Analysis

  • max time kernel
    11s
  • max time network
    22s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    03-08-2024 17:43

General

  • Target

    iplasetup.exe

  • Size

    39.8MB

  • MD5

    e872bca75b21b9fd7ea0ccd762d399d9

  • SHA1

    aac2a9bf68f87fc237ac121085328071e108ed2a

  • SHA256

    26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af

  • SHA512

    3bc06f126d92bbd6e8f8f19a90632ba9e0b3232a62ec94db021ffa987efe48c63df671ad47805e43f5878916a1f7ec8ede5808d38cb641737ebcbad1c62535ef

  • SSDEEP

    786432:2aiqD9o7TuCV0GvGEpjWWHAxsD8TgdyCCD06KsEKjwUzAqhyNjg797+zr2sZW:2ko7J5eoE4WqTm0ABwY7hy9gp7+X2sk

Malware Config

Signatures

  • Detects Strela Stealer payload 1 IoCs
  • Strela stealer

    An info stealer targeting mail credentials first seen in late 2022.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 23 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\iplasetup.exe
    "C:\Users\Admin\AppData\Local\Temp\iplasetup.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\enumsplitters.exe
      C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\enumsplitters.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:528

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\InstallOptionsEx.dll

    Filesize

    120KB

    MD5

    f2f4b4f2985a1a6a45fd370c604f76bc

    SHA1

    b9c75014d8d1119886de917f9ba68e3638f6e21c

    SHA256

    fe5e20bfb1071901e3adfa90f6c0fae4e4428e5ec85ed5a69f78f7567cc16157

    SHA512

    5fd4fe56818da4e1a39ed09196264f403048ecf4bd981f27e97ef3a66dc014655097c5b8e3dbb1460dfedcf90f8945ecf07d9a57d5cb4e4662daf05e3dc07a9d

  • C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\Processes.dll

    Filesize

    56KB

    MD5

    dcf8677120ea4333339c9b1ae37a0f55

    SHA1

    f52d1fb8fc99c60dfc5f876d310e804da4ec3d1a

    SHA256

    6eab0471453c9848f8a15a10f0610b7026a1d2c583d5e852e341f18f580ebfb8

    SHA512

    4f7272dc0916456871fedde32fb675b1c0fd2f144df604e154eed3ff3fb7031a361c11a22713e8931efbdba0ed03305d6ee12d74abd83b3445ef1515ed8ddba4

  • C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\enumsplitters.exe

    Filesize

    207KB

    MD5

    dd37efd8e6ee822e0293652ce251b2f6

    SHA1

    4135efa59abe911b1184389ec40115986bf6fe39

    SHA256

    41d3d54f60ab6103d7bc7a21812331ed592ba3d20c6ddf2b7d27a4c7c154fb02

    SHA512

    cdc0fa97c54e6de4e27695ca81a004ff9d56194ab0de99d6481f24e652a41832031b1950fa28d9c19531e1436c560e84612ccf49b9e94b2a7b0ba76221a44201

  • C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\files.ini

    Filesize

    957B

    MD5

    75b2457690bd5bbfb4a0cecf4c764a91

    SHA1

    65fe89c56fa297d115c6fcc2c69743d74e052260

    SHA256

    62cb5ba5444ea28d097da80ea09d7e8584c365b9545b760da18798f389ba0361

    SHA512

    b6c0ffbcee358f97db5118ec95006f67445d67ee1914fcbd054995f52d035aae6fdd226e6f86bfc9b7919a9f075a10cb6d6dc51e4c8d07fb4d96f32e23c297c2

  • C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\files.ini

    Filesize

    988B

    MD5

    6519437eb397487ff3c3f6dc1c96e198

    SHA1

    9b2773b3b396791ec183b546d453daf943f25cee

    SHA256

    4a05a910ad4ce9f7cd4fd8d12afb28790bc4eb6b1e22398dd432727fc80c5836

    SHA512

    78c89794e258692a846c44c6f0c3f853d992138fe48179f472fc66b73b90a7b53c22972f64f7c46ba9dcd1080afa49bb5c8599402691622eb2dd3760c978096d

  • C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\test.ini

    Filesize

    1KB

    MD5

    9a37fc3ac461ed6ad7da3bfd63d025cb

    SHA1

    c75127067eb02cd5f039b14cbf76848f67b58e02

    SHA256

    475e84e29fc4ec49a0a889a3986cb72416fdac049d32c3c1eba28899660e9bbf

    SHA512

    36602b35aec770320c495745cf458e5b032bd9455da27f2e9c54774453a944f19a21caaa8182469f10ff0e5c969f8848d7e34f23956bad24540432dbe4ae012f

  • C:\Users\Admin\AppData\Local\Temp\nsfECC2.tmp\test.ini

    Filesize

    1KB

    MD5

    0092b4c1d5214d42736854bce5fdea32

    SHA1

    bec2794612c9b22d239661b15ee29a8363467640

    SHA256

    67ed0fd26d16a40c21de148b068e2c1faad6f937374aa3e9ee1dbdb1f15f7833

    SHA512

    6999ba1234bfba0b6408d73cfc0e3c66414d6b51e534fd8d552f9cefccc1114ee4f436412b6c50c7e42c1b9b90e2b29b3bead4fdbf0b8aa270bc2daebfb5152c

  • \Users\Admin\AppData\Local\Temp\nsfECC2.tmp\NSISTools.dll

    Filesize

    42KB

    MD5

    beca78fa9b105c60b39f3cb567e6f5d0

    SHA1

    2e31bc180c59adc802bf218eb776db56846aaa43

    SHA256

    d4f922feb8257e85c0476ce7a1b0b0abfd9fc9f30406c789b30f17ddac745260

    SHA512

    434cbd3cc6441a330f26b70e22062f5057e27aead828ec8aca45b5b40d9ab4184d67480db3c8b9c93ef47e51a5f05d0445cf768106a92cbad50daeb78be02f38

  • \Users\Admin\AppData\Local\Temp\nsfECC2.tmp\NSIS_SkinCrafter_Plugin.dll

    Filesize

    5.8MB

    MD5

    bad139a2d8491896ce10ee8e4e55a921

    SHA1

    4346289950aa9b547d96553ced684b6a05af0234

    SHA256

    363e9c63b62d61ff3dd5f3cb1de5d9c2320c95787ae0a30035c19f01adebb0c3

    SHA512

    7ba1908909237986c573244743f4632dde72da9f708c151879102633f7bd7cffbaf1f79b3bb3797952304248aae9dd984f6a07a9dbf6433cc5b2d7f72ee80e15

  • \Users\Admin\AppData\Local\Temp\nsfECC2.tmp\SkinCrafter.dll

    Filesize

    792KB

    MD5

    8fea8fd177034b52e6a5886fb5e780bd

    SHA1

    99f511388a2420d53b8406baed48ba550842eaad

    SHA256

    546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de

    SHA512

    5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696

  • \Users\Admin\AppData\Local\Temp\nsfECC2.tmp\UserInfo.dll

    Filesize

    3KB

    MD5

    52dc0884fadcf8906b614a82ea2abcc5

    SHA1

    0204f10246b4769363f91701e81e289a541b0716

    SHA256

    2e0500a0cd75c23019b10f8c920c50a1ba49cc1bb43086d2a289051d805e600d

    SHA512

    0f97c67a13a08c404cfa3c87cc04dfa85ab3fc3137371136db998171b50b0653956262c5b764b6925764d7e544de9293e16ed365b4cd06b6d55cfdd37f968ba9

  • \Users\Admin\AppData\Local\Temp\nsfECC2.tmp\cpudesc.dll

    Filesize

    5KB

    MD5

    db40175690a780def9e6c6327654be11

    SHA1

    703c074a625fad245300fb97657f640e91ce36d6

    SHA256

    08a4ab71158afdaea82ae1f5670ae87b0b03facd606db26d4861c178b630cec2

    SHA512

    17012e166365a48a7dcc92aa9f4d67e6fafa347eb637f434d99a4f0f62fd6a438eb21e98aff18f04cc56e3d91e97022a2bf4ef35278d9d15146dbeab6d3c5c7a

  • \Users\Admin\AppData\Local\Temp\nsfECC2.tmp\processwork.dll

    Filesize

    231KB

    MD5

    0a4fa7a9ba969a805eb0603c7cfe3378

    SHA1

    0f018a8d5b42c6ce8bf34b4a6422861c327af88c

    SHA256

    27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

    SHA512

    e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

  • \Windows\SysWOW64\mfc71.dll

    Filesize

    1.0MB

    MD5

    1fd3f9722119bdf7b8cff0ecd1e84ea6

    SHA1

    9a4faa258b375e173feaca91a8bd920baf1091eb

    SHA256

    385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823

    SHA512

    109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6

  • \Windows\SysWOW64\msvcr71.dll

    Filesize

    340KB

    MD5

    ca2f560921b7b8be1cf555a5a18d54c3

    SHA1

    432dbcf54b6f1142058b413a9d52668a2bde011d

    SHA256

    c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

    SHA512

    23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

  • memory/3032-109-0x0000000003B90000-0x0000000003BB0000-memory.dmp

    Filesize

    128KB

  • memory/3032-99-0x0000000003B90000-0x0000000003BD1000-memory.dmp

    Filesize

    260KB

  • memory/3032-90-0x0000000003B90000-0x0000000003BA2000-memory.dmp

    Filesize

    72KB

  • memory/3032-63-0x0000000003B70000-0x0000000003B7E000-memory.dmp

    Filesize

    56KB

  • memory/3032-26-0x0000000002170000-0x000000000223C000-memory.dmp

    Filesize

    816KB
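The Downloads section above is, in practice, a hash-based IOC list. The following is an added example (not part of the sandbox report or its tooling) that loads the SHA256 values listed above and sweeps a directory for matching files. The split into "high" and "low" signal is an analyst assumption, not a report field: the NSIS plugin DLLs and the mfc71/msvcr71 runtimes dropped into SysWOW64 are stock components that also ship with benign installers, so a hit on them alone is weak evidence, while the submitted installer and the dropped enumsplitters.exe are the hashes worth alerting on.

```python
"""Offline sweep of a directory tree against the SHA256 IOCs from the report.

Added example, not code from the report or the analysed sample. The
high/low tiering is an analyst assumption explained in the lead-in.
"""
import hashlib
import os

# SHA256 -> label, copied from the report's Downloads section (plus the
# submitted sample from the General section). Two files.ini and two test.ini
# variants were observed, so they are labelled by size/order.
REPORT_SHA256 = {
    "26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af": "iplasetup.exe (submitted sample)",
    "fe5e20bfb1071901e3adfa90f6c0fae4e4428e5ec85ed5a69f78f7567cc16157": "InstallOptionsEx.dll",
    "6eab0471453c9848f8a15a10f0610b7026a1d2c583d5e852e341f18f580ebfb8": "Processes.dll",
    "41d3d54f60ab6103d7bc7a21812331ed592ba3d20c6ddf2b7d27a4c7c154fb02": "enumsplitters.exe",
    "62cb5ba5444ea28d097da80ea09d7e8584c365b9545b760da18798f389ba0361": "files.ini (957B)",
    "4a05a910ad4ce9f7cd4fd8d12afb28790bc4eb6b1e22398dd432727fc80c5836": "files.ini (988B)",
    "475e84e29fc4ec49a0a889a3986cb72416fdac049d32c3c1eba28899660e9bbf": "test.ini (first)",
    "67ed0fd26d16a40c21de148b068e2c1faad6f937374aa3e9ee1dbdb1f15f7833": "test.ini (second)",
    "d4f922feb8257e85c0476ce7a1b0b0abfd9fc9f30406c789b30f17ddac745260": "NSISTools.dll",
    "363e9c63b62d61ff3dd5f3cb1de5d9c2320c95787ae0a30035c19f01adebb0c3": "NSIS_SkinCrafter_Plugin.dll",
    "546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de": "SkinCrafter.dll",
    "2e0500a0cd75c23019b10f8c920c50a1ba49cc1bb43086d2a289051d805e600d": "UserInfo.dll",
    "08a4ab71158afdaea82ae1f5670ae87b0b03facd606db26d4861c178b630cec2": "cpudesc.dll",
    "27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c": "processwork.dll",
    "385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823": "mfc71.dll (SysWOW64)",
    "c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb": "msvcr71.dll (SysWOW64)",
}

# Analyst assumption (not a report field): only the installer itself and the
# dropped payload executable are specific enough to alert on by themselves.
HIGH_SIGNAL = {
    "26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af",
    "41d3d54f60ab6103d7bc7a21812331ed592ba3d20c6ddf2b7d27a4c7c154fb02",
}


def sha256_bytes(data: bytes) -> str:
    """Hex SHA256 of an in-memory buffer (handy for carved/extracted blobs)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA256 of a file, streamed so a 39.8MB installer is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest: str, iocs=REPORT_SHA256, high_signal=HIGH_SIGNAL):
    """Return (label, tier) for a known IOC digest, or None if not listed."""
    digest = digest.lower()
    label = iocs.get(digest)
    if label is None:
        return None
    return (label, "high" if digest in high_signal else "low")


def scan_tree(root: str, iocs=REPORT_SHA256, high_signal=HIGH_SIGNAL):
    """Walk `root` and return [(path, label, tier)] for every IOC match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                # Locked or unreadable file: skip it rather than abort the sweep.
                continue
            result = classify(digest, iocs, high_signal)
            if result is not None:
                hits.append((path, result[0], result[1]))
    return hits


if __name__ == "__main__":
    import sys

    # Typical use: point it at a user's %TEMP% or a mounted evidence image.
    for path, label, tier in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[{tier}] {path} -> {label}")
```

The NSIS staging directory name (nsfECC2.tmp here) is randomised per run, so sweep the whole Temp tree rather than that exact path; by the same token, a SHA256 match on a stock plugin such as UserInfo.dll or InstallOptionsEx.dll should only raise the priority of a high-signal hit on the same host, not stand as a detection on its own.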