/804-1553-0x00007FFDC7AB0000-0x00007FFDC7BE0000-memory.dmp