Analysis
-
max time kernel
11s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
03-08-2024 16:19
Static task
static1
Behavioral task
behavioral1
Sample
26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$TEMP.dll
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
$TEMP.dll
Resource
win10v2004-20240802-en
General
-
Target
26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe
-
Size
39.8MB
-
MD5
e872bca75b21b9fd7ea0ccd762d399d9
-
SHA1
aac2a9bf68f87fc237ac121085328071e108ed2a
-
SHA256
26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af
-
SHA512
3bc06f126d92bbd6e8f8f19a90632ba9e0b3232a62ec94db021ffa987efe48c63df671ad47805e43f5878916a1f7ec8ede5808d38cb641737ebcbad1c62535ef
-
SSDEEP
786432:2aiqD9o7TuCV0GvGEpjWWHAxsD8TgdyCCD06KsEKjwUzAqhyNjg797+zr2sZW:2ko7J5eoE4WqTm0ABwY7hy9gp7+X2sk
Malware Config
Signatures
-
Detects Strela Stealer payload 1 IoCs
resource yara_rule
behavioral1/files/0x0008000000018f94-17.dat family_strela
-
Loads dropped DLL 13 IoCs
pid Process
2452 26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe (13 load events, all from this one process)
-
Drops file in System32 directory 3 IoCs
description ioc Process
File created C:\Windows\SysWOW64\gdiplus.dll 26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe
File created C:\Windows\SysWOW64\msvcr71.dll 26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe
File created C:\Windows\SysWOW64\mfc71.dll 26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe
-
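The three behavioural signatures above (the runtime-DLL drops into SysWOW64, the NLS\Language key open, and the CentralProcessor\0 key open plus ~MHz value query) are the kind of host telemetry a detection engineer would replay against endpoint logs. The script below is an added example, not part of this report or of the sandbox's own rule set. It reconstructs the report's IoC rows as constructed events (operation names borrowed from Process Monitor's RegOpenKey/RegQueryValue/CreateFile vocabulary, because Sysmon does not record registry opens or value queries) and adds two benign control events, then evaluates each event against three rules that mirror the signatures. The rule names, the event field names and the control events are assumptions made for the example.

```python
"""Replay the registry and file IoCs from a sandbox report against endpoint-style events."""
import re
from collections import defaultdict

SAMPLE = "26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe"
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE

# Constructed events modelled on the report's description/ioc/Process rows.
# Field names (pid, image, op, path) are an assumption for this example.
EVENTS = [
    {"pid": 2452, "image": SAMPLE_IMAGE, "op": "CreateFile",
     "path": r"C:\Windows\SysWOW64\gdiplus.dll"},
    {"pid": 2452, "image": SAMPLE_IMAGE, "op": "CreateFile",
     "path": r"C:\Windows\SysWOW64\msvcr71.dll"},
    {"pid": 2452, "image": SAMPLE_IMAGE, "op": "CreateFile",
     "path": r"C:\Windows\SysWOW64\mfc71.dll"},
    {"pid": 2452, "image": SAMPLE_IMAGE, "op": "RegOpenKey",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 2452, "image": SAMPLE_IMAGE, "op": "RegOpenKey",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
    {"pid": 2452, "image": SAMPLE_IMAGE, "op": "RegQueryValue",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    # Constructed control events: a Windows component writing under System32 (expected,
    # must not fire) and the sample writing to its own temp directory (not a system dir).
    {"pid": 904, "image": r"C:\Windows\System32\svchost.exe", "op": "CreateFile",
     "path": r"C:\Windows\System32\catroot2\edb.log"},
    {"pid": 2452, "image": SAMPLE_IMAGE, "op": "CreateFile",
     "path": r"C:\Users\Admin\AppData\Local\Temp\stage.tmp"},
]

# Rule data. Paths are compared case-insensitively after normalisation.
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
RUNTIME_DLLS = {"gdiplus.dll", "msvcr71.dll", "mfc71.dll"}  # the DLLs the report saw dropped
LANG_KEY = re.compile(
    r"^\\registry\\machine\\system\\(controlset\d{3}|currentcontrolset)\\control\\nls\\language$")
CPU_KEY = re.compile(
    r"^\\registry\\machine\\hardware\\description\\system\\centralprocessor\\\d+(\\~mhz)?$")
HIVE_ALIASES = {"hklm\\": "\\registry\\machine\\", "hkey_local_machine\\": "\\registry\\machine\\"}


def norm_reg(path):
    """Lower-case a registry path and rewrite HKLM-style prefixes to the native \\REGISTRY form."""
    p = path.lower()
    for alias, native in HIVE_ALIASES.items():
        if p.startswith(alias):
            return native + p[len(alias):]
    return p


def classify(ev):
    """Return the signature name an event trips, or None."""
    op, path, image = ev["op"], ev["path"], ev["image"]
    if op == "CreateFile":
        lp = path.lower()
        # Only non-Windows images writing into a system directory are interesting.
        if lp.startswith(SYSTEM_DIRS) and not image.lower().startswith("c:\\windows\\"):
            name = lp.rsplit("\\", 1)[-1]
            return "drops_runtime_dll_in_system32" if name in RUNTIME_DLLS else "drops_file_in_system32"
    elif op in ("RegOpenKey", "RegQueryValue"):
        rp = norm_reg(path)
        if LANG_KEY.match(rp):
            return "system_language_discovery"
        if CPU_KEY.match(rp):
            return "checks_processor_information"
    return None


def evaluate(events):
    """Group hits per process: {pid: {"image": ..., "hits": {signature: [ioc, ...]}}}."""
    out = defaultdict(lambda: {"image": None, "hits": defaultdict(list)})
    for ev in events:
        sig = classify(ev)
        if sig:
            entry = out[ev["pid"]]
            entry["image"] = ev["image"]
            entry["hits"][sig].append(ev["path"])
    return {pid: {"image": e["image"], "hits": dict(e["hits"])} for pid, e in out.items()}


if __name__ == "__main__":
    for pid, entry in evaluate(EVENTS).items():
        print(f"PID {pid}  {entry['image']}")
        for sig, iocs in entry["hits"].items():
            print(f"  {sig} ({len(iocs)} IoCs)")
            for ioc in iocs:
                print(f"    {ioc}")
```

Run stand-alone it reproduces the report's three signature hits for PID 2452 and nothing for the svchost.exe control, because a Windows image writing under System32 is normal and the rule keys on the writer's location, not only on the target path. The separate "runtime DLL" label is worth keeping: a user-profile executable that plants msvcr71.dll, mfc71.dll or gdiplus.dll into SysWOW64 is planting its own copies of libraries the loader will resolve from that directory, which is a stronger signal than an arbitrary file drop.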
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process
2452 26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe (5 events, all from this one process)
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
2452 26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe (4 events, all from this one process)
Processes
-
C:\Users\Admin\AppData\Local\Temp\26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe
"C:\Users\Admin\AppData\Local\Temp\26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af.exe"
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2452
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
56KB
MD5 dcf8677120ea4333339c9b1ae37a0f55
SHA1 f52d1fb8fc99c60dfc5f876d310e804da4ec3d1a
SHA256 6eab0471453c9848f8a15a10f0610b7026a1d2c583d5e852e341f18f580ebfb8
SHA512 4f7272dc0916456871fedde32fb675b1c0fd2f144df604e154eed3ff3fb7031a361c11a22713e8931efbdba0ed03305d6ee12d74abd83b3445ef1515ed8ddba4
-
Filesize
1KB
MD5 872ac22f6b5301d525c1040e3cd93c41
SHA1 73413335b0bfd7c1a9b43dc2400f0042a8bc7a2b
SHA256 b69b9fb9c9e6a221b4c575a46d420106abdbfa36bc9c1efcfcd30567289ccff8
SHA512 d854fe0ec639cbcb0be718546fa4be097c39f252708aea7759a84fecdc391017e4ce43faf05bae6d9c12159142fabd486521bae3f13af79c30e9fa193d46290c
-
Filesize
120KB
MD5 f2f4b4f2985a1a6a45fd370c604f76bc
SHA1 b9c75014d8d1119886de917f9ba68e3638f6e21c
SHA256 fe5e20bfb1071901e3adfa90f6c0fae4e4428e5ec85ed5a69f78f7567cc16157
SHA512 5fd4fe56818da4e1a39ed09196264f403048ecf4bd981f27e97ef3a66dc014655097c5b8e3dbb1460dfedcf90f8945ecf07d9a57d5cb4e4662daf05e3dc07a9d
-
Filesize
42KB
MD5 beca78fa9b105c60b39f3cb567e6f5d0
SHA1 2e31bc180c59adc802bf218eb776db56846aaa43
SHA256 d4f922feb8257e85c0476ce7a1b0b0abfd9fc9f30406c789b30f17ddac745260
SHA512 434cbd3cc6441a330f26b70e22062f5057e27aead828ec8aca45b5b40d9ab4184d67480db3c8b9c93ef47e51a5f05d0445cf768106a92cbad50daeb78be02f38
-
Filesize
5.8MB
MD5 bad139a2d8491896ce10ee8e4e55a921
SHA1 4346289950aa9b547d96553ced684b6a05af0234
SHA256 363e9c63b62d61ff3dd5f3cb1de5d9c2320c95787ae0a30035c19f01adebb0c3
SHA512 7ba1908909237986c573244743f4632dde72da9f708c151879102633f7bd7cffbaf1f79b3bb3797952304248aae9dd984f6a07a9dbf6433cc5b2d7f72ee80e15
-
Filesize
792KB
MD5 8fea8fd177034b52e6a5886fb5e780bd
SHA1 99f511388a2420d53b8406baed48ba550842eaad
SHA256 546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de
SHA512 5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696
-
Filesize
3KB
MD5 52dc0884fadcf8906b614a82ea2abcc5
SHA1 0204f10246b4769363f91701e81e289a541b0716
SHA256 2e0500a0cd75c23019b10f8c920c50a1ba49cc1bb43086d2a289051d805e600d
SHA512 0f97c67a13a08c404cfa3c87cc04dfa85ab3fc3137371136db998171b50b0653956262c5b764b6925764d7e544de9293e16ed365b4cd06b6d55cfdd37f968ba9
-
Filesize
5KB
MD5 db40175690a780def9e6c6327654be11
SHA1 703c074a625fad245300fb97657f640e91ce36d6
SHA256 08a4ab71158afdaea82ae1f5670ae87b0b03facd606db26d4861c178b630cec2
SHA512 17012e166365a48a7dcc92aa9f4d67e6fafa347eb637f434d99a4f0f62fd6a438eb21e98aff18f04cc56e3d91e97022a2bf4ef35278d9d15146dbeab6d3c5c7a
-
Filesize
231KB
MD5 0a4fa7a9ba969a805eb0603c7cfe3378
SHA1 0f018a8d5b42c6ce8bf34b4a6422861c327af88c
SHA256 27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c
SHA512 e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178
-
Filesize
1.0MB
MD5 1fd3f9722119bdf7b8cff0ecd1e84ea6
SHA1 9a4faa258b375e173feaca91a8bd920baf1091eb
SHA256 385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823
SHA512 109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6
-
Filesize
340KB
MD5 ca2f560921b7b8be1cf555a5a18d54c3
SHA1 432dbcf54b6f1142058b413a9d52668a2bde011d
SHA256 c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
SHA512 23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e