Analysis

  • max time kernel
    119s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2023 12:59

General

  • Target

    Strela.js

  • Size

    3MB

  • MD5

    2c87dd2b3fc3d243a06bf947f4c7d7ac

  • SHA1

    be2acdaee1128946a1eec5a449f8ed6f21e06759

  • SHA256

    506a0f63c640aa0702a286847553b02d9cda218ffb2ff1f38bc017247c49fcba

  • SHA512

    ae6daf7009ffdf429975cbeb9b4f539048ec9bad7e6184eeeeb39ee9ff04676f44df63a277515adb99b6a613f28f1f9a65e5390991f7f01b5adfaacfc1dc4b77

  • SSDEEP

    24576:miLxXraB4Ze8MYp39KlgOS+j2SrM+2RpgGsIh0GYDDRV2GbnFEcmNIMHTXkE/71K:TLJne0zSzd2aU4Gl0lSXkEDblUbUW

Score
10/10

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Strela.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\Strela.js" "C:\Users\Admin\AppData\Local\Temp\\fetchfrogs.bat" && "C:\Users\Admin\AppData\Local\Temp\\fetchfrogs.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\system32\findstr.exe
        findstr /V fretfulbored ""C:\Users\Admin\AppData\Local\Temp\\fetchfrogs.bat""
        3⤵
          PID:2640
        • C:\Windows\system32\certutil.exe
          certutil -f -decode bedroomsalty stationstep.dll
          3⤵
            PID:2932
          • C:\Windows\system32\regsvr32.exe
            regsvr32 stationstep.dll
            3⤵
            • Loads dropped DLL
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2792

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\bedroomsalty
        Filesize

        3MB

        MD5

        e8de3c21be4f6092503dba69d977a00c

        SHA1

        5c9a0e5a437f1555e2b636e24ae6c1e26255d8a6

        SHA256

        6fe373e7dd6dd01950f617043c2f96cc0d1e10dcc9051d0db0f5641610098b0b

        SHA512

        3b3ba1be0451e055a7684f346dedcad0f2b61e22f946a671f5aa37aebedd6e411b10eb1636154d4c75cec428db7aaf30f0a24b93a816a46aded837c2eedf52c7

      • C:\Users\Admin\AppData\Local\Temp\fetchfrogs.bat
        Filesize

        3MB

        MD5

        2c87dd2b3fc3d243a06bf947f4c7d7ac

        SHA1

        be2acdaee1128946a1eec5a449f8ed6f21e06759

        SHA256

        506a0f63c640aa0702a286847553b02d9cda218ffb2ff1f38bc017247c49fcba

        SHA512

        ae6daf7009ffdf429975cbeb9b4f539048ec9bad7e6184eeeeb39ee9ff04676f44df63a277515adb99b6a613f28f1f9a65e5390991f7f01b5adfaacfc1dc4b77

      • C:\Users\Admin\AppData\Local\Temp\fetchfrogs.bat
        Filesize

        3MB

        MD5

        2c87dd2b3fc3d243a06bf947f4c7d7ac

        SHA1

        be2acdaee1128946a1eec5a449f8ed6f21e06759

        SHA256

        506a0f63c640aa0702a286847553b02d9cda218ffb2ff1f38bc017247c49fcba

        SHA512

        ae6daf7009ffdf429975cbeb9b4f539048ec9bad7e6184eeeeb39ee9ff04676f44df63a277515adb99b6a613f28f1f9a65e5390991f7f01b5adfaacfc1dc4b77

      • C:\Users\Admin\AppData\Local\Temp\stationstep.dll
        Filesize

        2MB

        MD5

        1ab0f628aa9c218d87af4a836ca48d28

        SHA1

        ba54f3344447217be60bfa62bfe7a610abb89091

        SHA256

        f76a1cf204203e39633989fa428ab9c9b29a93276cc98c3df177d6aef34f0988

        SHA512

        f723735d4cf16bc78596d529a2c951014306ba509da1a46393527f3a30222b718ac19fd93dd6e6274249722609fb784fa10d1cb4ff66e0c68682ab015196d0e7

      • \Users\Admin\AppData\Local\Temp\stationstep.dll
        Filesize

        2MB

        MD5

        1ab0f628aa9c218d87af4a836ca48d28

        SHA1

        ba54f3344447217be60bfa62bfe7a610abb89091

        SHA256

        f76a1cf204203e39633989fa428ab9c9b29a93276cc98c3df177d6aef34f0988

        SHA512

        f723735d4cf16bc78596d529a2c951014306ba509da1a46393527f3a30222b718ac19fd93dd6e6274249722609fb784fa10d1cb4ff66e0c68682ab015196d0e7

      • memory/2792-5648-0x0000000000140000-0x0000000000161000-memory.dmp
        Filesize

        132KB

      • memory/2792-5647-0x000000006D7C0000-0x000000006DA9E000-memory.dmp
        Filesize

        2MB