Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-07-2024 22:51

General

  • Target

    CB_setup.exe

  • Size

    21.4MB

  • MD5

    193642adb57aec509ba3fd698a09efd2

  • SHA1

    d9166b6ac1c069f028188357ff40256d7395868c

  • SHA256

    ae1c457e4968758551c0e99ce62cb87c02b6c134afda6d1d700da3b37a2d7610

  • SHA512

    507c9698f6d9b2def0f60641b5eeef5a13a55f0a492af62abae7345b9b01d3cef490a689ff98fe899b2188cb4d3d74b1a655dccf370f31d01ca7fbca2041bc5e

  • SSDEEP

    393216:Es5Q1AuX1FFetKFOfzJyb2omyUw7RLo4WRsyo1fL79UXPj5MXHQqkJGlF:Es52AuXHQagzJk+yUwBo5oHUXPFkQ3K

Malware Config

Signatures

  • Detects Strela Stealer payload (2 IoCs)
  • Strela stealer

    An info stealer targeting mail credentials, first seen in late 2022.

  • Loads dropped DLL (14 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\CB_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\CB_setup.exe"
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsjD0BF.tmp\Banner.dll

    Filesize

    3KB

    MD5

    4a90d392c9da5f0b90a75baf67c37e4c

    SHA1

    73e875dafefaa16def7f77a428a5c131b7b9837e

    SHA256

    045bd54299e1cf2d9e68f64e233f30c8a2c455d72645d4a4a9ca8874a7c510ac

    SHA512

    82014b8fb94da3d158ef68a2488eb594bcf27d31132b4bbf2f4c441d00ed9d374d78cd013a1af6c59fd03716bf5c429cddf77c43e1e171df24086b70b7b9a13d

  • C:\Users\Admin\AppData\Local\Temp\nsjD0BF.tmp\MyLangDLLS3.dll

    Filesize

    5KB

    MD5

    7050cd061f2ddac010e3382a57d5ede4

    SHA1

    a0a1e5e89fb230dfa3c76ee15b0e51abead32282

    SHA256

    dfca83b19ee2fe36479e9c1ceef2eb45b08851236dcf7a958141b1af03d27a21

    SHA512

    5f8472dd37a1cc1aecad78610b71670989715a15f8911e658ce7da4c4b2d428f866c9e61df30f6660d91dd365b1c055676ef3a3f6ec77d826ef11175a713455e

  • C:\Users\Admin\AppData\Local\Temp\nsjD0BF.tmp\NSIS_SkinCrafter_Plugin.dll

    Filesize

    5.8MB

    MD5

    2e13e03b7cf2d8c8338bbc3d29fd3e07

    SHA1

    173e6e67c5315474765dcd303b3214d5600c48ea

    SHA256

    ea1552de423ed1768bace344d9a07bf529845c75fe6fc6ce3c4ba91d4aae5409

    SHA512

    94220a07aea2f4a45ef6b7566baba5a9ce73e70236bf97fc2489bee50b662f3fd05824d7804dd544eef85d73e69091aaae5de3094f0866bf51521024eb3d168d

  • C:\Users\Admin\AppData\Local\Temp\nsjD0BF.tmp\Plugin.dll

    Filesize

    2.1MB

    MD5

    67ad13de4800015f22cffaa96e1cdd41

    SHA1

    542fb5baeea3f3b7ebdc70061790612ae9bfd0dc

    SHA256

    ea847b3e559321f8825d4339ad503b8082546ad7f9ae1d8373914f2ffaf3e6a2

    SHA512

    c2f776d6b4091dcc241ca25d3d1134f7487f6ffd1e58b6108d3dae655cdb949c3ded8a03a952ec33947c61cb0213fde25b79992ca86327e380f30140a881a79b

  • C:\Users\Admin\AppData\Local\Temp\nsjD0BF.tmp\SkinCrafter.dll

    Filesize

    792KB

    MD5

    8fea8fd177034b52e6a5886fb5e780bd

    SHA1

    99f511388a2420d53b8406baed48ba550842eaad

    SHA256

    546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de

    SHA512

    5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696

  • C:\Users\Admin\AppData\Local\Temp\nsjD0BF.tmp\System.dll

    Filesize

    11KB

    MD5

    959ea64598b9a3e494c00e8fa793be7e

    SHA1

    40f284a3b92c2f04b1038def79579d4b3d066ee0

    SHA256

    03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

    SHA512

    5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

  • C:\Users\Admin\AppData\Local\Temp\nsjD0BF.tmp\UserInfo.dll

    Filesize

    4KB

    MD5

    d16e06c5de8fb8213a0464568ed9852f

    SHA1

    d063690dc0d2c824f714acb5c4bcede3aa193f03

    SHA256

    728472ba312ae8af7f30d758ab473e0772477a68fcd1d2d547dafe6d8800d531

    SHA512

    60502bb65d91a1a895f38bd0f070738152af58ffa4ac80bac3954aa8aad9fda9666e773988cbd00ce4741d2454bf5f2e0474ce8ea18cfe863ec4c36d09d1e27a

  • C:\Users\Admin\AppData\Local\Temp\version_free.ini

    Filesize

    15KB

    MD5

    80bc7fa432a388ae762c0448abfaf3f1

    SHA1

    f268dd816fb9a102b49389420ab7f80b4ac44f8a

    SHA256

    69efb45ca18fe1c109e6a24ff4f8c5e0a17ff8b5e196710046bdd0d4917e25f0

    SHA512

    adcab8a19d205919aa13a226b45d8e64e0964bff9a7925730f66c37437411cc6573298574b27d4330224987fc23d74b2a000845e370a28d15fe920f8b6304bd4

  • C:\Windows\SysWOW64\mfc71.dll

    Filesize

    1.0MB

    MD5

    1fd3f9722119bdf7b8cff0ecd1e84ea6

    SHA1

    9a4faa258b375e173feaca91a8bd920baf1091eb

    SHA256

    385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823

    SHA512

    109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6

  • C:\Windows\SysWOW64\msvcr71.dll

    Filesize

    340KB

    MD5

    ca2f560921b7b8be1cf555a5a18d54c3

    SHA1

    432dbcf54b6f1142058b413a9d52668a2bde011d

    SHA256

    c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

    SHA512

    23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

  • memory/852-47-0x0000000005B40000-0x000000000610D000-memory.dmp

    Filesize

    5.8MB

  • memory/852-57-0x0000000006110000-0x00000000061DC000-memory.dmp

    Filesize

    816KB
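The "Downloads" listing above is the part of this report an analyst actually reuses: the dropped-file paths and their hashes are the IoCs to check a suspect host or a second sample against. The following is an added example, not part of the sandbox report or of any tool it came from. It parses the flattened label/value layout used on this page into records, recomputes MD5/SHA1/SHA256/SHA512 for a byte string and matches it against those records, and flags drops into C:\Windows\System32 or C:\Windows\SysWOW64 (the behaviour behind the "Drops file in System32 directory" signature). SAMPLE_REPORT is a constructed excerpt whose two entries (System.dll and mfc71.dll) are copied from the listing above; the SYSTEM_DIRS list, the function names and the record layout are my own assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample: two entries copied from the report's "Downloads" section,
# in the page's flattened layout (bullet with path, then label line / value line).
SAMPLE_REPORT = r"""
  • C:\Users\Admin\AppData\Local\Temp\nsjD0BF.tmp\System.dll

    Filesize

    11KB

    MD5

    959ea64598b9a3e494c00e8fa793be7e

    SHA1

    40f284a3b92c2f04b1038def79579d4b3d066ee0

    SHA256

    03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

  • C:\Windows\SysWOW64\mfc71.dll

    Filesize

    1.0MB

    MD5

    1fd3f9722119bdf7b8cff0ecd1e84ea6

    SHA1

    9a4faa258b375e173feaca91a8bd920baf1091eb

    SHA256

    385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823
"""

# Expected hex-digest lengths; also the hashlib algorithm names.
HASH_LABELS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Assumed set of "system directory" prefixes to flag (lower-cased for comparison).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class DroppedFile:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)


def parse_report(text):
    """Turn the flattened Downloads listing into DroppedFile records."""
    records, pending = [], None
    for raw in text.splitlines():
        ln = raw.strip()
        if not ln:
            continue
        if ln.startswith("•"):
            records.append(DroppedFile(path=ln[1:].strip()))
            pending = None
        elif ln == "Filesize" or ln.lower() in HASH_LABELS:
            pending = ln.lower()          # label line: value follows
        elif pending and records:
            rec = records[-1]
            if pending == "filesize":
                rec.size = ln
            else:
                value = ln.lower()
                ok = len(value) == HASH_LABELS[pending] and all(c in "0123456789abcdef" for c in value)
                if not ok:
                    raise ValueError(f"malformed {pending} for {rec.path}: {ln}")
                rec.hashes[pending] = value
            pending = None
    return records


def hashes_of(data):
    """Compute every digest the report lists, as lower-case hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HASH_LABELS}


def match_ioc(data, records):
    """Return the record whose every listed hash matches `data`, else None."""
    got = hashes_of(data)
    for rec in records:
        if rec.hashes and all(got[alg] == h for alg, h in rec.hashes.items()):
            return rec
    return None


def dropped_into_system_dir(rec):
    """True when the drop path is under one of the assumed system directories."""
    return rec.path.lower().startswith(SYSTEM_DIRS)


if __name__ == "__main__":
    for rec in parse_report(SAMPLE_REPORT):
        flag = "  <-- system directory drop" if dropped_into_system_dir(rec) else ""
        print(f"{rec.size:>6}  {rec.hashes['sha256']}  {rec.path}{flag}")
```

Matching on every listed digest rather than MD5 alone avoids trusting a single weak hash; a file from a suspect host that matches only MD5 should be treated as unverified, not as a confirmed IoC hit.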