strela | caddd01ccadc4f1bd35a7b5e8c211f8249bf7bd412ce2640449fa9ace362b733

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/09/2023, 07:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

212372202415095.js
Size

5.0MB
MD5

ed0918daa5b1410fe759e57117006eaf
SHA1

2db83c1bc823a2591061fed030bc01cd82938ea8
SHA256

caddd01ccadc4f1bd35a7b5e8c211f8249bf7bd412ce2640449fa9ace362b733
SHA512

720ba09684ee63856e86c40fbe2aafa514a5f1674b026060070e867b555e7e41561801b90559e280bcbc9efb0db20d52062955d7a831cac4bc87237038681653
SSDEEP

24576:b81ojxRnMT6s3UgT17O7pcg3JdWe74xfIflkCPBgUivD2fN3uxA9Arv1FgpWHoxQ:jR4DTxbRifNLzdb7W6vyrJd2UbUo

Score

10^/10

strela stealer

Malware Config

Extracted

Family

strela

193.109.85.77

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 1 IoCs

pid	Process
2092	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2092	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2652	2196	wscript.exe	28
PID 2196 wrote to memory of 2652	2196	wscript.exe	28
PID 2196 wrote to memory of 2652	2196	wscript.exe	28
PID 2652 wrote to memory of 2644	2652	cmd.exe	30
PID 2652 wrote to memory of 2644	2652	cmd.exe	30
PID 2652 wrote to memory of 2644	2652	cmd.exe	30
PID 2652 wrote to memory of 3028	2652	cmd.exe	31
PID 2652 wrote to memory of 3028	2652	cmd.exe	31
PID 2652 wrote to memory of 3028	2652	cmd.exe	31
PID 2652 wrote to memory of 2092	2652	cmd.exe	32
PID 2652 wrote to memory of 2092	2652	cmd.exe	32
PID 2652 wrote to memory of 2092	2652	cmd.exe	32
PID 2652 wrote to memory of 2092	2652	cmd.exe	32
PID 2652 wrote to memory of 2092	2652	cmd.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\212372202415095.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\212372202415095.js" "C:\Users\Admin\AppData\Local\Temp\\soundlamentable.bat" && "C:\Users\Admin\AppData\Local\Temp\\soundlamentable.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\findstr.exe
    findstr /V jamarm ""C:\Users\Admin\AppData\Local\Temp\\soundlamentable.bat""
    3⤵
    PID:2644
- - C:\Windows\system32\certutil.exe
    certutil -f -decode quillservant trampsaw.dll
    3⤵
    PID:3028
- - C:\Windows\system32\regsvr32.exe
    regsvr32 trampsaw.dll
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\quillservant

Filesize
4.9MB

MD5
334dc2144d6553e31bbefaa59420d207

SHA1
c1a7a29af63b25ed529a7a151d25882a0a21f4ee

SHA256
ae064748ae5da678357a74c5920aa73a70559ce6d3984f279cfcd1742cf8aa11

SHA512
52e40c39bb193cfdb247ad9ad92f7fea33a06e17deaf841a212a4a3b8158b1af2ab546c1aaa63fd0213ea49b7d121be1011aecb4dce396401004368ff2009351

Download Submit
C:\Users\Admin\AppData\Local\Temp\soundlamentable.bat

Filesize
5.0MB

MD5
ed0918daa5b1410fe759e57117006eaf

SHA1
2db83c1bc823a2591061fed030bc01cd82938ea8

SHA256
caddd01ccadc4f1bd35a7b5e8c211f8249bf7bd412ce2640449fa9ace362b733

SHA512
720ba09684ee63856e86c40fbe2aafa514a5f1674b026060070e867b555e7e41561801b90559e280bcbc9efb0db20d52062955d7a831cac4bc87237038681653

Download Submit
C:\Users\Admin\AppData\Local\Temp\soundlamentable.bat

Filesize
5.0MB

MD5
ed0918daa5b1410fe759e57117006eaf

SHA1
2db83c1bc823a2591061fed030bc01cd82938ea8

SHA256
caddd01ccadc4f1bd35a7b5e8c211f8249bf7bd412ce2640449fa9ace362b733

SHA512
720ba09684ee63856e86c40fbe2aafa514a5f1674b026060070e867b555e7e41561801b90559e280bcbc9efb0db20d52062955d7a831cac4bc87237038681653

Download Submit
C:\Users\Admin\AppData\Local\Temp\trampsaw.dll

Filesize
3.7MB

MD5
a05064e41e8e855da6aebe400cf072b1

SHA1
1b92e47de4ab4f7cbbd283483a0a24505487dc07

SHA256
6834f24292b0aed03c62c7ed6360b88dac93ba19400930170d11437d506c8da0

SHA512
f2bdb3fe3438393e5e10c8deaf2d9aa5e40cfd6582b25f2b3dcb6e266d9fed80d9814d4d7108d04896bb046153b5750451cec35c4f16e46a2a8aace1c4f059ff

Download Submit
\Users\Admin\AppData\Local\Temp\trampsaw.dll

Filesize
3.7MB

MD5
a05064e41e8e855da6aebe400cf072b1

SHA1
1b92e47de4ab4f7cbbd283483a0a24505487dc07

SHA256
6834f24292b0aed03c62c7ed6360b88dac93ba19400930170d11437d506c8da0

SHA512
f2bdb3fe3438393e5e10c8deaf2d9aa5e40cfd6582b25f2b3dcb6e266d9fed80d9814d4d7108d04896bb046153b5750451cec35c4f16e46a2a8aace1c4f059ff

Download Submit
memory/2092-7231-0x00000000001B0000-0x00000000001D1000-memory.dmp

Filesize
132KB

Download
memory/2092-7232-0x000000006D7C0000-0x000000006DB70000-memory.dmp

Filesize
3.7MB

Download
memory/2092-7233-0x00000000001B0000-0x00000000001D1000-memory.dmp

Filesize
132KB

Download