strela | 26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af

Analysis

max time kernel
11s
max time network
22s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
03/08/2024, 17:43 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iplasetup.exe
Size

39.8MB
MD5

e872bca75b21b9fd7ea0ccd762d399d9
SHA1

aac2a9bf68f87fc237ac121085328071e108ed2a
SHA256

26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af
SHA512

3bc06f126d92bbd6e8f8f19a90632ba9e0b3232a62ec94db021ffa987efe48c63df671ad47805e43f5878916a1f7ec8ede5808d38cb641737ebcbad1c62535ef
SSDEEP

786432:2aiqD9o7TuCV0GvGEpjWWHAxsD8TgdyCCD06KsEKjwUzAqhyNjg797+zr2sZW:2ko7J5eoE4WqTm0ABwY7hy9gp7+X2sk

Score

10^/10

strela discovery stealer

Malware Config

Signatures

Detects Strela Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001aab7-16.dat	family_strela

Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Executes dropped EXE 1 IoCs

pid	Process
528	enumsplitters.exe

Loads dropped DLL 23 IoCs

pid	Process
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcr71.dll	iplasetup.exe
File created	C:\Windows\SysWOW64\mfc71.dll	iplasetup.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ipla\images\icons\3gp.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\custom.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\m4v.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\mkv.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\mov.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\mpe.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\rmvb.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\avi.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\m2v.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\ogm.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\rm.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\3g2.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\asf.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\flv.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\mka.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\mpa.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\wmv.ico	iplasetup.exe
File opened for modification	C:\Program Files (x86)\ipla\TestFile.tst	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\mp4.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\mpeg.ico	iplasetup.exe
File created	C:\Program Files (x86)\ipla\images\icons\mpg.ico	iplasetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	enumsplitters.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iplasetup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	iplasetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	iplasetup.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe
3032	iplasetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 528	3032	iplasetup.exe	70
PID 3032 wrote to memory of 528	3032	iplasetup.exe	70
PID 3032 wrote to memory of 528	3032	iplasetup.exe	70

C:\Users\Admin\AppData\Local\Temp\iplasetup.exe
"C:\Users\Admin\AppData\Local\Temp\iplasetup.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\enumsplitters.exe
  C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\enumsplitters.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\InstallOptionsEx.dll

Filesize
120KB

MD5
f2f4b4f2985a1a6a45fd370c604f76bc

SHA1
b9c75014d8d1119886de917f9ba68e3638f6e21c

SHA256
fe5e20bfb1071901e3adfa90f6c0fae4e4428e5ec85ed5a69f78f7567cc16157

SHA512
5fd4fe56818da4e1a39ed09196264f403048ecf4bd981f27e97ef3a66dc014655097c5b8e3dbb1460dfedcf90f8945ecf07d9a57d5cb4e4662daf05e3dc07a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\Processes.dll

Filesize
56KB

MD5
dcf8677120ea4333339c9b1ae37a0f55

SHA1
f52d1fb8fc99c60dfc5f876d310e804da4ec3d1a

SHA256
6eab0471453c9848f8a15a10f0610b7026a1d2c583d5e852e341f18f580ebfb8

SHA512
4f7272dc0916456871fedde32fb675b1c0fd2f144df604e154eed3ff3fb7031a361c11a22713e8931efbdba0ed03305d6ee12d74abd83b3445ef1515ed8ddba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\enumsplitters.exe

Filesize
207KB

MD5
dd37efd8e6ee822e0293652ce251b2f6

SHA1
4135efa59abe911b1184389ec40115986bf6fe39

SHA256
41d3d54f60ab6103d7bc7a21812331ed592ba3d20c6ddf2b7d27a4c7c154fb02

SHA512
cdc0fa97c54e6de4e27695ca81a004ff9d56194ab0de99d6481f24e652a41832031b1950fa28d9c19531e1436c560e84612ccf49b9e94b2a7b0ba76221a44201

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\files.ini

Filesize
957B

MD5
75b2457690bd5bbfb4a0cecf4c764a91

SHA1
65fe89c56fa297d115c6fcc2c69743d74e052260

SHA256
62cb5ba5444ea28d097da80ea09d7e8584c365b9545b760da18798f389ba0361

SHA512
b6c0ffbcee358f97db5118ec95006f67445d67ee1914fcbd054995f52d035aae6fdd226e6f86bfc9b7919a9f075a10cb6d6dc51e4c8d07fb4d96f32e23c297c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\files.ini

Filesize
988B

MD5
6519437eb397487ff3c3f6dc1c96e198

SHA1
9b2773b3b396791ec183b546d453daf943f25cee

SHA256
4a05a910ad4ce9f7cd4fd8d12afb28790bc4eb6b1e22398dd432727fc80c5836

SHA512
78c89794e258692a846c44c6f0c3f853d992138fe48179f472fc66b73b90a7b53c22972f64f7c46ba9dcd1080afa49bb5c8599402691622eb2dd3760c978096d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\test.ini

