Analysis Overview
SHA256
ce01439b4563ef42d1536e99b4147a083f227a6639b18a4e4d9944618e4338c4
Threat Level: Known bad
The file 09022024_1655_kindergarten-wiesenbronn.zip was found to be: Known bad.
Malicious Activity Summary
Strela
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-09 08:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-09 08:54
Reported
2024-02-09 08:57
Platform
win7-20231215-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\kindergarten-wiesenbronn.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\kindergarten-wiesenbronn.js" "C:\Users\Admin\AppData\Local\Temp\GW54GT.bat" && "C:\Users\Admin\AppData\Local\Temp\GW54GT.bat"
C:\Windows\system32\findstr.exe
FINDSTR /V S7MOTM ""C:\Users\Admin\AppData\Local\Temp\GW54GT.bat""
C:\Windows\system32\certutil.exe
CERTUTIL -f -DEcODEhEX K4CFQY FZ7JDQ.dll
C:\Windows\system32\rundll32.exe
ruNDLL32 FZ7JDQ.dll,f
Network
Files
C:\Users\Admin\AppData\Local\Temp\GW54GT.bat
| MD5 | cf65d4687c41648679c9cdcb24a0e824 |
| SHA1 | f3966ccd310aba1e6161015f6cf6c04ccb005c0f |
| SHA256 | 95e0322d029d6cda1d65a9def576455be66a7520f14fd2eabcecf1f5ddeec5e1 |
| SHA512 | e1f2bf2156459b6c5c54bdcf1ac9e86d00d4d8f181d3ae5cf0bd890e683fc19d7c6d7aa10ae826903cdd46aaae9dc4bcd2ee709e5b6343401d002f841ebb1d25 |
C:\Users\Admin\AppData\Local\Temp\K4CFQY
| MD5 | 4263cc10f04dc0aa11486669da00d9b2 |
| SHA1 | 84276ef5f7f2afb0f41c92f60eb5a75b8e234add |
| SHA256 | f42cc8f1b5c5242e53ec1243ae4e2af167a7b2722cf040944e4289ee5aec2c16 |
| SHA512 | 912964b813c348550d8dc2e8dde4f9dcce9715bddf0d6b6dcc56f8bf9c96e387c1d97dd0b73b24691acec14ad03747e7d8477afeed8ff5767605a9c80e95c629 |
C:\Users\Admin\AppData\Local\Temp\FZ7JDQ.dll
| MD5 | 5d96f1a31b68f6449fbd50457b14e280 |
| SHA1 | 8db7c9989062797441b69eebd1f2cd07e2199a22 |
| SHA256 | cfbb6eb60214fcccb2a3e868b4ff6b4ccceecffa50057582be87c4c9f3216c4a |
| SHA512 | 2ea1ce39ae4c8a9d4620013d0919311dcb8c9e3958991d4bf4059dfd99e3a3d4e9396a07ae73d7a983e2c0d6cb4f031418d62e1ab5729fe4303b4b1d722bfaa7 |
memory/2576-18-0x000000006D7C0000-0x000000006D81B000-memory.dmp
memory/2576-19-0x0000000000280000-0x00000000002A1000-memory.dmp
memory/2576-20-0x0000000000280000-0x00000000002A1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-09 08:54
Reported
2024-02-09 08:57
Platform
win10v2004-20231215-en
Max time kernel
137s
Max time network
149s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5088 wrote to memory of 3952 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 5088 wrote to memory of 3952 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 3952 wrote to memory of 3292 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 3952 wrote to memory of 3292 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 3952 wrote to memory of 1880 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 3952 wrote to memory of 1880 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 3952 wrote to memory of 1420 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3952 wrote to memory of 1420 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\kindergarten-wiesenbronn.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\kindergarten-wiesenbronn.js" "C:\Users\Admin\AppData\Local\Temp\GW54GT.bat" && "C:\Users\Admin\AppData\Local\Temp\GW54GT.bat"
C:\Windows\system32\findstr.exe
FINDSTR /V S7MOTM ""C:\Users\Admin\AppData\Local\Temp\GW54GT.bat""
C:\Windows\system32\certutil.exe
CERTUTIL -f -DEcODEhEX K4CFQY FZ7JDQ.dll
C:\Windows\system32\rundll32.exe
ruNDLL32 FZ7JDQ.dll,f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\GW54GT.bat
| MD5 | cf65d4687c41648679c9cdcb24a0e824 |
| SHA1 | f3966ccd310aba1e6161015f6cf6c04ccb005c0f |
| SHA256 | 95e0322d029d6cda1d65a9def576455be66a7520f14fd2eabcecf1f5ddeec5e1 |
| SHA512 | e1f2bf2156459b6c5c54bdcf1ac9e86d00d4d8f181d3ae5cf0bd890e683fc19d7c6d7aa10ae826903cdd46aaae9dc4bcd2ee709e5b6343401d002f841ebb1d25 |
C:\Users\Admin\AppData\Local\Temp\K4CFQY
| MD5 | 4263cc10f04dc0aa11486669da00d9b2 |
| SHA1 | 84276ef5f7f2afb0f41c92f60eb5a75b8e234add |
| SHA256 | f42cc8f1b5c5242e53ec1243ae4e2af167a7b2722cf040944e4289ee5aec2c16 |
| SHA512 | 912964b813c348550d8dc2e8dde4f9dcce9715bddf0d6b6dcc56f8bf9c96e387c1d97dd0b73b24691acec14ad03747e7d8477afeed8ff5767605a9c80e95c629 |
C:\Users\Admin\AppData\Local\Temp\FZ7JDQ.dll
| MD5 | 5d96f1a31b68f6449fbd50457b14e280 |
| SHA1 | 8db7c9989062797441b69eebd1f2cd07e2199a22 |
| SHA256 | cfbb6eb60214fcccb2a3e868b4ff6b4ccceecffa50057582be87c4c9f3216c4a |
| SHA512 | 2ea1ce39ae4c8a9d4620013d0919311dcb8c9e3958991d4bf4059dfd99e3a3d4e9396a07ae73d7a983e2c0d6cb4f031418d62e1ab5729fe4303b4b1d722bfaa7 |
memory/1420-15-0x000002138C5B0000-0x000002138C5D1000-memory.dmp
memory/1420-16-0x000000006D7C0000-0x000000006D81B000-memory.dmp