Malware Analysis Report

2025-01-18 09:30

Sample ID 240130-m7cswsefc5
Target 30012024_1906_korgmore.zip
SHA256 51fae6ff6a5f204c0255eb45782625d68d18df04cc6318cafa402b0e94766a74
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

51fae6ff6a5f204c0255eb45782625d68d18df04cc6318cafa402b0e94766a74

Threat Level: Known bad

The file 30012024_1906_korgmore.zip was found to be: Known bad.

Execution chain observed in both detonations: wscript.exe runs the extracted 147981734725653.js; the script launches cmd.exe to copy itself to killwindow.bat and run that copy, so the same file is executed first as JScript and then as a batch file. The batch runs findstr /V stickykick over killwindow.bat, which drops every line carrying the marker word and leaves the encoded blob; that blob is the dropped file economicknife (the redirection of findstr's output is performed by cmd.exe and is not visible in the captured findstr command line). certutil -f -decode turns economicknife into playgroundstructure.dll, and rundll32 playgroundstructure.dll,m loads the DLL and calls its export m. The memory dumps listed under Files (PID 2504 on Windows 7, PID 368 on Windows 10) are taken from that rundll32.exe process. Only the Windows 10 run produced network traffic.

The rundll32.exe C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NUL process on Windows 7 and OpenWith.exe -Embedding on Windows 10 are the shell's "Open with" dialog (the OpenAs_RunDLL export of shell32.dll, or OpenWith.exe on Windows 10) being opened by the batch stage; it is the reason the Modifies registry class and Suspicious use of SetWindowsHookEx signatures also list OpenWith.exe.

Malicious Activity Summary

strela stealer

Strela

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 11:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 11:05

Reported

2024-01-30 11:08

Platform

win7-20231215-en

Max time kernel

122s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\147981734725653.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Enumerates physical storage devices

Modifies registry class

Description  Indicator                                                                            Process                           Target
Key created  \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_Classes\Local Settings  C:\Windows\system32\rundll32.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                          Target
PID 2168 wrote to memory of 2440  N/A        C:\Windows\system32\wscript.exe  C:\Windows\System32\cmd.exe
PID 2168 wrote to memory of 2440  N/A        C:\Windows\system32\wscript.exe  C:\Windows\System32\cmd.exe
PID 2168 wrote to memory of 2440  N/A        C:\Windows\system32\wscript.exe  C:\Windows\System32\cmd.exe
PID 2440 wrote to memory of 2124  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\rundll32.exe
PID 2440 wrote to memory of 2124  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\rundll32.exe
PID 2440 wrote to memory of 2124  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\rundll32.exe
PID 2440 wrote to memory of 2304  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\findstr.exe
PID 2440 wrote to memory of 2304  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\findstr.exe
PID 2440 wrote to memory of 2304  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\findstr.exe
PID 2440 wrote to memory of 2296  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\certutil.exe
PID 2440 wrote to memory of 2296  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\certutil.exe
PID 2440 wrote to memory of 2296  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\certutil.exe
PID 2440 wrote to memory of 2060  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\cmd.exe
PID 2440 wrote to memory of 2060  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\cmd.exe
PID 2440 wrote to memory of 2060  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 2504  N/A        C:\Windows\system32\cmd.exe      C:\Windows\system32\rundll32.exe
PID 2060 wrote to memory of 2504  N/A        C:\Windows\system32\cmd.exe      C:\Windows\system32\rundll32.exe
PID 2060 wrote to memory of 2504  N/A        C:\Windows\system32\cmd.exe      C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\147981734725653.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\147981734725653.js" "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat" && "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NUL

C:\Windows\system32\findstr.exe

findstr /V stickykick ""C:\Users\Admin\AppData\Local\Temp\\killwindow.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode economicknife playgroundstructure.dll

C:\Windows\system32\rundll32.exe

rundll32 playgroundstructure.dll,m

C:\Windows\system32\cmd.exe

cmd /c rundll32 playgroundstructure.dll,m
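The carve-and-decode steps in the Processes list above (findstr /V stickykick, certutil -f -decode, rundll32 playgroundstructure.dll,m) can be reproduced offline to see what the batch stage yields before the DLL ever runs. The Python below is an added example, not code from the report or from the sample itself: it builds a constructed stand-in for killwindow.bat (the marker word, file names and export name are the ones captured above; the embedded payload is a minimal fake DOS header plus PE signature, not the real playgroundstructure.dll, and the script lines are illustrative rather than a working JScript/batch polyglot), then emulates findstr /V and certutil -decode and checks whether the result is a PE image. The redirection of findstr's output into economicknife is an assumption, since it is not visible in the captured command line.

```python
from __future__ import annotations

import base64
import hashlib
import struct

# Marker word, file names and export name as captured in the report.
MARKER = "stickykick"
ENCODED_NAME = "economicknife"
DLL_NAME = "playgroundstructure.dll"
EXPORT = "m"


def build_sample() -> str:
    """Constructed stand-in for killwindow.bat (the .js copied to .bat).

    Every line of script logic carries the marker word, so `findstr /V` removes
    it; the untagged lines are the base64 blob. The payload is a fake 64-byte
    DOS header plus a PE signature, not the real DLL, and the script lines are
    illustrative rather than a working JScript/batch polyglot."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    payload = bytes(hdr) + b"PE\x00\x00" + b"constructed payload, not the real DLL"
    b64 = base64.b64encode(payload).decode()
    blob = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    script = [
        f"// {MARKER} JScript stub run by wscript.exe",
        f"@echo off & rem {MARKER}",
        # Assumption: the batch redirects findstr's output into economicknife.
        f'findstr /V {MARKER} "%~f0" > {ENCODED_NAME} & rem {MARKER}',
        f"certutil -f -decode {ENCODED_NAME} {DLL_NAME} & rem {MARKER}",
        f"cmd /c rundll32 {DLL_NAME},{EXPORT} & rem {MARKER}",
        "-----BEGIN CERTIFICATE-----",
        *blob,
        "-----END CERTIFICATE-----",
    ]
    return "\n".join(script) + "\n"


def findstr_v(text: str, marker: str) -> list[str]:
    """Emulate `findstr /V marker file`: keep lines that do NOT contain marker.
    findstr is case-sensitive unless /I is given, so this match is too."""
    return [ln for ln in text.splitlines() if marker not in ln]


def certutil_decode(lines: list[str]) -> bytes:
    """Emulate `certutil -decode in out`: certutil accepts base64 with or without
    PEM-style -----BEGIN/END----- lines, so drop those, strip whitespace, decode."""
    body = "".join(ln.strip() for ln in lines if not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus a PE signature at e_lfanew: the minimum a loader checks."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def stage(text: str, marker: str = MARKER) -> dict:
    """Run carve -> decode -> inspect and return what a responder wants to know."""
    carved = findstr_v(text, marker)
    dll = certutil_decode(carved)
    return {
        "carved_lines": len(carved),
        "dll_size": len(dll),
        "is_pe": looks_like_pe(dll),
        "sha256": hashlib.sha256(dll).hexdigest(),
    }


if __name__ == "__main__":
    print(stage(build_sample()))
```

Run against a real sample, `stage()` gives the size and SHA256 of the decoded DLL without executing it, which is what you compare against the playgroundstructure.dll hashes listed under Files; the marker argument is what changes between builds of this loader, so it is a parameter rather than a constant inside the function.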

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\killwindow.bat

MD5 f0aa642d6a0e4a0021bb5a006da8f659
SHA1 6da83194b6e3acb7fa7537b179b96c0a21654983
SHA256 7b513b60bf0c42e4dea6b545591088954a1ed63348d085cbeee97c03ef163a42
SHA512 bd023360956eec5c06bd322d52d3881072955f6b22b9e99cdaf4f2a3f726d23e8bab0f3ab85d2bfaafbbfa5c696683026dbd50c7a5849e8aee893083662ae41e

C:\Users\Admin\AppData\Local\Temp\economicknife

MD5 b1eb68af4adfd3c1b2c9bebc96f7476f
SHA1 c0b9a3b8b98a07884d6a200c9f1f4789584efffe
SHA256 8ef40cddfde7f269cee9d4167f78540c74a5176c11a875d3e139b39d784616d2
SHA512 5e9860af3ac660b24a41bbffd3b4b1b6fad213cc22efe7eeb103384e1b237e21f610cec63743f5329a9ad0c4b0452e5bb9eb56ca70a10b7b23240de5f2696bba

C:\Users\Admin\AppData\Local\Temp\playgroundstructure.dll

MD5 6a1f4bd07b38e35b007978bb130742b5
SHA1 fa396ca0dcc3738555f07c6ffbcbbd48ab67de92
SHA256 cce183b5df0c236e4d89fb64d34c35909b7fc04c54b3447340b2c44dd7030593
SHA512 e9dab28fb33f2cec7dec5332236a55554d5ba6e8eaea92cd7e6b0c47dbce8b08c7b45e4c11abd017f4cddd7930ee7214abefeccecba68362157f24710906b657

memory/2504-1789-0x00000000002A0000-0x00000000002C3000-memory.dmp

memory/2504-1788-0x000007FEF70E0000-0x000007FEF71B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 11:05

Reported

2024-01-30 11:08

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\147981734725653.js

Signatures

Strela

stealer strela

Checks computer location settings

Description        Indicator                                                                                             Process                          Target
Key value queried  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation  C:\Windows\system32\wscript.exe  N/A

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Enumerates physical storage devices

Modifies registry class

Description  Indicator                                                                             Process                           Target
Key created  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings  C:\Windows\System32\cmd.exe       N/A
Key created  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings  C:\Windows\system32\OpenWith.exe  N/A

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\OpenWith.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                          Target
PID 4812 wrote to memory of 4424  N/A        C:\Windows\system32\wscript.exe  C:\Windows\System32\cmd.exe
PID 4812 wrote to memory of 4424  N/A        C:\Windows\system32\wscript.exe  C:\Windows\System32\cmd.exe
PID 4424 wrote to memory of 5072  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\findstr.exe
PID 4424 wrote to memory of 5072  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\findstr.exe
PID 4424 wrote to memory of 632   N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\certutil.exe
PID 4424 wrote to memory of 632   N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\certutil.exe
PID 4424 wrote to memory of 3880  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\cmd.exe
PID 4424 wrote to memory of 3880  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 368   N/A        C:\Windows\system32\cmd.exe      C:\Windows\system32\rundll32.exe
PID 3880 wrote to memory of 368   N/A        C:\Windows\system32\cmd.exe      C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\147981734725653.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\147981734725653.js" "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat" && "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\findstr.exe

findstr /V stickykick ""C:\Users\Admin\AppData\Local\Temp\\killwindow.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode economicknife playgroundstructure.dll

C:\Windows\system32\cmd.exe

cmd /c rundll32 playgroundstructure.dll,m

C:\Windows\system32\rundll32.exe

rundll32 playgroundstructure.dll,m
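The parent/child PIDs in the Suspicious use of WriteProcessMemory tables (4812 -> 4424 -> 5072/632/3880 -> 368 in this run; 2168 -> 2440 -> 2304/2296/2060 -> 2504 on Windows 7) together with the Processes lists are enough to rebuild the process tree and detect the chain as a whole rather than alerting on certutil alone. The Python below is an added example, not code from the report or from any detection product: it replays the Windows 7 run's command lines as constructed process-creation events (the parent PID 1000 of wscript.exe is assumed, and two benign controls with hypothetical names are added: an administrator decoding a certificate by hand, and a logon script run by wscript.exe) and flags any wscript.exe/cscript.exe subtree that performs at least three of: copying a script file to .bat/.cmd, findstr /V, certutil -decode, and rundll32 loading a DLL from outside the Windows directory. The same stages occur in the Windows 10 run, only the PIDs differ.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events. PIDs, images and command lines for 2168..2504 are the
# Windows 7 detonation's; 1000 is an assumed parent for wscript.exe.
# 3000-3002 and 4000-4001 are constructed benign controls with hypothetical names.
EVENTS = [
    ProcEvent(2168, 1000, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\147981734725653.js"),
    ProcEvent(2440, 2168, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\147981734725653.js" '
              r'"C:\Users\Admin\AppData\Local\Temp\\killwindow.bat" && "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat"'),
    ProcEvent(2124, 2440, r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NUL'),
    ProcEvent(2304, 2440, r"C:\Windows\system32\findstr.exe",
              r'findstr /V stickykick ""C:\Users\Admin\AppData\Local\Temp\\killwindow.bat""'),
    ProcEvent(2296, 2440, r"C:\Windows\system32\certutil.exe",
              "certutil -f -decode economicknife playgroundstructure.dll"),
    ProcEvent(2060, 2440, r"C:\Windows\system32\cmd.exe", "cmd /c rundll32 playgroundstructure.dll,m"),
    ProcEvent(2504, 2060, r"C:\Windows\system32\rundll32.exe", "rundll32 playgroundstructure.dll,m"),
    # Benign control 1: an administrator decoding a certificate from a shell (hypothetical paths).
    ProcEvent(3001, 3000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(3002, 3001, r"C:\Windows\system32\certutil.exe", r"certutil -decode C:\certs\ca.b64 C:\certs\ca.cer"),
    # Benign control 2: a logon script with no staging behaviour (hypothetical share).
    ProcEvent(4001, 4000, r"C:\Windows\system32\wscript.exe", r"wscript.exe \\fileserver\netlogon\map_drives.vbs"),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# One regex per staging step, matched against a process's command line.
STAGES = {
    "copy_script_to_bat": re.compile(r"\bcopy\b.*\.(?:js|jse|vbs|vbe|wsf)\b.*\.(?:bat|cmd)\b", re.I),
    "findstr_carve": re.compile(r"\bfindstr(?:\.exe)?\s+/V\b", re.I),
    "certutil_decode": re.compile(r"\bcertutil(?:\.exe)?\b.*\s[-/]decode\b", re.I),
}
RUNDLL = re.compile(r'\brundll32(?:\.exe)?"?\s+"?(?P<dll>[^\s,"]+),(?P<export>\S+)', re.I)


def rundll32_untrusted(cmdline: str) -> tuple[str, str] | None:
    """Return (dll, export) when rundll32 loads a DLL that is not under C:\\Windows.
    shell32.dll,OpenAs_RunDLL (the Open With dialog in the report) is ignored; a bare
    name such as playgroundstructure.dll resolves against the working directory, here
    the user's Temp folder, and is reported."""
    m = RUNDLL.search(cmdline)
    if not m or m.group("dll").lower().startswith("c:\\windows\\"):
        return None
    return m.group("dll"), m.group("export")


def detect_staging_chains(events: list[ProcEvent], min_stages: int = 3) -> list[dict]:
    """Walk every script-host subtree and report the staging steps found in it."""
    children: dict[int, list[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for root in events:
        if not root.image.lower().endswith(SCRIPT_HOSTS):
            continue
        tree, stack = [root], list(children.get(root.pid, []))
        while stack:  # depth-first collection of all descendants
            e = stack.pop()
            tree.append(e)
            stack.extend(children.get(e.pid, []))
        stages: dict[str, int] = {}  # stage name -> first PID it was seen in
        for e in tree:
            for name, pat in STAGES.items():
                if name not in stages and pat.search(e.cmdline):
                    stages[name] = e.pid
            if "rundll32_untrusted_dll" not in stages and rundll32_untrusted(e.cmdline):
                stages["rundll32_untrusted_dll"] = e.pid
        if len(stages) >= min_stages:
            findings.append({"root_pid": root.pid, "script": root.cmdline, "stages": stages})
    return findings


if __name__ == "__main__":
    for finding in detect_staging_chains(EVENTS):
        print(finding)
```

Scoping the stages to one script-host subtree is what keeps the certutil control quiet: certutil -decode on its own is common administrative activity, but certutil -decode inside a wscript.exe tree that also ran findstr /V and then rundll32 on a DLL from Temp is this loader. The min_stages threshold is the knob to loosen if the copy step is missing from your telemetry (for example when the script is dropped directly as .bat).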

Network

Country  Destination        Domain                       Proto
NL       52.142.223.178:80  -                            tcp
US       8.8.8.8:53         13.86.106.20.in-addr.arpa    udp
US       8.8.8.8:53         189.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53         133.32.126.40.in-addr.arpa   udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53         133.211.185.52.in-addr.arpa  udp
US       8.8.8.8:53         56.126.166.20.in-addr.arpa   udp
US       8.8.8.8:53         50.23.12.20.in-addr.arpa     udp
US       8.8.8.8:53         18.134.221.88.in-addr.arpa   udp
US       8.8.8.8:53         179.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53         30.243.111.52.in-addr.arpa   udp
US       8.8.8.8:53         180.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53         9.173.189.20.in-addr.arpa    udp

The only direct connection recorded is TCP port 80 to 52.142.223.178; no forward DNS query for it appears in the capture, so the address is contacted directly. Every other entry is a PTR (reverse DNS) lookup sent to 8.8.8.8. The Windows 7 run (behavioral1) produced no network traffic at all.

Files

C:\Users\Admin\AppData\Local\Temp\killwindow.bat

MD5 f0aa642d6a0e4a0021bb5a006da8f659
SHA1 6da83194b6e3acb7fa7537b179b96c0a21654983
SHA256 7b513b60bf0c42e4dea6b545591088954a1ed63348d085cbeee97c03ef163a42
SHA512 bd023360956eec5c06bd322d52d3881072955f6b22b9e99cdaf4f2a3f726d23e8bab0f3ab85d2bfaafbbfa5c696683026dbd50c7a5849e8aee893083662ae41e

C:\Users\Admin\AppData\Local\Temp\economicknife

MD5 b1eb68af4adfd3c1b2c9bebc96f7476f
SHA1 c0b9a3b8b98a07884d6a200c9f1f4789584efffe
SHA256 8ef40cddfde7f269cee9d4167f78540c74a5176c11a875d3e139b39d784616d2
SHA512 5e9860af3ac660b24a41bbffd3b4b1b6fad213cc22efe7eeb103384e1b237e21f610cec63743f5329a9ad0c4b0452e5bb9eb56ca70a10b7b23240de5f2696bba

C:\Users\Admin\AppData\Local\Temp\playgroundstructure.dll

MD5 6a1f4bd07b38e35b007978bb130742b5
SHA1 fa396ca0dcc3738555f07c6ffbcbbd48ab67de92
SHA256 cce183b5df0c236e4d89fb64d34c35909b7fc04c54b3447340b2c44dd7030593
SHA512 e9dab28fb33f2cec7dec5332236a55554d5ba6e8eaea92cd7e6b0c47dbce8b08c7b45e4c11abd017f4cddd7930ee7214abefeccecba68362157f24710906b657

memory/368-1756-0x00007FF984A10000-0x00007FF984AE1000-memory.dmp

memory/368-1757-0x00000214EC770000-0x00000214EC793000-memory.dmp