Filesize
1KB

MD5
9a37fc3ac461ed6ad7da3bfd63d025cb

SHA1
c75127067eb02cd5f039b14cbf76848f67b58e02

SHA256
475e84e29fc4ec49a0a889a3986cb72416fdac049d32c3c1eba28899660e9bbf

SHA512
36602b35aec770320c495745cf458e5b032bd9455da27f2e9c54774453a944f19a21caaa8182469f10ff0e5c969f8848d7e34f23956bad24540432dbe4ae012f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\test.ini

Filesize
1KB

MD5
0092b4c1d5214d42736854bce5fdea32

SHA1
bec2794612c9b22d239661b15ee29a8363467640

SHA256
67ed0fd26d16a40c21de148b068e2c1faad6f937374aa3e9ee1dbdb1f15f7833

SHA512
6999ba1234bfba0b6408d73cfc0e3c66414d6b51e534fd8d552f9cefccc1114ee4f436412b6c50c7e42c1b9b90e2b29b3bead4fdbf0b8aa270bc2daebfb5152c

Download Submit
\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\NSISTools.dll

Filesize
42KB

MD5
beca78fa9b105c60b39f3cb567e6f5d0

SHA1
2e31bc180c59adc802bf218eb776db56846aaa43

SHA256
d4f922feb8257e85c0476ce7a1b0b0abfd9fc9f30406c789b30f17ddac745260

SHA512
434cbd3cc6441a330f26b70e22062f5057e27aead828ec8aca45b5b40d9ab4184d67480db3c8b9c93ef47e51a5f05d0445cf768106a92cbad50daeb78be02f38

Download Submit
\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\NSIS_SkinCrafter_Plugin.dll

Filesize
5.8MB

MD5
bad139a2d8491896ce10ee8e4e55a921

SHA1
4346289950aa9b547d96553ced684b6a05af0234

SHA256
363e9c63b62d61ff3dd5f3cb1de5d9c2320c95787ae0a30035c19f01adebb0c3

SHA512
7ba1908909237986c573244743f4632dde72da9f708c151879102633f7bd7cffbaf1f79b3bb3797952304248aae9dd984f6a07a9dbf6433cc5b2d7f72ee80e15

Download Submit
\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\SkinCrafter.dll

Filesize
792KB

MD5
8fea8fd177034b52e6a5886fb5e780bd

SHA1
99f511388a2420d53b8406baed48ba550842eaad

SHA256
546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de

SHA512
5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696

Download Submit
\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\UserInfo.dll

Filesize
3KB

MD5
52dc0884fadcf8906b614a82ea2abcc5

SHA1
0204f10246b4769363f91701e81e289a541b0716

SHA256
2e0500a0cd75c23019b10f8c920c50a1ba49cc1bb43086d2a289051d805e600d

SHA512
0f97c67a13a08c404cfa3c87cc04dfa85ab3fc3137371136db998171b50b0653956262c5b764b6925764d7e544de9293e16ed365b4cd06b6d55cfdd37f968ba9

Download Submit
\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\cpudesc.dll

Filesize
5KB

MD5
db40175690a780def9e6c6327654be11

SHA1
703c074a625fad245300fb97657f640e91ce36d6

SHA256
08a4ab71158afdaea82ae1f5670ae87b0b03facd606db26d4861c178b630cec2

SHA512
17012e166365a48a7dcc92aa9f4d67e6fafa347eb637f434d99a4f0f62fd6a438eb21e98aff18f04cc56e3d91e97022a2bf4ef35278d9d15146dbeab6d3c5c7a

Download Submit
\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\processwork.dll

Filesize
231KB

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
\Windows\SysWOW64\mfc71.dll

Filesize
1.0MB

MD5
1fd3f9722119bdf7b8cff0ecd1e84ea6

SHA1
9a4faa258b375e173feaca91a8bd920baf1091eb

SHA256
385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823

SHA512
109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6

Download Submit
\Windows\SysWOW64\msvcr71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
memory/3032-109-0x0000000003B90000-0x0000000003BB0000-memory.dmp

Filesize
128KB

Download
memory/3032-99-0x0000000003B90000-0x0000000003BD1000-memory.dmp

Filesize
260KB

Download
memory/3032-90-0x0000000003B90000-0x0000000003BA2000-memory.dmp

Filesize
72KB

Download
memory/3032-63-0x0000000003B70000-0x0000000003B7E000-memory.dmp

Filesize
56KB

Download
memory/3032-26-0x0000000002170000-0x000000000223C000-memory.dmp

Filesize
816KB

Download