strela | 90fdd5813bf115673f5220b77dc68f450cac9f467700b6f1abaeb5260ccd771b

Analysis

max time kernel
91s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2023, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6639950729836.js
Size

74.0MB
MD5

e5a55b225ad42f2b7e478a984655a2c2
SHA1

1885af9595e2b236b11f7a9c5f772ccbf1005afc
SHA256

e007dd656023560ad7f1552a6c912a94a7a0e91e17f2394bcd2a634b6cf68bb8
SHA512

b99f9d112f0af34903b66bfc82f1ee28119f420ac0c138c7870177439c179eb2ab484360c8ac50575ec58c9af9a2fdd73bb7f091281224a43b8fbb9689301e7e
SSDEEP

24576:kDSFysLyxcKqk5PZthZD39wSfF3qIbWeO5+81ZMJx4IxUt9JQi:2xg

Score

10^/10

strela stealer

Malware Config

Extracted

Family

strela

91.215.85.209

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 1 IoCs

pid	Process
3964	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 4400	2904	wscript.exe	87
PID 2904 wrote to memory of 4400	2904	wscript.exe	87
PID 4400 wrote to memory of 1344	4400	cmd.exe	90
PID 4400 wrote to memory of 1344	4400	cmd.exe	90
PID 4400 wrote to memory of 3956	4400	cmd.exe	100
PID 4400 wrote to memory of 3956	4400	cmd.exe	100
PID 4400 wrote to memory of 3964	4400	cmd.exe	101
PID 4400 wrote to memory of 3964	4400	cmd.exe	101

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\6639950729836.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\6639950729836.js" "C:\Users\Admin\AppData\Local\Temp\\sortacoustics.cmd" && "C:\Users\Admin\AppData\Local\Temp\\sortacoustics.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\system32\findstr.exe
    findstr /V exerciseashamed ""C:\Users\Admin\AppData\Local\Temp\\sortacoustics.cmd""
    3⤵
    PID:1344
- - C:\Windows\system32\certutil.exe
    certutil -f -decode puncturesmell mereyoung.dll
    3⤵
    PID:3956
- - C:\Windows\system32\rundll32.exe
    rundll32 mereyoung.dll,h
    3⤵
    - Loads dropped DLL
    PID:3964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mereyoung.dll

Filesize
787KB

MD5
64af84f87b19f1436e8467e33303a826

SHA1
b1b60a903c552e77a93ddb5951a61d94bdb7d839

SHA256
bb548129dac325acef8b96059fbb38e0658b3d20cb5f30c173c5e0e6cdef1911

SHA512
5b22739767d1391462914a9bb4198255edfe5047ded5f2f46de7ef11ad0ebfa270d30480288c1a15937b0db6ef86cd7817830617b31c741c3a751536752be0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mereyoung.dll

Filesize
787KB

MD5
64af84f87b19f1436e8467e33303a826

SHA1
b1b60a903c552e77a93ddb5951a61d94bdb7d839

SHA256
bb548129dac325acef8b96059fbb38e0658b3d20cb5f30c173c5e0e6cdef1911

SHA512
5b22739767d1391462914a9bb4198255edfe5047ded5f2f46de7ef11ad0ebfa270d30480288c1a15937b0db6ef86cd7817830617b31c741c3a751536752be0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\puncturesmell

Filesize
1.0MB

MD5
1d4890e8fc46d0160ee2fea02207d4e6

SHA1
0e29e54facc9eebac98a79b91d7c509a3c39de96

SHA256
d367a6822edd01edbc5162df969c45642f0172758c0fdba5da498a7139846826

SHA512
2bd1334f20a40215d7979ae75bbea5ced855544317841373acc032b8275efdff9ffe1e75ccc1aaa79cb498f563b717300343e26f194e0f959ae9b4b81f2cab7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sortacoustics.cmd

Filesize
74.0MB

MD5
e5a55b225ad42f2b7e478a984655a2c2

SHA1
1885af9595e2b236b11f7a9c5f772ccbf1005afc

SHA256
e007dd656023560ad7f1552a6c912a94a7a0e91e17f2394bcd2a634b6cf68bb8

SHA512
b99f9d112f0af34903b66bfc82f1ee28119f420ac0c138c7870177439c179eb2ab484360c8ac50575ec58c9af9a2fdd73bb7f091281224a43b8fbb9689301e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sortacoustics.cmd

Filesize
74.0MB

MD5
e5a55b225ad42f2b7e478a984655a2c2

SHA1
1885af9595e2b236b11f7a9c5f772ccbf1005afc

SHA256
e007dd656023560ad7f1552a6c912a94a7a0e91e17f2394bcd2a634b6cf68bb8

SHA512
b99f9d112f0af34903b66bfc82f1ee28119f420ac0c138c7870177439c179eb2ab484360c8ac50575ec58c9af9a2fdd73bb7f091281224a43b8fbb9689301e7e

Download Submit
memory/3964-175-0x0000026B338F0000-0x0000026B33911000-memory.dmp

Filesize
132KB

Download
memory/3964-176-0x000000006D7C0000-0x000000006D88D000-memory.dmp

Filesize
820KB

Download
memory/3964-177-0x0000026B338F0000-0x0000026B33911000-memory.dmp

Filesize
132KB

Download