Malware Analysis Report

2025-01-18 09:29

Sample ID 240209-kt955abf77
Target 09022024_1655_kindergarten-wiesenbronn.zip
SHA256 ce01439b4563ef42d1536e99b4147a083f227a6639b18a4e4d9944618e4338c4
Tags
strela stealer
score
10/10


Analysis Overview

score
10/10

SHA256

ce01439b4563ef42d1536e99b4147a083f227a6639b18a4e4d9944618e4338c4

Threat Level: Known bad

The file 09022024_1655_kindergarten-wiesenbronn.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-09 08:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-09 08:54

Reported

2024-02-09 08:57

Platform

win7-20231215-en

Max time kernel

117s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\kindergarten-wiesenbronn.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\kindergarten-wiesenbronn.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\kindergarten-wiesenbronn.js" "C:\Users\Admin\AppData\Local\Temp\GW54GT.bat" && "C:\Users\Admin\AppData\Local\Temp\GW54GT.bat"

C:\Windows\system32\findstr.exe

FINDSTR /V S7MOTM ""C:\Users\Admin\AppData\Local\Temp\GW54GT.bat""

C:\Windows\system32\certutil.exe

CERTUTIL -f -DEcODEhEX K4CFQY FZ7JDQ.dll

C:\Windows\system32\rundll32.exe

ruNDLL32 FZ7JDQ.dll,f

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\GW54GT.bat

MD5 cf65d4687c41648679c9cdcb24a0e824
SHA1 f3966ccd310aba1e6161015f6cf6c04ccb005c0f
SHA256 95e0322d029d6cda1d65a9def576455be66a7520f14fd2eabcecf1f5ddeec5e1
SHA512 e1f2bf2156459b6c5c54bdcf1ac9e86d00d4d8f181d3ae5cf0bd890e683fc19d7c6d7aa10ae826903cdd46aaae9dc4bcd2ee709e5b6343401d002f841ebb1d25

C:\Users\Admin\AppData\Local\Temp\K4CFQY

MD5 4263cc10f04dc0aa11486669da00d9b2
SHA1 84276ef5f7f2afb0f41c92f60eb5a75b8e234add
SHA256 f42cc8f1b5c5242e53ec1243ae4e2af167a7b2722cf040944e4289ee5aec2c16
SHA512 912964b813c348550d8dc2e8dde4f9dcce9715bddf0d6b6dcc56f8bf9c96e387c1d97dd0b73b24691acec14ad03747e7d8477afeed8ff5767605a9c80e95c629

C:\Users\Admin\AppData\Local\Temp\FZ7JDQ.dll

MD5 5d96f1a31b68f6449fbd50457b14e280
SHA1 8db7c9989062797441b69eebd1f2cd07e2199a22
SHA256 cfbb6eb60214fcccb2a3e868b4ff6b4ccceecffa50057582be87c4c9f3216c4a
SHA512 2ea1ce39ae4c8a9d4620013d0919311dcb8c9e3958991d4bf4059dfd99e3a3d4e9396a07ae73d7a983e2c0d6cb4f031418d62e1ab5729fe4303b4b1d722bfaa7

memory/2576-18-0x000000006D7C0000-0x000000006D81B000-memory.dmp

memory/2576-19-0x0000000000280000-0x00000000002A1000-memory.dmp

memory/2576-20-0x0000000000280000-0x00000000002A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-09 08:54

Reported

2024-02-09 08:57

Platform

win10v2004-20231215-en

Max time kernel

137s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\kindergarten-wiesenbronn.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 3952 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 5088 wrote to memory of 3952 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 3952 wrote to memory of 3292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 3952 wrote to memory of 3292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 3952 wrote to memory of 1880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 3952 wrote to memory of 1880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 3952 wrote to memory of 1420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3952 wrote to memory of 1420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\kindergarten-wiesenbronn.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\kindergarten-wiesenbronn.js" "C:\Users\Admin\AppData\Local\Temp\GW54GT.bat" && "C:\Users\Admin\AppData\Local\Temp\GW54GT.bat"

C:\Windows\system32\findstr.exe

FINDSTR /V S7MOTM ""C:\Users\Admin\AppData\Local\Temp\GW54GT.bat""

C:\Windows\system32\certutil.exe

CERTUTIL -f -DEcODEhEX K4CFQY FZ7JDQ.dll

C:\Windows\system32\rundll32.exe

ruNDLL32 FZ7JDQ.dll,f

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\GW54GT.bat

MD5 cf65d4687c41648679c9cdcb24a0e824
SHA1 f3966ccd310aba1e6161015f6cf6c04ccb005c0f
SHA256 95e0322d029d6cda1d65a9def576455be66a7520f14fd2eabcecf1f5ddeec5e1
SHA512 e1f2bf2156459b6c5c54bdcf1ac9e86d00d4d8f181d3ae5cf0bd890e683fc19d7c6d7aa10ae826903cdd46aaae9dc4bcd2ee709e5b6343401d002f841ebb1d25

C:\Users\Admin\AppData\Local\Temp\K4CFQY

MD5 4263cc10f04dc0aa11486669da00d9b2
SHA1 84276ef5f7f2afb0f41c92f60eb5a75b8e234add
SHA256 f42cc8f1b5c5242e53ec1243ae4e2af167a7b2722cf040944e4289ee5aec2c16
SHA512 912964b813c348550d8dc2e8dde4f9dcce9715bddf0d6b6dcc56f8bf9c96e387c1d97dd0b73b24691acec14ad03747e7d8477afeed8ff5767605a9c80e95c629

C:\Users\Admin\AppData\Local\Temp\FZ7JDQ.dll

MD5 5d96f1a31b68f6449fbd50457b14e280
SHA1 8db7c9989062797441b69eebd1f2cd07e2199a22
SHA256 cfbb6eb60214fcccb2a3e868b4ff6b4ccceecffa50057582be87c4c9f3216c4a
SHA512 2ea1ce39ae4c8a9d4620013d0919311dcb8c9e3958991d4bf4059dfd99e3a3d4e9396a07ae73d7a983e2c0d6cb4f031418d62e1ab5729fe4303b4b1d722bfaa7

memory/1420-15-0x000002138C5B0000-0x000002138C5D1000-memory.dmp

memory/1420-16-0x000000006D7C0000-0x000000006D81B000-memory.dmp