strela | 0dc793ea91ef452d4876409d24bb4b162528c2297052482b489f98a017834537

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-01-2024 03:05

Target

287212633216314.js
Size

354KB
MD5

cd856039e0eadf0f5dfdcd036cb3edc9
SHA1

b0692de01ae5e2b4a0df6e41a5ba8e129fbd08bd
SHA256

805906250cc6d183deca8995103f8fc0848c5e25b4d67d72461af0e67ebb9c16
SHA512

a3c45d99c8b1ca02b475b6c2412e6db7e9eabc439228be8a822049708588971f349e504eeb15cac3b637832ee8ec7c6ae36cd84cfa185c82fcbf1b08a8256fcc
SSDEEP

6144:Gdk9VWlGxMJNlP6QDJxv6HXYUKEZ1O59CNXAfAQmKybf7tmgD:WuWIMJX6QH6HX1KEZ1xK65mgD

Score

10^/10

strela stealer

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

692 rundll32.exe
692 rundll32.exe
692 rundll32.exe
692 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

wscript.execmd.execmd.exe

description	pid	process	target process
PID 3048 wrote to memory of 2236	3048	wscript.exe	cmd.exe
PID 3048 wrote to memory of 2236	3048	wscript.exe	cmd.exe
PID 3048 wrote to memory of 2236	3048	wscript.exe	cmd.exe
PID 2236 wrote to memory of 904	2236	cmd.exe	findstr.exe
PID 2236 wrote to memory of 904	2236	cmd.exe	findstr.exe
PID 2236 wrote to memory of 904	2236	cmd.exe	findstr.exe
PID 2236 wrote to memory of 2300	2236	cmd.exe	certutil.exe
PID 2236 wrote to memory of 2300	2236	cmd.exe	certutil.exe
PID 2236 wrote to memory of 2300	2236	cmd.exe	certutil.exe
PID 2236 wrote to memory of 2220	2236	cmd.exe	cmd.exe
PID 2236 wrote to memory of 2220	2236	cmd.exe	cmd.exe
PID 2236 wrote to memory of 2220	2236	cmd.exe	cmd.exe
PID 2220 wrote to memory of 692	2220	cmd.exe	rundll32.exe
PID 2220 wrote to memory of 692	2220	cmd.exe	rundll32.exe
PID 2220 wrote to memory of 692	2220	cmd.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js
1⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\287212633216314.js" "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat" && "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\findstr.exe
findstr /V outrageousdepressed ""C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat""
3⤵
PID:904

C:\Windows\system32\certutil.exe
certutil -f -decode zephyrhome tickettoys.dll
3⤵
PID:2300

C:\Windows\system32\cmd.exe
cmd /c rundll32 tickettoys.dll,m
3⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\rundll32.exe
rundll32 tickettoys.dll,m
4⤵
- Loads dropped DLL
PID:692

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\obtainfaint.bat

Filesize
354KB

MD5
cd856039e0eadf0f5dfdcd036cb3edc9

SHA1
b0692de01ae5e2b4a0df6e41a5ba8e129fbd08bd

SHA256
805906250cc6d183deca8995103f8fc0848c5e25b4d67d72461af0e67ebb9c16

SHA512
a3c45d99c8b1ca02b475b6c2412e6db7e9eabc439228be8a822049708588971f349e504eeb15cac3b637832ee8ec7c6ae36cd84cfa185c82fcbf1b08a8256fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tickettoys.dll

Filesize
257KB

MD5
4cc26a2da2049ff4509091cdbf004c5e

SHA1
0bba8d2338b7db224047760a27c57afa02748f05

SHA256
3ad13a452ab86fb5eccbf0bf71f33700369fdd5114c3a8d13c52e722a1586312

SHA512
cabc55978155dfddc6e6f2bbfe712b66998c3858dc52680c9e99f5a8040c001e52d76093e77636f6b03ba63f4798a04dc12c9f8438a5bfe97ccd90ccd2da02de

Download Submit
C:\Users\Admin\AppData\Local\Temp\zephyrhome

Filesize
344KB

MD5
ec27c9d32b638666b649301419776e16

SHA1
1480c2bbd1de5aeed98401dca0378917461b9cfb

SHA256
a3df024a2c70213924c7e13f2f891d5fbfe6d1d46057076cd53bef17cb78ad21

SHA512
b360f85b7b6e0795afe1f7ca69dd0a0172199ba80b332af00d5110be2bd584b3cb08df0dbba384b32f15ef98a67ed4f045dd3b372717ab142890a8c7ed893efa

Download Submit
memory/692-715-0x000007FEF7800000-0x000007FEF7848000-memory.dmp

Filesize
288KB

Download
memory/692-716-0x0000000000100000-0x0000000000123000-memory.dmp

Filesize
140KB

Download
memory/692-717-0x0000000000100000-0x0000000000123000-memory.dmp

Filesize
140KB

Download