Analysis Overview
SHA256
cd9975d1ae504146c3b5a8f80097b89616ea752b88d43d474b44ea4cbd4909f6
Threat Level: Known bad
The file saarbrueckerzeitung.zip was found to be: Known bad.
Malicious Activity Summary
Strela
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-12 10:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-12 10:31
Reported
2024-01-12 10:34
Platform
win7-20231215-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js" "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat" && "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat"
C:\Windows\system32\findstr.exe
findstr /V formfamiliar ""C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode jellyfascinated pastoraldisturbed.dll
C:\Windows\system32\cmd.exe
cmd /c rundll32 pastoraldisturbed.dll,x
C:\Windows\system32\rundll32.exe
rundll32 pastoraldisturbed.dll,x
Network
Files
C:\Users\Admin\AppData\Local\Temp\rhythmmask.bat
| MD5 | a3134285c9755a420030fc7622e231e1 |
| SHA1 | eae99bc500c42855c20852865a1dec2f3dfff4d0 |
| SHA256 | a9a57b924cfe5f9fe8df1eb5fcc94ef1d4644c3fdc78e5630ed286e479fde3d4 |
| SHA512 | be70a5a2132a49a866736dbac9680aeeeff7284fe7f684802f6dfb7aee9942bf347e2901f9c79ebe14ecc9e5e2a23227ddb8439f993d0528148f78b8fdac75b3 |
C:\Users\Admin\AppData\Local\Temp\rhythmmask.bat
| MD5 | 0a2442a55a7c864f5521f77692123503 |
| SHA1 | f13f71c1ae76f37aa764baf9116424c9ee6c2bab |
| SHA256 | b73e9d1ef20dc259a939b0156bdef390b7b06791726d7c39e68e0bd4d138f8da |
| SHA512 | fb275a65ed287b8f5ffc10576015e45ed1770dae74846e5cdf98e680a51b915791b79e48bf3dbbbaf9bef652220f662603bcc684f89ef37354022f1d561f335b |
C:\Users\Admin\AppData\Local\Temp\jellyfascinated
| MD5 | d13b3301032f805c7ef6c4db65ab7517 |
| SHA1 | e41ef07de3d051e5b48e26e3ee9bef3655df2b1c |
| SHA256 | 7535ebd4df3bd62a496c03ba8cf206a90975617822509bb1dbd3201898b1f542 |
| SHA512 | 099f1aad424a74cbc4ebe76356be6370796ad26ecf3eb9e212df8e100fadc00eff5dc8e3b1376f2a8d683a904d7b22394c1420a42bf6be8f843cce4e1c06fd17 |
C:\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll
| MD5 | d49ebbe435403196599ac66609fb9ed6 |
| SHA1 | 0078e421e01c7dd1f0a07b02ce81acfb8a814996 |
| SHA256 | 5bf9a3416abddcb0761f9dae2512ac2d840d23f1b3ae870fef73dd249c48a26b |
| SHA512 | d7b129a10c6f4792302178a8799b7bd9b3197b1548a1fa35817f0671bdef8088f3c50dc894615b9b8fddc5deadb30ea2db8665e53d5f40bf79a15a79391285bf |
\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll
| MD5 | a3d946e2257b73855ec73e7e88f678ec |
| SHA1 | 59f744b63e0b7b3f96a3fd547e1f3ee2f55264e3 |
| SHA256 | b7d09a665f1cef173b356cb5e247e8772191509aeb4bb9207702a7086772a5fa |
| SHA512 | 73c0fd2834f19f4195163f79f1b5d7087e65897ae1fc4371bf9f565ae7128d518f702b435b41b5a87687f0b3aba47f77bf26660db5b13a94418a298a77887802 |
\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll
| MD5 | 6614f476fb63899ad46ba6a16d63acdf |
| SHA1 | 7893c04aab53ed46bb619d9daa09d3eea6d13b27 |
| SHA256 | 2efc86df4c610345726344329166b23c603ad65d4f4568dafc2be4ae87f487d7 |
| SHA512 | 5690dd8ace834d17d76f20935de9e0efea60233ca498f15bebd8a74e9a75098b99f0763ace1f81631e0dc8bb9b5a7124cce126b51c508d439ca53d3d48684d53 |
\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll
| MD5 | 36300033218ae6f442138fa587d16fa8 |
| SHA1 | c7f7d45b26844016feebd482849e04117508492e |
| SHA256 | a879db27e8045ea131a84cb620062b16420393a3503432efd3bbab7c03135140 |
| SHA512 | 45738d3ac27834fde52fcd4fb232eb1abbfa8b60f44cc6aa107bddd852cddaafc33a3980d347a119238295bd0bf0e031eba22b3ff0aaf65e7b551475f9dc4732 |
\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll
| MD5 | a9e2379ab5ea2bf143d3a6c1fc32cae2 |
| SHA1 | 0168e1e0824a3034043aac75e3181cc4d2bcd3cc |
| SHA256 | ebec35dbc6046aea1baa205c83eca4cb34c914481845c1d61c94721e8b20a5fb |
| SHA512 | b260f2eed9778951087741a2b8ead05c234eaf7e32afa966740f6b13ad1bb4a1ae79c0494c55baeeeec7df8dfaa28d749f3d8f208739da6e748100f15527b166 |
memory/1728-6837-0x000007FEF57B0000-0x000007FEF5B95000-memory.dmp
memory/1728-6838-0x0000000000100000-0x0000000000121000-memory.dmp
memory/1728-6839-0x0000000000100000-0x0000000000121000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-12 10:31
Reported
2024-01-12 10:34
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 392 wrote to memory of 4672 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 392 wrote to memory of 4672 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4672 wrote to memory of 3444 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4672 wrote to memory of 3444 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4672 wrote to memory of 2416 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4672 wrote to memory of 2416 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4672 wrote to memory of 1760 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 4672 wrote to memory of 1760 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1760 wrote to memory of 772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1760 wrote to memory of 772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js" "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat" && "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat"
C:\Windows\system32\findstr.exe
findstr /V formfamiliar ""C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode jellyfascinated pastoraldisturbed.dll
C:\Windows\system32\rundll32.exe
rundll32 pastoraldisturbed.dll,x
C:\Windows\system32\cmd.exe
cmd /c rundll32 pastoraldisturbed.dll,x
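The process list above is the whole infection chain in six command lines: wscript runs the .js, cmd copies that .js to a .bat and executes it, findstr /V strips the lines carrying the marker `formfamiliar`, certutil base64-decodes the carved blob into a DLL, and rundll32 loads the DLL by relative path and calls export `x`. The following detection logic is an added example, not part of the sandbox report or the Strela sample: it replays constructed process-creation events built from this list (PIDs taken from the WriteProcessMemory table in behavioral2; wscript's own parent PID 1000 and the benign certutil control are assumed) and flags each stage, then ties the certutil output file to the module rundll32 loads within the same process tree.

```python
"""Flag the wscript -> cmd -> findstr/certutil -> rundll32 dropper chain from
process-creation telemetry (field layout mimics Sysmon Event ID 1)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    stage: str
    technique: str
    detail: str
    artifact: str = ""  # file name the stage produced or consumed


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
ABSOLUTE = re.compile(r"^(?:[a-z]:\\|\\\\)", re.I)

# Constructed from the behavioral2 process list. PIDs come from the report's
# WriteProcessMemory table; wscript's parent (1000) and the last, benign
# certutil invocation are assumptions added for the example.
EVENTS = [
    ProcEvent(392, 1000, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js"),
    ProcEvent(4672, 392, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js" '
              r'"C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat" && "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat"'),
    ProcEvent(3444, 4672, r"C:\Windows\system32\findstr.exe",
              r'findstr /V formfamiliar ""C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat""'),
    ProcEvent(2416, 4672, r"C:\Windows\system32\certutil.exe",
              "certutil -f -decode jellyfascinated pastoraldisturbed.dll"),
    ProcEvent(1760, 4672, r"C:\Windows\system32\cmd.exe", "cmd /c rundll32 pastoraldisturbed.dll,x"),
    ProcEvent(772, 1760, r"C:\Windows\system32\rundll32.exe", "rundll32 pastoraldisturbed.dll,x"),
    ProcEvent(900, 1000, r"C:\Windows\system32\certutil.exe", "certutil -verify -urlfetch cert.cer"),
]


def base(image: str) -> str:
    return ntpath.basename(image).lower()


def check_event(ev: ProcEvent, by_pid: dict) -> list:
    """Independent per-process heuristics, one per stage of the chain."""
    out, exe, cmd = [], base(ev.image), ev.cmdline
    parent = by_pid.get(ev.ppid)

    # Stage 1: cmd spawned by a script host copies the .js to a .bat and then runs
    # that .bat, i.e. the same file is re-interpreted by a second interpreter.
    if exe == "cmd.exe" and parent and base(parent.image) in SCRIPT_HOSTS:
        m = re.search(r'copy\s+"?([^"\s]+\.js)"?\s+"?([^"\s]+\.bat)"?', cmd, re.I)
        if m and ntpath.basename(m.group(2)) in cmd[m.end():]:
            bat = ntpath.basename(m.group(2))
            out.append(Finding(ev.pid, "relocate", "T1059.007", f"script copied to {bat} and executed", bat))

    # Stage 2: findstr /V drops every line containing a marker, carving the
    # encoded payload out of the script's own body.
    if exe == "findstr.exe":
        m = re.search(r'/V\s+(\S+)\s+"*(\S+?\.(?:bat|js|cmd))"*', cmd, re.I)
        if m:
            src = ntpath.basename(m.group(2))
            out.append(Finding(ev.pid, "carve", "T1140", f"marker {m.group(1)!r} stripped from {src}", src))

    # Stage 3: certutil used as a base64 decoder; a PE-named output is the
    # strongest signal. Flags may appear in any order, as in '-f -decode'.
    if exe == "certutil.exe":
        toks = cmd.split()
        flags = {t.lower() for t in toks[1:] if t[:1] in "-/"}
        args = [t for t in toks[1:] if t[:1] not in "-/"]
        if flags & {"-decode", "-decodehex", "/decode", "/decodehex"} and len(args) >= 2:
            dst = ntpath.basename(args[-1]).lower()
            sev = "high" if dst.endswith((".dll", ".exe")) else "medium"
            out.append(Finding(ev.pid, "decode", "T1140", f"{sev}: decoded {args[-2]} -> {args[-1]}", dst))

    # Stage 4: rundll32 given a module by relative path (resolved against the
    # current directory, here %TEMP%) or from a user-writable location.
    if exe == "rundll32.exe":
        m = re.match(r'\S+\s+"?([^",]+)"?,(\S+)', cmd)
        if m:
            dll, export = m.group(1), m.group(2)
            if not ABSOLUTE.match(dll) or USER_WRITABLE.search(dll):
                out.append(Finding(ev.pid, "load", "T1218.011",
                                   f"rundll32 loaded {dll} export {export} from an untrusted path",
                                   ntpath.basename(dll).lower()))
    return out


def root_of(pid: int, by_pid: dict) -> int:
    """Walk up to the top-most ancestor present in the event set."""
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def analyse(events: list) -> list:
    by_pid = {e.pid: e for e in events}
    findings = [f for e in events for f in check_event(e, by_pid)]
    # Chain rule: the file certutil wrote is the module rundll32 loads, and both
    # processes descend from the same root. This is what separates the dropper
    # from an admin who happens to run certutil -decode somewhere else.
    decoded = {(root_of(f.pid, by_pid), f.artifact): f.pid for f in findings if f.stage == "decode"}
    for f in [f for f in findings if f.stage == "load"]:
        key = (root_of(f.pid, by_pid), f.artifact)
        if key in decoded:
            findings.append(Finding(f.pid, "chain", "T1140+T1218.011",
                                    f"PID {decoded[key]} decoded {f.artifact}, PID {f.pid} ran it via rundll32",
                                    f.artifact))
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"PID {f.pid:>5}  {f.stage:<8} {f.technique:<16} {f.detail}")
```

Every row in the WriteProcessMemory table pairs a process with the child it launched (wscript to cmd, cmd to findstr, certutil and cmd, the inner cmd to rundll32), so in this report that signature reflects process creation rather than injection into an unrelated process; the chain rule above is what carries the actual signal.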
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 96.17.178.211:80 | N/A | tcp |
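Almost everything in this table is reverse (PTR) lookups sent to 8.8.8.8 plus a named connection to tse1.mm.bing.net, which is ordinary Windows 10 background traffic rather than something the sample did. The one endpoint with no name behind it, 96.17.178.211:80, is the only row worth pivoting on. The script below is an added example, not part of the report: it parses a few rows copied from the table above (including the two malformed ones, so the parser has to tolerate missing cells), decodes the PTR names back to addresses, and lists the TCP connections that have no forward lookup anywhere in the table.

```python
"""Separate sample-attributable traffic from resolver noise in a sandbox network table."""
import re

# Constructed from the behavioral2 network table, keeping its two malformed rows
# (one with an empty domain cell, one with a column missing).
ROWS = """\
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| N/A | 96.17.178.211:80 | tcp |
"""

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_rows(text):
    """Yield (dest_ip, port, domain_or_None, proto) per row, whatever the column count."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        dest = next((c for c in cells if ENDPOINT.match(c)), None)
        proto = next((c for c in cells if c.lower() in ("tcp", "udp")), None)
        if not dest or not proto:
            continue
        rest = [c for c in cells if c not in (dest, proto) and c.upper() not in ("", "N/A")]
        # After the country code, the only remaining cell with a dot is the name.
        domain = next((c for c in rest if "." in c), None)
        ip, port = ENDPOINT.match(dest).groups()
        yield ip, int(port), domain, proto.lower()


def ptr_target(name):
    """'200.197.79.204.in-addr.arpa' -> '204.79.197.200'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(text):
    dns_names, ptr_ips, conns = set(), set(), []
    for ip, port, domain, proto in parse_rows(text):
        if proto == "udp" and port == 53:
            if domain is None:
                continue  # truncated row: a query whose name did not survive
            if domain.endswith(".in-addr.arpa"):
                ptr_ips.add(ptr_target(domain))
            else:
                dns_names.add(domain.lower())
        else:
            conns.append((ip, port, domain))
    # A connection is explained by name if the table shows that name being
    # resolved; one with no forward lookup at all is the pivot candidate.
    unresolved = sorted({f"{ip}:{port}" for ip, port, d in conns
                         if d is None or d.lower() not in dns_names})
    return {
        "forward_lookups": sorted(dns_names),
        "ptr_lookups": sorted(ptr_ips),
        "connections": sorted({f"{ip}:{port}" for ip, port, _ in conns}),
        "unresolved_connections": unresolved,
        "ptr_for_connection": sorted({ip for ip, _, _ in conns if ip in ptr_ips}),
    }


if __name__ == "__main__":
    for key, value in triage(ROWS).items():
        print(f"{key:<24} {value}")
```

The PTR lookups are only informative when one of them decodes to an address the host also connected to (here 204.79.197.200, the bing.net endpoint); a PTR name on its own does not mean the sample contacted that address.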
Files
C:\Users\Admin\AppData\Local\Temp\rhythmmask.bat
| MD5 | a3134285c9755a420030fc7622e231e1 |
| SHA1 | eae99bc500c42855c20852865a1dec2f3dfff4d0 |
| SHA256 | a9a57b924cfe5f9fe8df1eb5fcc94ef1d4644c3fdc78e5630ed286e479fde3d4 |
| SHA512 | be70a5a2132a49a866736dbac9680aeeeff7284fe7f684802f6dfb7aee9942bf347e2901f9c79ebe14ecc9e5e2a23227ddb8439f993d0528148f78b8fdac75b3 |
C:\Users\Admin\AppData\Local\Temp\jellyfascinated
| MD5 | f25ccc6a8ea2939b56ba49c565315a09 |
| SHA1 | dd7e6834d648fc6e23a4e786f663f6b8956822a0 |
| SHA256 | 650cf0f80f4a18c0ace89fcc09782c2cfbe3c5b4326dc30e731bf06325fbeee3 |
| SHA512 | d9da2bff35c1362b4b6422bc17ae8b5f264a697d0d4af9c3c8d8f7bcce8b327e994399f9fa619e9f63c66d505da73232c0832327b3b084c1fe6649f8761aca89 |
C:\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll
| MD5 | 8c895b48f64861004d2b88f62c01822f |
| SHA1 | 00fee5c36ad5037b48d4ed031d485a1a20245258 |
| SHA256 | 20e1ff405cc7cae8fceb2a885198ce75db79f47a1e96972948a17a86ebf31345 |
| SHA512 | bc99b7fb3079bed612f0814267ed7acb6901e4259785abda4cf2e8ab50feb2c6a6012bb403ea521dd478783f76edd0bf2362feceed4bee06287aad55536c4697 |
memory/772-6834-0x00007FF9A8400000-0x00007FF9A87E5000-memory.dmp
memory/772-6835-0x0000015E59720000-0x0000015E59741000-memory.dmp
memory/772-6836-0x0000015E59720000-0x0000015E59741000-memory.dmp