Analysis
- max time kernel: 11s
- max time network: 22s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03-08-2024 17:43
Static task: static1
Behavioral task: behavioral1
- Sample: iplasetup.exe
- Resource: win10-20240611-en
Behavioral task: behavioral2
- Sample: $TEMP.dll
- Resource: win10-20240404-en
General
- Target: iplasetup.exe
- Size: 39.8MB
- MD5: e872bca75b21b9fd7ea0ccd762d399d9
- SHA1: aac2a9bf68f87fc237ac121085328071e108ed2a
- SHA256: 26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af
- SHA512: 3bc06f126d92bbd6e8f8f19a90632ba9e0b3232a62ec94db021ffa987efe48c63df671ad47805e43f5878916a1f7ec8ede5808d38cb641737ebcbad1c62535ef
- SSDEEP: 786432:2aiqD9o7TuCV0GvGEpjWWHAxsD8TgdyCCD06KsEKjwUzAqhyNjg797+zr2sZW:2ko7J5eoE4WqTm0ABwY7hy9gp7+X2sk
Malware Config
Signatures
- Detects Strela Stealer payload (1 IoC)
  resource: behavioral1/files/0x000700000001aab7-16.dat
  yara_rule: family_strela
- Executes dropped EXE (1 IoC)
  PID 528: enumsplitters.exe
- Loads dropped DLL (23 IoCs)
  PID 3032: iplasetup.exe (listed 23 times, one entry per dropped DLL loaded)
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\msvcr71.dll (iplasetup.exe)
  File created: C:\Windows\SysWOW64\mfc71.dll (iplasetup.exe)
- Drops file in Program Files directory (21 IoCs, all by iplasetup.exe)
  File created: C:\Program Files (x86)\ipla\images\icons\3gp.ico
  File created: C:\Program Files (x86)\ipla\images\icons\custom.ico
  File created: C:\Program Files (x86)\ipla\images\icons\m4v.ico
  File created: C:\Program Files (x86)\ipla\images\icons\mkv.ico
  File created: C:\Program Files (x86)\ipla\images\icons\mov.ico
  File created: C:\Program Files (x86)\ipla\images\icons\mpe.ico
  File created: C:\Program Files (x86)\ipla\images\icons\rmvb.ico
  File created: C:\Program Files (x86)\ipla\images\icons\avi.ico
  File created: C:\Program Files (x86)\ipla\images\icons\m2v.ico
  File created: C:\Program Files (x86)\ipla\images\icons\ogm.ico
  File created: C:\Program Files (x86)\ipla\images\icons\rm.ico
  File created: C:\Program Files (x86)\ipla\images\icons\3g2.ico
  File created: C:\Program Files (x86)\ipla\images\icons\asf.ico
  File created: C:\Program Files (x86)\ipla\images\icons\flv.ico
  File created: C:\Program Files (x86)\ipla\images\icons\mka.ico
  File created: C:\Program Files (x86)\ipla\images\icons\mpa.ico
  File created: C:\Program Files (x86)\ipla\images\icons\wmv.ico
  File opened for modification: C:\Program Files (x86)\ipla\TestFile.tst
  File created: C:\Program Files (x86)\ipla\images\icons\mp4.ico
  File created: C:\Program Files (x86)\ipla\images\icons\mpeg.ico
  File created: C:\Program Files (x86)\ipla\images\icons\mpg.ico
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (enumsplitters.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (iplasetup.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (iplasetup.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (iplasetup.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 3032: iplasetup.exe (6 events)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 3032: iplasetup.exe (4 events)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3032 (iplasetup.exe) wrote to memory of PID 528 (procid_target 70), recorded 3 times
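The signatures above are the sandbox's behavioural rules applied to the recorded registry, file and memory operations. To make explicit how little each rule needs, here is an added example (not part of this report and not the sandbox's own rule code) that replays rules named like the report's over constructed event records built from the IoC columns shown; the event field names, the rule table and the regular expressions are this example's own assumptions. One caveat a reader should keep in mind: opening the NLS\Language key, reading CentralProcessor\0\~MHz and dropping the msvcr71.dll/mfc71.dll runtime into SysWOW64 are behaviours ordinary installers also exhibit, so the discriminating hit in this report is the family_strela YARA match on the dropped file behavioral1/files/0x000700000001aab7-16.dat, not the behavioural rules on their own.

```python
"""Replay behavioural signatures over constructed sandbox events.

Added example, not part of the sandbox report. EVENTS mirrors the IoC rows
shown in the report (pid, process, operation, target) but is constructed
here; the field names, RULES and the regexes are this example's own.
"""
import re
from collections import defaultdict

# Constructed events modelled on the report's IoC rows (not a real event log).
EVENTS = [
    {"pid": 3032, "process": "iplasetup.exe", "op": "Key opened",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 528, "process": "enumsplitters.exe", "op": "Key opened",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 3032, "process": "iplasetup.exe", "op": "Key opened",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
    {"pid": 3032, "process": "iplasetup.exe", "op": "Key value queried",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"pid": 3032, "process": "iplasetup.exe", "op": "File created",
     "target": r"C:\Windows\SysWOW64\msvcr71.dll"},
    {"pid": 3032, "process": "iplasetup.exe", "op": "File created",
     "target": r"C:\Windows\SysWOW64\mfc71.dll"},
    {"pid": 3032, "process": "iplasetup.exe", "op": "File created",
     "target": r"C:\Program Files (x86)\ipla\images\icons\avi.ico"},
    # target of a memory write is the victim PID (report lists this pair three times)
    {"pid": 3032, "process": "iplasetup.exe", "op": "WriteProcessMemory",
     "target": "528"},
]

# Signature name (as in the report) -> (operations it applies to, regex on the target).
RULES = {
    "System Location Discovery: System Language Discovery": (
        {"Key opened", "Key value queried"},
        re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)),
    "Checks processor information in registry": (
        {"Key opened", "Key value queried"},
        re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(\\|$)",
                   re.IGNORECASE)),
    "Drops file in System32 directory": (
        {"File created", "File opened for modification"},
        re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)),
    "Drops file in Program Files directory": (
        {"File created", "File opened for modification"},
        re.compile(r"^C:\\Program Files( \(x86\))?\\", re.IGNORECASE)),
    "Suspicious use of WriteProcessMemory": (
        {"WriteProcessMemory"},
        re.compile(r"^\d+$")),
}


def match_signatures(events):
    """Return {signature: [(pid, process, target), ...]} for every matching event."""
    hits = defaultdict(list)
    for ev in events:
        for name, (ops, pattern) in RULES.items():
            if ev["op"] in ops and pattern.search(ev["target"]):
                hits[name].append((ev["pid"], ev["process"], ev["target"]))
    return dict(hits)


def injection_edges(events):
    """Distinct (writer pid, victim pid) pairs from WriteProcessMemory events."""
    return sorted({(ev["pid"], int(ev["target"]))
                   for ev in events if ev["op"] == "WriteProcessMemory"})


if __name__ == "__main__":
    for name, rows in match_signatures(EVENTS).items():
        print(f"{name} ({len(rows)} IoCs)")
        for pid, proc, target in rows:
            print(f"  {pid} {proc} {target}")
    print("write-memory edges:", injection_edges(EVENTS))
```

Run it as a script to print the same signature counts the report shows for the constructed rows; the processor rule deliberately matches both the key open and the ~MHz value query, which is why the report counts two IoCs for it.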
Processes
- C:\Users\Admin\AppData\Local\Temp\iplasetup.exe (PID 3032, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\iplasetup.exe"
  signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\enumsplitters.exe (PID 528, depth 2, under PID 3032)
    command line: C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\enumsplitters.exe
    signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 120KB
  MD5: f2f4b4f2985a1a6a45fd370c604f76bc
  SHA1: b9c75014d8d1119886de917f9ba68e3638f6e21c
  SHA256: fe5e20bfb1071901e3adfa90f6c0fae4e4428e5ec85ed5a69f78f7567cc16157
  SHA512: 5fd4fe56818da4e1a39ed09196264f403048ecf4bd981f27e97ef3a66dc014655097c5b8e3dbb1460dfedcf90f8945ecf07d9a57d5cb4e4662daf05e3dc07a9d
- Filesize: 56KB
  MD5: dcf8677120ea4333339c9b1ae37a0f55
  SHA1: f52d1fb8fc99c60dfc5f876d310e804da4ec3d1a
  SHA256: 6eab0471453c9848f8a15a10f0610b7026a1d2c583d5e852e341f18f580ebfb8
  SHA512: 4f7272dc0916456871fedde32fb675b1c0fd2f144df604e154eed3ff3fb7031a361c11a22713e8931efbdba0ed03305d6ee12d74abd83b3445ef1515ed8ddba4
- Filesize: 207KB
  MD5: dd37efd8e6ee822e0293652ce251b2f6
  SHA1: 4135efa59abe911b1184389ec40115986bf6fe39
  SHA256: 41d3d54f60ab6103d7bc7a21812331ed592ba3d20c6ddf2b7d27a4c7c154fb02
  SHA512: cdc0fa97c54e6de4e27695ca81a004ff9d56194ab0de99d6481f24e652a41832031b1950fa28d9c19531e1436c560e84612ccf49b9e94b2a7b0ba76221a44201
- Filesize: 957B
  MD5: 75b2457690bd5bbfb4a0cecf4c764a91
  SHA1: 65fe89c56fa297d115c6fcc2c69743d74e052260
  SHA256: 62cb5ba5444ea28d097da80ea09d7e8584c365b9545b760da18798f389ba0361
  SHA512: b6c0ffbcee358f97db5118ec95006f67445d67ee1914fcbd054995f52d035aae6fdd226e6f86bfc9b7919a9f075a10cb6d6dc51e4c8d07fb4d96f32e23c297c2
- Filesize: 988B
  MD5: 6519437eb397487ff3c3f6dc1c96e198
  SHA1: 9b2773b3b396791ec183b546d453daf943f25cee
  SHA256: 4a05a910ad4ce9f7cd4fd8d12afb28790bc4eb6b1e22398dd432727fc80c5836
  SHA512: 78c89794e258692a846c44c6f0c3f853d992138fe48179f472fc66b73b90a7b53c22972f64f7c46ba9dcd1080afa49bb5c8599402691622eb2dd3760c978096d
- Filesize: 1KB
  MD5: 9a37fc3ac461ed6ad7da3bfd63d025cb
  SHA1: c75127067eb02cd5f039b14cbf76848f67b58e02
  SHA256: 475e84e29fc4ec49a0a889a3986cb72416fdac049d32c3c1eba28899660e9bbf
  SHA512: 36602b35aec770320c495745cf458e5b032bd9455da27f2e9c54774453a944f19a21caaa8182469f10ff0e5c969f8848d7e34f23956bad24540432dbe4ae012f
- Filesize: 1KB
  MD5: 0092b4c1d5214d42736854bce5fdea32
  SHA1: bec2794612c9b22d239661b15ee29a8363467640
  SHA256: 67ed0fd26d16a40c21de148b068e2c1faad6f937374aa3e9ee1dbdb1f15f7833
  SHA512: 6999ba1234bfba0b6408d73cfc0e3c66414d6b51e534fd8d552f9cefccc1114ee4f436412b6c50c7e42c1b9b90e2b29b3bead4fdbf0b8aa270bc2daebfb5152c
- Filesize: 42KB
  MD5: beca78fa9b105c60b39f3cb567e6f5d0
  SHA1: 2e31bc180c59adc802bf218eb776db56846aaa43
  SHA256: d4f922feb8257e85c0476ce7a1b0b0abfd9fc9f30406c789b30f17ddac745260
  SHA512: 434cbd3cc6441a330f26b70e22062f5057e27aead828ec8aca45b5b40d9ab4184d67480db3c8b9c93ef47e51a5f05d0445cf768106a92cbad50daeb78be02f38
- Filesize: 5.8MB
  MD5: bad139a2d8491896ce10ee8e4e55a921
  SHA1: 4346289950aa9b547d96553ced684b6a05af0234
  SHA256: 363e9c63b62d61ff3dd5f3cb1de5d9c2320c95787ae0a30035c19f01adebb0c3
  SHA512: 7ba1908909237986c573244743f4632dde72da9f708c151879102633f7bd7cffbaf1f79b3bb3797952304248aae9dd984f6a07a9dbf6433cc5b2d7f72ee80e15
- Filesize: 792KB
  MD5: 8fea8fd177034b52e6a5886fb5e780bd
  SHA1: 99f511388a2420d53b8406baed48ba550842eaad
  SHA256: 546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de
  SHA512: 5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696
- Filesize: 3KB
  MD5: 52dc0884fadcf8906b614a82ea2abcc5
  SHA1: 0204f10246b4769363f91701e81e289a541b0716
  SHA256: 2e0500a0cd75c23019b10f8c920c50a1ba49cc1bb43086d2a289051d805e600d
  SHA512: 0f97c67a13a08c404cfa3c87cc04dfa85ab3fc3137371136db998171b50b0653956262c5b764b6925764d7e544de9293e16ed365b4cd06b6d55cfdd37f968ba9
- Filesize: 5KB
  MD5: db40175690a780def9e6c6327654be11
  SHA1: 703c074a625fad245300fb97657f640e91ce36d6
  SHA256: 08a4ab71158afdaea82ae1f5670ae87b0b03facd606db26d4861c178b630cec2
  SHA512: 17012e166365a48a7dcc92aa9f4d67e6fafa347eb637f434d99a4f0f62fd6a438eb21e98aff18f04cc56e3d91e97022a2bf4ef35278d9d15146dbeab6d3c5c7a
- Filesize: 231KB
  MD5: 0a4fa7a9ba969a805eb0603c7cfe3378
  SHA1: 0f018a8d5b42c6ce8bf34b4a6422861c327af88c
  SHA256: 27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c
  SHA512: e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178
- Filesize: 1.0MB
  MD5: 1fd3f9722119bdf7b8cff0ecd1e84ea6
  SHA1: 9a4faa258b375e173feaca91a8bd920baf1091eb
  SHA256: 385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823
  SHA512: 109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6
- Filesize: 340KB
  MD5: ca2f560921b7b8be1cf555a5a18d54c3
  SHA1: 432dbcf54b6f1142058b413a9d52668a2bde011d
  SHA256: c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
  SHA512: 23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e
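The check a practitioner usually wants from this table is whether a file recovered from a host is one of the files the sandbox saw dropped. The following is an added example, not part of the report or of the sandbox's tooling: it parses dropped-file records out of report text (both the flattened "MD5<hex>" form the extraction produced and a "MD5: <hex>" form), hashes a file once with all four digests the report publishes, and lists which digests disagree. DOWNLOADS_TEXT is a constructed excerpt that copies the first two Downloads entries above; the function names and the chunk size are this example's own choices. The report's rounded Filesize is deliberately not compared, only the digests.

```python
"""Parse dropped-file records from a flattened sandbox report and verify a
local file against them.

Added example, not part of the sandbox report. DOWNLOADS_TEXT is a constructed
excerpt copying the report's first two Downloads entries; parse_downloads,
digest_stream, digest_bytes, compare and verify_file are this example's names.
"""
import hashlib
import io
import re

DOWNLOADS_TEXT = """\
Filesize
120KB
MD5f2f4b4f2985a1a6a45fd370c604f76bc
SHA1b9c75014d8d1119886de917f9ba68e3638f6e21c
SHA256fe5e20bfb1071901e3adfa90f6c0fae4e4428e5ec85ed5a69f78f7567cc16157
SHA5125fd4fe56818da4e1a39ed09196264f403048ecf4bd981f27e97ef3a66dc014655097c5b8e3dbb1460dfedcf90f8945ecf07d9a57d5cb4e4662daf05e3dc07a9d
-
Filesize: 56KB
  MD5: dcf8677120ea4333339c9b1ae37a0f55
  SHA1: f52d1fb8fc99c60dfc5f876d310e804da4ec3d1a
  SHA256: 6eab0471453c9848f8a15a10f0610b7026a1d2c583d5e852e341f18f580ebfb8
  SHA512: 4f7272dc0916456871fedde32fb675b1c0fd2f144df604e154eed3ff3fb7031a361c11a22713e8931efbdba0ed03305d6ee12d74abd83b3445ef1515ed8ddba4
"""

ALGOS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Label run straight into the hex (as extracted) or separated by ": ".
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-fA-F]+)$")


def parse_downloads(text):
    """Return one dict per entry: {"filesize": "120KB", "md5": ..., "sha512": ...}."""
    records, current = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Filesize"):
            size = line[len("Filesize"):].strip(" :")
            if not size and i + 1 < len(lines):  # value sits on the next line
                i += 1
                size = lines[i]
            current = {"filesize": size}
            records.append(current)
        else:
            m = HASH_LINE.match(line)
            if m and current is not None:
                algo, hexdigest = m.group(1).lower(), m.group(2).lower()
                if len(hexdigest) != HEX_LEN[algo]:  # catches truncated copy/paste
                    raise ValueError(f"{algo}: {len(hexdigest)} hex chars, expected {HEX_LEN[algo]}")
                current[algo] = hexdigest
        i += 1
    return records


def digest_stream(fp, chunk_size=1 << 20):
    """Single pass over a binary stream feeding every chunk to all four digests."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    size = 0
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {algo: h.hexdigest() for algo, h in hashers.items()}
    result["size"] = size
    return result


def digest_bytes(data, chunk_size=1 << 20):
    return digest_stream(io.BytesIO(data), chunk_size)


def compare(record, computed):
    """Names of digests in the record that differ from the computed values (empty = match)."""
    return [algo for algo in ALGOS if algo in record and record[algo] != computed[algo]]


def verify_file(path, record):
    with open(path, "rb") as fp:
        return compare(record, digest_stream(fp))


if __name__ == "__main__":
    import sys
    records = parse_downloads(DOWNLOADS_TEXT)
    for path in sys.argv[1:]:
        for rec in records:
            bad = verify_file(path, rec)
            status = "MATCH" if not bad else "differs on " + ", ".join(bad)
            print(f"{path} vs {rec['filesize']} entry: {status}")
```

Pass the file paths to check as arguments; a MATCH line means every digest the report publishes for that entry agrees with the file. Computing all four digests in one read keeps the cost the same for the 5.8MB entry as for the 957B one.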