Analysis Overview
SHA256
12572cb7b186f8ab42369828e636bf1b14100b53e57569d82d690838c112a9e9
Threat Level: Known bad
The file kroschke.zip was found to be: Known bad.
Malicious Activity Summary
Strela
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-26 11:45
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2023-10-26 11:45
Reported
2023-10-26 11:48
Platform
win7-20231020-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js" "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat" && "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat"
C:\Windows\system32\findstr.exe
findstr /V elitecow ""C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode absorbingworkable parsimoniousdidactic.dll
C:\Windows\system32\regsvr32.exe
regsvr32 parsimoniousdidactic.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\honorablebutter.bat
| MD5 | 4ba46eb8264924a7c2b426f585d1c2c3 |
| SHA1 | 8fbc96590228889f0b4436b24b0936f00dd7c3f3 |
| SHA256 | 9ee367357fb17e39d97f13914e511ed6387b461d2beb14c9acb3d8a04ac92b70 |
| SHA512 | 3eae19048e2c45fb95b33b86a4b0777e60088c70d6984b06abc282ad4b328ca30d7c0128b4faedc3268cc30782289bae2c487bdb2ff8ed1e44256a015811f986 |
C:\Users\Admin\AppData\Local\Temp\absorbingworkable
| MD5 | 0ef6ff6531a33e068f6167c80d8a332a |
| SHA1 | 47eed73820d55ff30571ede08c12adf5900f87f4 |
| SHA256 | 5e294ba7f829f0a3e8667c785c51594445b79d10aabde031f7dba0e5b8d8dcc4 |
| SHA512 | f44cd161c5e4699049af624ce30879ef3d54193020a9d8a11ebd3f06874b828cb4248732e2c0dea0832884e1864c1396cdbba6abf70e3bbbd01fe8ae01f0655b |
C:\Users\Admin\AppData\Local\Temp\parsimoniousdidactic.dll
| MD5 | 344de2ad2b2e208ff24808486f32a99c |
| SHA1 | 9802a9af76cb2816a995213da7fdd7d416b29e47 |
| SHA256 | 2f33c537e2c5f63e3f856b2814afb21e53081d7ae29f57d37dd26c10250c426e |
| SHA512 | f86ed7addc42b43f3c99e60be97adce3c9e421398e38cac85d6a8bc165ea4efd3d3280e0441727ecd174cb68890734fb817cb6db905bf919edf6e72150bbae4a |
\Users\Admin\AppData\Local\Temp\parsimoniousdidactic.dll
| MD5 | 344de2ad2b2e208ff24808486f32a99c |
| SHA1 | 9802a9af76cb2816a995213da7fdd7d416b29e47 |
| SHA256 | 2f33c537e2c5f63e3f856b2814afb21e53081d7ae29f57d37dd26c10250c426e |
| SHA512 | f86ed7addc42b43f3c99e60be97adce3c9e421398e38cac85d6a8bc165ea4efd3d3280e0441727ecd174cb68890734fb817cb6db905bf919edf6e72150bbae4a |
memory/1488-9698-0x00000000001A0000-0x00000000001C1000-memory.dmp
memory/1488-9699-0x000000006D7C0000-0x000000006DB41000-memory.dmp
memory/1488-9700-0x00000000001A0000-0x00000000001C1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-10-26 11:45
Reported
2023-10-26 11:48
Platform
win10v2004-20231023-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 384 wrote to memory of 2068 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 384 wrote to memory of 2068 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 2068 wrote to memory of 2720 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 2068 wrote to memory of 2720 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 2068 wrote to memory of 3920 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 2068 wrote to memory of 3920 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 2068 wrote to memory of 4120 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
| PID 2068 wrote to memory of 4120 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js" "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat" && "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat"
C:\Windows\system32\findstr.exe
findstr /V elitecow ""C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode absorbingworkable parsimoniousdidactic.dll
C:\Windows\system32\regsvr32.exe
regsvr32 parsimoniousdidactic.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.111.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\honorablebutter.bat
| MD5 | 4ba46eb8264924a7c2b426f585d1c2c3 |
| SHA1 | 8fbc96590228889f0b4436b24b0936f00dd7c3f3 |
| SHA256 | 9ee367357fb17e39d97f13914e511ed6387b461d2beb14c9acb3d8a04ac92b70 |
| SHA512 | 3eae19048e2c45fb95b33b86a4b0777e60088c70d6984b06abc282ad4b328ca30d7c0128b4faedc3268cc30782289bae2c487bdb2ff8ed1e44256a015811f986 |
C:\Users\Admin\AppData\Local\Temp\absorbingworkable
| MD5 | 0ef6ff6531a33e068f6167c80d8a332a |
| SHA1 | 47eed73820d55ff30571ede08c12adf5900f87f4 |
| SHA256 | 5e294ba7f829f0a3e8667c785c51594445b79d10aabde031f7dba0e5b8d8dcc4 |
| SHA512 | f44cd161c5e4699049af624ce30879ef3d54193020a9d8a11ebd3f06874b828cb4248732e2c0dea0832884e1864c1396cdbba6abf70e3bbbd01fe8ae01f0655b |
C:\Users\Admin\AppData\Local\Temp\parsimoniousdidactic.dll
| MD5 | 344de2ad2b2e208ff24808486f32a99c |
| SHA1 | 9802a9af76cb2816a995213da7fdd7d416b29e47 |
| SHA256 | 2f33c537e2c5f63e3f856b2814afb21e53081d7ae29f57d37dd26c10250c426e |
| SHA512 | f86ed7addc42b43f3c99e60be97adce3c9e421398e38cac85d6a8bc165ea4efd3d3280e0441727ecd174cb68890734fb817cb6db905bf919edf6e72150bbae4a |
memory/4120-9699-0x000000006D7C0000-0x000000006DB41000-memory.dmp
memory/4120-9698-0x00000000005C0000-0x00000000005E1000-memory.dmp
memory/4120-9700-0x00000000005C0000-0x00000000005E1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-26 11:45
Reported
2023-10-26 11:48
Platform
win7-20231025-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\kroschke.zip
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-26 11:45
Reported
2023-10-26 11:48
Platform
win10v2004-20231023-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\kroschke.zip
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp |