strela | 0dc793ea91ef452d4876409d24bb4b162528c2297052482b489f98a017834537

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

287212633216314.js
Size

354KB
MD5

cd856039e0eadf0f5dfdcd036cb3edc9
SHA1

b0692de01ae5e2b4a0df6e41a5ba8e129fbd08bd
SHA256

805906250cc6d183deca8995103f8fc0848c5e25b4d67d72461af0e67ebb9c16
SHA512

a3c45d99c8b1ca02b475b6c2412e6db7e9eabc439228be8a822049708588971f349e504eeb15cac3b637832ee8ec7c6ae36cd84cfa185c82fcbf1b08a8256fcc
SSDEEP

6144:Gdk9VWlGxMJNlP6QDJxv6HXYUKEZ1O59CNXAfAQmKybf7tmgD:WuWIMJX6QH6HX1KEZ1xK65mgD

Score

10^/10

strela stealer

Malware Config

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2272 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2272	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

wscript.execmd.execmd.exe

description	pid	process	target process
PID 3204 wrote to memory of 2484	3204	wscript.exe	cmd.exe
PID 3204 wrote to memory of 2484	3204	wscript.exe	cmd.exe
PID 2484 wrote to memory of 1836	2484	cmd.exe	findstr.exe
PID 2484 wrote to memory of 1836	2484	cmd.exe	findstr.exe
PID 2484 wrote to memory of 4900	2484	cmd.exe	certutil.exe
PID 2484 wrote to memory of 4900	2484	cmd.exe	certutil.exe
PID 2484 wrote to memory of 2632	2484	cmd.exe	cmd.exe
PID 2484 wrote to memory of 2632	2484	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2272	2632	cmd.exe	rundll32.exe
PID 2632 wrote to memory of 2272	2632	cmd.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\287212633216314.js" "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat" && "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\system32\findstr.exe
findstr /V outrageousdepressed ""C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat""
3⤵
PID:1836

C:\Windows\system32\certutil.exe
certutil -f -decode zephyrhome tickettoys.dll
3⤵
PID:4900

C:\Windows\system32\cmd.exe
cmd /c rundll32 tickettoys.dll,m
3⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\rundll32.exe
rundll32 tickettoys.dll,m
4⤵
- Loads dropped DLL
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\obtainfaint.bat

Filesize
354KB

MD5
cd856039e0eadf0f5dfdcd036cb3edc9

SHA1
b0692de01ae5e2b4a0df6e41a5ba8e129fbd08bd

SHA256
805906250cc6d183deca8995103f8fc0848c5e25b4d67d72461af0e67ebb9c16

SHA512
a3c45d99c8b1ca02b475b6c2412e6db7e9eabc439228be8a822049708588971f349e504eeb15cac3b637832ee8ec7c6ae36cd84cfa185c82fcbf1b08a8256fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tickettoys.dll

Filesize
257KB

MD5
4cc26a2da2049ff4509091cdbf004c5e

SHA1
0bba8d2338b7db224047760a27c57afa02748f05

SHA256
3ad13a452ab86fb5eccbf0bf71f33700369fdd5114c3a8d13c52e722a1586312

SHA512
cabc55978155dfddc6e6f2bbfe712b66998c3858dc52680c9e99f5a8040c001e52d76093e77636f6b03ba63f4798a04dc12c9f8438a5bfe97ccd90ccd2da02de

Download Submit
C:\Users\Admin\AppData\Local\Temp\zephyrhome

Filesize
284KB

MD5
45bb4703b30d265f474073b79d575f7b

SHA1
e1e96b924e135ab196a858705d7d0d7faeb79089

SHA256
f23ad20f62511db7458b14aa5e26cdd310b9274a297f1cb87772ff5798fc061c

SHA512
92b519f6a9281aa082d178ac4811988955ddb317684b6becc8bb73b57e129dff977803646d9917a83c5b07114080213d5297529bbe6dc99fa03d3efc19b3cfda

Download Submit
memory/2272-713-0x00000248580F0000-0x0000024858113000-memory.dmp

Filesize
140KB

Download
memory/2272-712-0x00007FFCFCD00000-0x00007FFCFCD48000-memory.dmp

Filesize
288KB

Download
memory/2272-714-0x00000248580F0000-0x0000024858113000-memory.dmp

Filesize
140KB

Download