Analysis

  • max time kernel: 117s
  • max time network: 121s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 24-07-2024 09:36

General

  • Target: 6ee09985aad01926c5ec335e48c36950N.exe
  • Size: 1.9MB
  • MD5: 6ee09985aad01926c5ec335e48c36950
  • SHA1: e21abc81cb0516782168eda2bc1706f7bf1a3614
  • SHA256: 49a7d26eb8022c5edc59707b013f38d41ba8838f987e676f6385c3d46c7ab998
  • SHA512: dafa5a6b7a4408f2e3d9b920ce4e03e45638ca767cb9dd585d7417bb6ce11b092287f08c7b97e9f8c9d2af7cdb6585dcb3c2bec36afdc22c460a5f0299e36a1a
  • SSDEEP: 49152:Q8t9VWdeTu1rsEJHCPwVmb8AKe3kAIugoiau0zZEjafp:Q8qeTUsRP+AKSZzJR

Malware Config

Signatures

  • Detects Strela Stealer payload 1 IoCs
  • Strela stealer

    An info stealer targeting mail credentials first seen in late 2022.

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 30 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe
    "C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
      "C:\Program Files (x86)\Common Files\supportdotcom\rang/driverinst64.exe" /Install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1580
    • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
      "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /setup
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2124
    • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
      "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /regserver /start
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:3104
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3776
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a9681305-690b-8645-8931-02c9e7b027a5}\ssmirrdr.inf" "9" "47bd61347" "00000000000000E8" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\common files\supportdotcom\rang"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:4396
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\SSMIRR_DRIVER\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:10ef38c379e44436:ssmirrdr:2.0.0.0:ssmirr_driver," "47bd61347" "00000000000000E8"
      2⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1068
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:3632
  • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
    "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" -service "-provider" "supportdotcom"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
      "ssrangui.exe" -start -ec 1 2764248246 -agentFriendlyName 'ATS Agent'
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      PID:4448
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:5164

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
    Filesize: 16KB
    MD5: 38377a28f213b6bb042e60e4b457f516
    SHA1: 0499b92faa65cd1d00640715c998d2500ff4eebc
    SHA256: ca67f164a2ee8be79fb156ac3cdbc154ea8a761bf49e88197c4c07a3a325a2a9
    SHA512: e522e4a4157849612017af61b8e6db94c67503872a76fdfa1e342908f9292f296e7e462b8bf02155028e10e1860288bc5acb5490fa7b3136b19d6b8b68fe3319

  • C:\Program Files (x86)\supportdotcom\rang\ca-bundle.crt
    Filesize: 251KB
    MD5: 478f2561ec0658265a01993e00ee89f2
    SHA1: 3845dc7fd32fb08600ebd5902bc1bd7e7bfa63a1
    SHA256: d42fa29fd8a06ea428d041a26d4e6831bbf8538f83032e922287832c39b06b86
    SHA512: 82636f4317d561a38134f919d6197abbeea56c2a2c750350148b54fb5b864babd8711876d6e322ffdd12489305ca96b9d209335998b922d2c9e4f198ae84f470

  • C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.45].log
    Filesize: 648B
    MD5: 3d44744f7dda4a094b90cff3440b459b
    SHA1: aa82d2021cf8dd5c209d8b6b230bfd1e85d16682
    SHA256: 5f8ae2ce6ea6355614c263ea5ff63a797a3201decddd39671c67e51057f618ea
    SHA512: 74ac16a4fbb3f45f8fe55c7abd0fb0ac1af0b33cbe29052ae5ae55ca0c9a8c6e2a6cd8d2940076ca71458660bf3722cc422b5b1324b19a08fe1c1f07e77f9f66

  • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
    Filesize: 2.2MB
    MD5: 8e1f07c8ec91b5c63eccd0c6cb00a027
    SHA1: 89afb7d39ed1935f25f8c43b60ab2fdcba58447f
    SHA256: d82c089a395db0691c1c845b68c1b1743de8985feb47ec5e03f0db80a5c1b195
    SHA512: 138f90453e58a34f53cbd7d1700fbc9377c4d67f55119df5198d5575a1ab07e2d00e51562c14d9f8f8120169f2d977948a06cb600ba16c5d53e141b76e39f497

  • C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
    Filesize: 1.7MB
    MD5: 69d7734b204b81b646d0f8576e7dc8d6
    SHA1: a37786dcab45c963d44a135db52b21177847508b
    SHA256: 24316fd026bcf76caa990e27e3dfd38126fa5b71763fa576ccab43cba6eafb2e
    SHA512: 0d93c3b9f664c36af3568484352aa09925cf04f9ccdf07bf7a1c7dbd791cbb98b8c18043c8220fce0c9b3defab90586a86d2cddf225980518a3b9e854026c79d

  • C:\Users\Admin\AppData\Local\Temp\nsdA818.tmp\System.dll
    Filesize: 11KB
    MD5: c17103ae9072a06da581dec998343fc1
    SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
    SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
    SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • \??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.dll
    Filesize: 31KB
    MD5: 28b26600204f79045eda8f7fd8ca3c86
    SHA1: b9f19e36b80eb862370d99b466664380440af6d5
    SHA256: 5140f07b878efd1b74ee9f5821a207d1cee65952702ff75c49a4522face230c6
    SHA512: aebd4425b846883e1f49da18edf3b7c96a9fb9ddb7ce709938b21eae169bdaeb5ce6bf8593638b5c887b26de7476b793a4691a7d56e46796bb658f1e516ad3c1

  • \??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.sys
    Filesize: 9KB
    MD5: 1100066057fbf612b573efd3b21383f1
    SHA1: f95db83ea936f1fe70583a4eca810da807167dfe
    SHA256: 894f5a999e03807dffea67938d2e456d50d9e5511fe91d2e2293c51d98b3d87d
    SHA512: 62850de88b00daeab3299fec2bbd9aa0b07f766b96f42392310cb4f23c9e50f0aa8bc87f82e28cd99c195ea205a26c083d048cbac3341861dcee4a5eabb9dea8

  • \??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr-nt_amd64.cat
    Filesize: 8KB
    MD5: 31f007d8f2de5e945dc2e2234628bc37
    SHA1: 76fb2cd66c869bae25589298a971b458bd06c18e
    SHA256: a179d2176962ff702eb57417f931deb3e8c9f2cfb61311d767b243e111b83973
    SHA512: 170e8ac2cb4decb9fe07f8811c58155c377fc20af3748bcc33cdb203a2780c749f0cc721ba293874ecab1e0423682679ff7a1bccc26caa185af279796112dc18

  • \??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr.inf
    Filesize: 2KB
    MD5: 6c4423d9cb9921a25de76b2d9f390f74
    SHA1: 5abdfd7b7d0e454a6ac117c90077b3379e48d666
    SHA256: 3cb8307e59f4483ec329cd2b92690a877eb4b3a0c3633c9e012a4f8aac249c82
    SHA512: 9f28e9a824e0983e180bcefdd347ee145c406e920f660622e34bedf5c3b7e7cd083c3f60528f135e341621248a53ad16cca5ebbb6c8b66af166304ab8b94628c