Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-08-2024 19:31

General

  • Target

    9070036232769ef3d265188fff67ea50N.exe

  • Size

    1.9MB

  • MD5

    9070036232769ef3d265188fff67ea50

  • SHA1

    1d1aabe9cc3e2259452e31c8bcaddfbd845fc003

  • SHA256

    061be13ea4ba484514d798f70838648d72f09a5ca6c58a608d9b6d28e63146d1

  • SHA512

    a3397b4f583b2839be791552515c063d3d5505909449ef94370e1e6163a0b1e8d359a8d19273c911b4b49bfc4537737631b7677aa759014723d79df8b2d8ea9f

  • SSDEEP

    49152:8gwH+Hl2+jmaJhsYAH5e6duUPUau0rqURpUpE129j:pF2+/ZAHRu0UwmypUrJ

Malware Config

Signatures

  • Detects Strela Stealer payload 1 IoCs
  • Strela stealer

    An info stealer targeting mail credentials first seen in late 2022.

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 39 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9070036232769ef3d265188fff67ea50N.exe
    "C:\Users\Admin\AppData\Local\Temp\9070036232769ef3d265188fff67ea50N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
      "C:\Program Files (x86)\Common Files\supportdotcom\rang/driverinst64.exe" /Install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3056
    • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
      "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /setup
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2644
    • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
      "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /regserver /start
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2060
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{57b13fbe-8800-420b-17dd-7d1205a6396b}\ssmirrdr.inf" "9" "67bd61347" "00000000000003D0" "WinSta0\Default" "00000000000002F0" "208" "c:\program files (x86)\common files\supportdotcom\rang"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2560
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "2" "211" "ROOT\SSMIRR_DRIVER\0000" "C:\Windows\INF\oem2.inf" "ssmirrdr.inf:ssmirrdr.Mfg.ntamd64:ssmirrdr:2.0.0.0:ssmirr_driver" "67bd61347" "00000000000003D0" "00000000000005CC" "00000000000005E4"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1976
  • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
    "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" -service "-provider" "supportdotcom"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
      "ssrangui.exe" -start -ec 1 3631146199 -agentFriendlyName 'Solutions Engineer'
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:860
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:1960

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\supportdotcom\rang\ca-bundle.crt

      Filesize

      249KB

      MD5

      151856cfe9156091831b937aec612d46

      SHA1

      001b8dac977e70d8b65f133c537fe0b3209b8226

      SHA256

      e807d7c405f6077dd57be20254adfaea0c9d02d1c9ab95035424818d082c4325

      SHA512

      063df5476bd9f0f8dafa8c7ebeb4b0688640893b07fe89ce313b07ec26842a2845fe95f7955147c387cd15787af6ef3b050ad8d1e6863c667c5192d858e61ffa

    • C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe

      Filesize

      1.7MB

      MD5

      867f418fffc2dd61dd3fc065f4ab29bb

      SHA1

      9558d4995c70048cfcd7cfd4718f38babd6ba581

      SHA256

      2d2648a2e454e1637086d90b0a9071df66dd3de61c42ae88e4b1362aa51b21e4

      SHA512

      ebcaa8e676509b56bae4318ca800383b8b306b8425a0a5e4c55c69a9bc38937a5f806874924efb8b6f6b0624ad0c09b140c4c63127a2573069ac178f03817238

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3H1FOMV1\errorPageStrings[1]

      Filesize

      2KB

      MD5

      e3e4a98353f119b80b323302f26b78fa

      SHA1

      20ee35a370cdd3a8a7d04b506410300fd0a6a864

      SHA256

      9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

      SHA512

      d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3H1FOMV1\httpErrorPagesScripts[2]

      Filesize

      8KB

      MD5

      3f57b781cb3ef114dd0b665151571b7b

      SHA1

      ce6a63f996df3a1cccb81720e21204b825e0238c

      SHA256

      46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

      SHA512

      8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X761FPIN\NewErrorPageTemplate[1]

      Filesize

      1KB

      MD5

      cdf81e591d9cbfb47a7f97a2bcdb70b9

      SHA1

      8f12010dfaacdecad77b70a3e781c707cf328496

      SHA256

      204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

      SHA512

      977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X761FPIN\dnserrordiagoff[1]

      Filesize

      1KB

      MD5

      47f581b112d58eda23ea8b2e08cf0ff0

      SHA1

      6ec1df5eaec1439573aef0fb96dabfc953305e5b

      SHA256

      b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

      SHA512

      187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      f4846779ddeeb1fd5b7ea3ebfcc44f80

      SHA1

      5b62b115a0882180c8b751ecf3acc7d95b80c130

      SHA256

      438d4ffe2d92d78557be60c87fbff96d94350e6048359ed7933f3b08aa327170

      SHA512

      621dbeeb93235a1b1c33628ff43be4546ea3f4eae5c2129dc8ef2fb70a8d9fe31714ab777072251d4472c3df3dc583315f197d6450203529887f5843cfb8f193

    • C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_neutral_f60e4a3bb7f7b95a\ssmirrdr.PNF

