Analysis
-
max time kernel
119s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system -
submitted
05-09-2023 12:59
Static task
static1
Behavioral task
behavioral1
Sample
Strela.js
Resource
win7-20230831-en
General
-
Target
Strela.js
-
Size
3.9MB
-
MD5
2c87dd2b3fc3d243a06bf947f4c7d7ac
-
SHA1
be2acdaee1128946a1eec5a449f8ed6f21e06759
-
SHA256
506a0f63c640aa0702a286847553b02d9cda218ffb2ff1f38bc017247c49fcba
-
SHA512
ae6daf7009ffdf429975cbeb9b4f539048ec9bad7e6184eeeeb39ee9ff04676f44df63a277515adb99b6a613f28f1f9a65e5390991f7f01b5adfaacfc1dc4b77
-
SSDEEP
24576:miLxXraB4Ze8MYp39KlgOS+j2SrM+2RpgGsIh0GYDDRV2GbnFEcmNIMHTXkE/71K:TLJne0zSzd2aU4Gl0lSXkEDblUbUW
Malware Config
Extracted
strela
193.109.85.77
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exe (pid 2792, process regsvr32.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
regsvr32.exe (pid 2792, process regsvr32.exe)
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
wscript.exe, cmd.exe
description                         pid   process      target process
PID 2132 wrote to memory of 1452    2132  wscript.exe  cmd.exe
PID 2132 wrote to memory of 1452    2132  wscript.exe  cmd.exe
PID 2132 wrote to memory of 1452    2132  wscript.exe  cmd.exe
PID 1452 wrote to memory of 2640    1452  cmd.exe      findstr.exe
PID 1452 wrote to memory of 2640    1452  cmd.exe      findstr.exe
PID 1452 wrote to memory of 2640    1452  cmd.exe      findstr.exe
PID 1452 wrote to memory of 2932    1452  cmd.exe      certutil.exe
PID 1452 wrote to memory of 2932    1452  cmd.exe      certutil.exe
PID 1452 wrote to memory of 2932    1452  cmd.exe      certutil.exe
PID 1452 wrote to memory of 2792    1452  cmd.exe      regsvr32.exe
PID 1452 wrote to memory of 2792    1452  cmd.exe      regsvr32.exe
PID 1452 wrote to memory of 2792    1452  cmd.exe      regsvr32.exe
PID 1452 wrote to memory of 2792    1452  cmd.exe      regsvr32.exe
PID 1452 wrote to memory of 2792    1452  cmd.exe      regsvr32.exe
Processes
-
C:\Windows\system32\wscript.exe (tree level 1)
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Strela.js
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe (tree level 2)
Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\Strela.js" "C:\Users\Admin\AppData\Local\Temp\\fetchfrogs.bat" && "C:\Users\Admin\AppData\Local\Temp\\fetchfrogs.bat"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\findstr.exe (tree level 3)
Command line: findstr /V fretfulbored ""C:\Users\Admin\AppData\Local\Temp\\fetchfrogs.bat""
-
C:\Windows\system32\certutil.exe (tree level 3)
Command line: certutil -f -decode bedroomsalty stationstep.dll
-
C:\Windows\system32\regsvr32.exe (tree level 3)
Command line: regsvr32 stationstep.dll
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bedroomsalty
Filesize 3.8MB
MD5 e8de3c21be4f6092503dba69d977a00c
SHA1 5c9a0e5a437f1555e2b636e24ae6c1e26255d8a6
SHA256 6fe373e7dd6dd01950f617043c2f96cc0d1e10dcc9051d0db0f5641610098b0b
SHA512 3b3ba1be0451e055a7684f346dedcad0f2b61e22f946a671f5aa37aebedd6e411b10eb1636154d4c75cec428db7aaf30f0a24b93a816a46aded837c2eedf52c7
-
C:\Users\Admin\AppData\Local\Temp\fetchfrogs.bat
Filesize 3.9MB
MD5 2c87dd2b3fc3d243a06bf947f4c7d7ac
SHA1 be2acdaee1128946a1eec5a449f8ed6f21e06759
SHA256 506a0f63c640aa0702a286847553b02d9cda218ffb2ff1f38bc017247c49fcba
SHA512 ae6daf7009ffdf429975cbeb9b4f539048ec9bad7e6184eeeeb39ee9ff04676f44df63a277515adb99b6a613f28f1f9a65e5390991f7f01b5adfaacfc1dc4b77
-
C:\Users\Admin\AppData\Local\Temp\stationstep.dll
Filesize 2.8MB
MD5 1ab0f628aa9c218d87af4a836ca48d28
SHA1 ba54f3344447217be60bfa62bfe7a610abb89091
SHA256 f76a1cf204203e39633989fa428ab9c9b29a93276cc98c3df177d6aef34f0988
SHA512 f723735d4cf16bc78596d529a2c951014306ba509da1a46393527f3a30222b718ac19fd93dd6e6274249722609fb784fa10d1cb4ff66e0c68682ab015196d0e7
-
\Users\Admin\AppData\Local\Temp\stationstep.dll
Filesize 2.8MB
MD5 1ab0f628aa9c218d87af4a836ca48d28
SHA1 ba54f3344447217be60bfa62bfe7a610abb89091
SHA256 f76a1cf204203e39633989fa428ab9c9b29a93276cc98c3df177d6aef34f0988
SHA512 f723735d4cf16bc78596d529a2c951014306ba509da1a46393527f3a30222b718ac19fd93dd6e6274249722609fb784fa10d1cb4ff66e0c68682ab015196d0e7
-
memory/2792-5648-0x0000000000140000-0x0000000000161000-memory.dmp
Filesize 132KB
-
memory/2792-5647-0x000000006D7C0000-0x000000006DA9E000-memory.dmp
Filesize 2.9MB