Analysis Overview
SHA256
51fae6ff6a5f204c0255eb45782625d68d18df04cc6318cafa402b0e94766a74
Threat Level: Known bad
The file 30012024_1906_korgmore.zip was found to be: Known bad.
Malicious Activity Summary
Strela
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-30 11:05
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-30 11:05
Reported
2024-01-30 11:08
Platform
win7-20231215-en
Max time kernel
122s
Max time network
126s
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\147981734725653.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\147981734725653.js" "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat" && "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NUL
C:\Windows\system32\findstr.exe
findstr /V stickykick ""C:\Users\Admin\AppData\Local\Temp\\killwindow.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode economicknife playgroundstructure.dll
C:\Windows\system32\rundll32.exe
rundll32 playgroundstructure.dll,m
C:\Windows\system32\cmd.exe
cmd /c rundll32 playgroundstructure.dll,m
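The process list above is the complete staging chain: wscript.exe runs the .js, cmd.exe copies it to killwindow.bat and runs the copy as a batch file, findstr /V drops every line containing stickykick (presumably the script's own lines, since whatever survives must be clean base64 for the next step to work), certutil -f -decode turns the remainder into playgroundstructure.dll, and rundll32 calls its export m. The Python below is an added example, not part of the sandbox report: it reproduces the findstr and certutil steps offline so the DLL can be carved out of the script without detonating it. The report gives command lines but not file contents, so the polyglot text and the "DLL" bytes are constructed stand-ins; on the real sample, compare the SHA256 of the recovered file with the cce183b5... hash listed under Files.

```python
"""Carve the staged DLL out of a findstr/certutil polyglot without running it.

Added example, not from the sandbox report. build_polyglot() emits a
CONSTRUCTED script laid out the way the recorded command lines imply (script
lines tagged with the marker, payload lines plain base64); FAKE_DLL is a
stand-in, not the real playgroundstructure.dll.
"""
import base64
import hashlib

MARKER = "stickykick"

# Constructed stand-in for the dropped DLL: an MZ header plus filler bytes.
FAKE_DLL = b"MZ" + bytes(range(256)) * 2


def build_polyglot(payload: bytes, marker: str) -> str:
    """Constructed JS/BAT-style text: every executable line carries the marker
    so that `findstr /V marker` removes it and only base64 lines remain."""
    b64 = base64.b64encode(payload).decode()
    payload_lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    script_lines = [
        f"// {marker}: loader stub (constructed, not the real sample's JS)",
        f"var {marker} = 1;",
        f"@echo off & rem {marker}",
        f"findstr /V {marker} \"%~f0\" > economicknife & rem {marker}",
        f"certutil -f -decode economicknife playgroundstructure.dll & rem {marker}",
        f"cmd /c rundll32 playgroundstructure.dll,m & rem {marker}",
    ]
    return "\r\n".join(script_lines + payload_lines) + "\r\n"


def findstr_v(text: str, marker: str) -> str:
    """Emulate `findstr /V marker file`: keep only the lines that do NOT
    contain the marker (findstr matches case-sensitively by default)."""
    kept = [ln for ln in text.splitlines() if marker not in ln]
    return "\r\n".join(kept) + "\r\n"


def certutil_decode(text: str) -> bytes:
    """Approximate `certutil -decode`: tolerate PEM BEGIN/END header lines and
    whitespace, then strictly base64-decode what is left. Any other stray text
    is an error here, as it is for certutil."""
    body = "".join(
        ln.strip() for ln in text.splitlines()
        if ln.strip() and not ln.strip().startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def recover_payload(polyglot: str, marker: str = MARKER) -> bytes:
    """findstr /V followed by certutil -decode, exactly as the batch file does."""
    return certutil_decode(findstr_v(polyglot, marker))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    poly = build_polyglot(FAKE_DLL, MARKER)
    dll = recover_payload(poly)
    print(f"recovered {len(dll)} bytes, MZ={dll[:2] == b'MZ'}, sha256={sha256_hex(dll)}")
```

To use it on the real dropped file, read killwindow.bat (or the original .js) as text, call recover_payload() with the marker seen in the findstr command line, and check the digest against the report before loading the result into a disassembler. certutil's decoder accepts a PEM-style header but not arbitrary text, so a marker that fails to cover every non-payload line breaks the chain, which is why the filter word is a reliable pivot for hunting other samples of the same builder.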
Network
Files
C:\Users\Admin\AppData\Local\Temp\killwindow.bat
| MD5 | f0aa642d6a0e4a0021bb5a006da8f659 |
| SHA1 | 6da83194b6e3acb7fa7537b179b96c0a21654983 |
| SHA256 | 7b513b60bf0c42e4dea6b545591088954a1ed63348d085cbeee97c03ef163a42 |
| SHA512 | bd023360956eec5c06bd322d52d3881072955f6b22b9e99cdaf4f2a3f726d23e8bab0f3ab85d2bfaafbbfa5c696683026dbd50c7a5849e8aee893083662ae41e |
C:\Users\Admin\AppData\Local\Temp\economicknife
| MD5 | b1eb68af4adfd3c1b2c9bebc96f7476f |
| SHA1 | c0b9a3b8b98a07884d6a200c9f1f4789584efffe |
| SHA256 | 8ef40cddfde7f269cee9d4167f78540c74a5176c11a875d3e139b39d784616d2 |
| SHA512 | 5e9860af3ac660b24a41bbffd3b4b1b6fad213cc22efe7eeb103384e1b237e21f610cec63743f5329a9ad0c4b0452e5bb9eb56ca70a10b7b23240de5f2696bba |
C:\Users\Admin\AppData\Local\Temp\playgroundstructure.dll
| MD5 | 6a1f4bd07b38e35b007978bb130742b5 |
| SHA1 | fa396ca0dcc3738555f07c6ffbcbbd48ab67de92 |
| SHA256 | cce183b5df0c236e4d89fb64d34c35909b7fc04c54b3447340b2c44dd7030593 |
| SHA512 | e9dab28fb33f2cec7dec5332236a55554d5ba6e8eaea92cd7e6b0c47dbce8b08c7b45e4c11abd017f4cddd7930ee7214abefeccecba68362157f24710906b657 |
memory/2504-1789-0x00000000002A0000-0x00000000002C3000-memory.dmp
memory/2504-1788-0x000007FEF70E0000-0x000007FEF71B1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-30 11:05
Reported
2024-01-30 11:08
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
150s
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings | C:\Windows\System32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4812 wrote to memory of 4424 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4812 wrote to memory of 4424 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4424 wrote to memory of 5072 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4424 wrote to memory of 5072 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4424 wrote to memory of 632 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4424 wrote to memory of 632 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 4424 wrote to memory of 3880 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 4424 wrote to memory of 3880 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 3880 wrote to memory of 368 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3880 wrote to memory of 368 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\147981734725653.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\147981734725653.js" "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat" && "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\findstr.exe
findstr /V stickykick ""C:\Users\Admin\AppData\Local\Temp\\killwindow.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode economicknife playgroundstructure.dll
C:\Windows\system32\cmd.exe
cmd /c rundll32 playgroundstructure.dll,m
C:\Windows\system32\rundll32.exe
rundll32 playgroundstructure.dll,m
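The WriteProcessMemory rows in behavioral2 are parent-to-child writes made during process creation (the normal CreateProcess startup write), so their value is the lineage they record: wscript.exe (4812) spawns cmd.exe (4424), which spawns findstr.exe (5072), certutil.exe (632) and cmd.exe (3880), which spawns rundll32.exe (368). The Python below is an added example, not anything from the sandbox or the report: it turns that lineage into detection logic over process-creation events, flagging certutil -decode, findstr /V, and a rundll32 launch of a bare-name DLL with a one- or two-character export whenever a script host is an ancestor. The event records are constructed from the PIDs and command lines above; the explorer-level parent PID 1000, the benign noise processes, and PID 9001 for the Win7 OpenAs_RunDLL line are this example's inventions, and the field names are the example's own, not a vendor schema.

```python
"""Flag the wscript -> cmd -> {findstr, certutil, cmd -> rundll32} staging chain
from process-creation telemetry.

Added example, not part of the sandbox report. EVENTS is CONSTRUCTED in a
Sysmon Event ID 1-like shape from the PIDs and command lines the behavioral2
run recorded; parent PID 1000, the noise rows and PID 9001 are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath  # Windows path handling regardless of the analysis host
import re


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS: List[Proc] = [
    Proc(4812, 1000, r"C:\Windows\system32\wscript.exe",
         r"wscript.exe C:\Users\Admin\AppData\Local\Temp\147981734725653.js"),
    Proc(4424, 4812, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\147981734725653.js" "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat" && "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat"'),
    Proc(5072, 4424, r"C:\Windows\system32\findstr.exe",
         r'findstr /V stickykick ""C:\Users\Admin\AppData\Local\Temp\\killwindow.bat""'),
    Proc(632, 4424, r"C:\Windows\system32\certutil.exe",
         r"certutil -f -decode economicknife playgroundstructure.dll"),
    Proc(3880, 4424, r"C:\Windows\system32\cmd.exe",
         r"cmd /c rundll32 playgroundstructure.dll,m"),
    Proc(368, 3880, r"C:\Windows\system32\rundll32.exe",
         r"rundll32 playgroundstructure.dll,m"),
    # Win7 run's OpenAs_RunDLL line, given a constructed PID and the same parent:
    # a full DLL path and a long export name must NOT trip the rundll32 rule.
    Proc(9001, 4424, r"C:\Windows\system32\rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NUL'),
    # Constructed benign noise: certutil with no script-host ancestor.
    Proc(2000, 1000, r"C:\Windows\System32\cmd.exe", r"cmd /c dir"),
    Proc(2001, 2000, r"C:\Windows\system32\certutil.exe", r"certutil -store My"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestors(p: Proc, by_pid: Dict[int, Proc]) -> List[Proc]:
    """Walk ppid links upward; the seen-set guards against PID reuse loops."""
    chain, seen, cur = [], {p.pid}, by_pid.get(p.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def under_script_host(p: Proc, by_pid: Dict[int, Proc]) -> bool:
    return any(basename(a.image) in SCRIPT_HOSTS for a in ancestors(p, by_pid))


def rule_certutil_decode(p: Proc, by_pid: Dict[int, Proc]) -> Optional[str]:
    if basename(p.image) == "certutil.exe" and re.search(r"\s-decode(hex)?\b", p.cmdline, re.I) \
            and under_script_host(p, by_pid):
        return "certutil -decode under a script host"
    return None


def rule_findstr_v(p: Proc, by_pid: Dict[int, Proc]) -> Optional[str]:
    if basename(p.image) == "findstr.exe" and re.search(r"\s/V\s", p.cmdline, re.I) \
            and under_script_host(p, by_pid):
        return "findstr /V carving payload lines out of a script"
    return None


def rule_rundll32_bare_dll(p: Proc, by_pid: Dict[int, Proc]) -> Optional[str]:
    """rundll32 <dll>,<export> where the DLL has no directory (resolved from the
    CWD, here %TEMP%) and the export name is one or two characters long."""
    if basename(p.image) != "rundll32.exe":
        return None
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^\s",]+)"?,(\S+)', p.cmdline, re.I)
    if not m:
        return None
    dll, export = m.groups()
    if ntpath.dirname(dll) == "" and len(export) <= 2 and under_script_host(p, by_pid):
        return f"rundll32 loading bare-name DLL {dll!r} via tiny export {export!r}"
    return None


RULES = [rule_certutil_decode, rule_findstr_v, rule_rundll32_bare_dll]


def detect(events: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every event that matches at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for e in events:
        for rule in RULES:
            msg = rule(e, by_pid)
            if msg:
                hits.setdefault(e.pid, []).append(msg)
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(pid, reasons)
```

Gating every rule on a script-host ancestor is what keeps certutil and rundll32 usable in the rest of the estate: the same commands under an administrator's cmd.exe produce no hit. The rundll32 rule deliberately lets the OpenAs_RunDLL launch through, because a fully qualified system DLL with a descriptive export is what legitimate shell behaviour looks like, while a CWD-relative DLL named in the same directory that certutil just wrote to is not.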
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\killwindow.bat
| MD5 | f0aa642d6a0e4a0021bb5a006da8f659 |
| SHA1 | 6da83194b6e3acb7fa7537b179b96c0a21654983 |
| SHA256 | 7b513b60bf0c42e4dea6b545591088954a1ed63348d085cbeee97c03ef163a42 |
| SHA512 | bd023360956eec5c06bd322d52d3881072955f6b22b9e99cdaf4f2a3f726d23e8bab0f3ab85d2bfaafbbfa5c696683026dbd50c7a5849e8aee893083662ae41e |
C:\Users\Admin\AppData\Local\Temp\economicknife
| MD5 | b1eb68af4adfd3c1b2c9bebc96f7476f |
| SHA1 | c0b9a3b8b98a07884d6a200c9f1f4789584efffe |
| SHA256 | 8ef40cddfde7f269cee9d4167f78540c74a5176c11a875d3e139b39d784616d2 |
| SHA512 | 5e9860af3ac660b24a41bbffd3b4b1b6fad213cc22efe7eeb103384e1b237e21f610cec63743f5329a9ad0c4b0452e5bb9eb56ca70a10b7b23240de5f2696bba |
C:\Users\Admin\AppData\Local\Temp\playgroundstructure.dll
| MD5 | 6a1f4bd07b38e35b007978bb130742b5 |
| SHA1 | fa396ca0dcc3738555f07c6ffbcbbd48ab67de92 |
| SHA256 | cce183b5df0c236e4d89fb64d34c35909b7fc04c54b3447340b2c44dd7030593 |
| SHA512 | e9dab28fb33f2cec7dec5332236a55554d5ba6e8eaea92cd7e6b0c47dbce8b08c7b45e4c11abd017f4cddd7930ee7214abefeccecba68362157f24710906b657 |
memory/368-1756-0x00007FF984A10000-0x00007FF984AE1000-memory.dmp
memory/368-1757-0x00000214EC770000-0x00000214EC793000-memory.dmp