      Filesize

      9KB

      MD5

      491da3364f51e6b86aa1c262bc4e58a0

      SHA1

      421f0e9da4a27df8030425b3c42a85eff1238bcc

      SHA256

      bb11c0eaf9a474c938cbc83eb1ddca34e0975995db03ce86e2130c43bc79ddeb

      SHA512

      f8e8155f3a0d0bf7688753dc88eb73818ef5ad718f557cfd6d550701364954cad7837e1fe8f611eec2fcb95a7be61a40d361ac4523f899c98349905af251ad4a

    • C:\Windows\System32\DriverStore\INFCACHE.1

      Filesize

      1.4MB

      MD5

      1f161950a68f51b835b12da46f52f61b

      SHA1

      13ad836fa165ff9234e220b4ca23903cc9bb0002

      SHA256

      106b8f336265fa5ca40d242a974dd46be04d4a5109d3afe7172a7d8e68b1842f

      SHA512

      cd28686441d61cfd197bba1a5609c2192de7ddb34f3ddd35a733927aecce055b452477c7c35c23fa4f4983d91881d5597c904476889de791ddda97259d48d3e2

    • C:\Windows\Temp\Tar331.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Windows\inf\oem2.PNF

      Filesize

      9KB

      MD5

      3c1c01a2c39644614bb1a4d791ab7bb2

      SHA1

      486893288e6bc758c363a828ff79481f3d5412e8

      SHA256

      4c25d543a10f3018e764a59843b97490e1dd6cd43c9aa5473d07ba0c0f87ef62

      SHA512

      17332a96b2644987591aa77b3cf85090a3c77f9183783c24dd01bbe12412f7c07a8b33ef160da11fbb35e9f7d2754f42c5dc704275d94a418fbbd7d86cd2ce12

    • \??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.dll

      Filesize

      31KB

      MD5

      28b26600204f79045eda8f7fd8ca3c86

      SHA1

      b9f19e36b80eb862370d99b466664380440af6d5

      SHA256

      5140f07b878efd1b74ee9f5821a207d1cee65952702ff75c49a4522face230c6

      SHA512

      aebd4425b846883e1f49da18edf3b7c96a9fb9ddb7ce709938b21eae169bdaeb5ce6bf8593638b5c887b26de7476b793a4691a7d56e46796bb658f1e516ad3c1

    • \??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.sys

      Filesize

      9KB

      MD5

      1100066057fbf612b573efd3b21383f1

      SHA1

      f95db83ea936f1fe70583a4eca810da807167dfe

      SHA256

      894f5a999e03807dffea67938d2e456d50d9e5511fe91d2e2293c51d98b3d87d

      SHA512

      62850de88b00daeab3299fec2bbd9aa0b07f766b96f42392310cb4f23c9e50f0aa8bc87f82e28cd99c195ea205a26c083d048cbac3341861dcee4a5eabb9dea8

    • \??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr-nt_amd64.cat

      Filesize

      8KB

      MD5

      31f007d8f2de5e945dc2e2234628bc37

      SHA1

      76fb2cd66c869bae25589298a971b458bd06c18e

      SHA256

      a179d2176962ff702eb57417f931deb3e8c9f2cfb61311d767b243e111b83973

      SHA512

      170e8ac2cb4decb9fe07f8811c58155c377fc20af3748bcc33cdb203a2780c749f0cc721ba293874ecab1e0423682679ff7a1bccc26caa185af279796112dc18

    • \??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr.inf

      Filesize

      2KB

      MD5

      6c4423d9cb9921a25de76b2d9f390f74

      SHA1

      5abdfd7b7d0e454a6ac117c90077b3379e48d666

      SHA256

      3cb8307e59f4483ec329cd2b92690a877eb4b3a0c3633c9e012a4f8aac249c82

      SHA512

      9f28e9a824e0983e180bcefdd347ee145c406e920f660622e34bedf5c3b7e7cd083c3f60528f135e341621248a53ad16cca5ebbb6c8b66af166304ab8b94628c

    • \Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe

      Filesize

      16KB

      MD5

      198aecd00486eadd45b763ecf6b850ef

      SHA1

      8141e2a173f5ed8a1ee4111a9dbf3973f87583e7

      SHA256

      da94f1da1d256ad7edcacb856d7712fae587714e8372462871b9b8390697e66e

      SHA512

      9968dc12d98ca2e7a4d6a90f01228d27c2c67f46cfe2e5cac61c1ada698e84e1fd43afd7b30dd30240ed6eea1ff5fb6e1f9ba7d15303baa889a34f24d4f46703

    • \Program Files (x86)\supportdotcom\rang\ssrangsv.exe

      Filesize

      2.2MB

      MD5

      3c58ee787f100d9c124fde7d41e2b40c

      SHA1

      794539da76db30d2193bc0e7f705a66816994773

      SHA256

      9ba659ce26f5e4bc1dd98d7d41ac1514bb2853d68c3d56707f7a050cfb08ed87

      SHA512

      2340c7f37ff53fcc9cecc77b0e87f6b86600f3cd08aa8bb0da87b9e041943cfcac87d6660187611cf7ee0eeb900a6f28272251bd60e0f2664da0e49c19667a5f

    • \Users\Admin\AppData\Local\Temp\nseE64B.tmp\System.dll

      Filesize

      11KB

      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f