Analysis

  • max time kernel: 117s
  • max time network: 121s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 16-08-2024 19:31

General

  • Target: 9070036232769ef3d265188fff67ea50N.exe
  • Size: 1.9MB
  • MD5: 9070036232769ef3d265188fff67ea50
  • SHA1: 1d1aabe9cc3e2259452e31c8bcaddfbd845fc003
  • SHA256: 061be13ea4ba484514d798f70838648d72f09a5ca6c58a608d9b6d28e63146d1
  • SHA512: a3397b4f583b2839be791552515c063d3d5505909449ef94370e1e6163a0b1e8d359a8d19273c911b4b49bfc4537737631b7677aa759014723d79df8b2d8ea9f
  • SSDEEP: 49152:8gwH+Hl2+jmaJhsYAH5e6duUPUau0rqURpUpE129j:pF2+/ZAHRu0UwmypUrJ

Malware Config

Signatures

  • Detects Strela Stealer payload 1 IoCs
  • Strela stealer

    An info stealer targeting mail credentials, first seen in late 2022.

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 30 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9070036232769ef3d265188fff67ea50N.exe
    "C:\Users\Admin\AppData\Local\Temp\9070036232769ef3d265188fff67ea50N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
      "C:\Program Files (x86)\Common Files\supportdotcom\rang/driverinst64.exe" /Install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3308
    • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
      "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /setup
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4824
    • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
      "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /regserver /start
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:4372
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{c86f1114-9c3c-6348-8c7e-b375c8c540db}\ssmirrdr.inf" "9" "47bd61347" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\common files\supportdotcom\rang"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:856
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\SSMIRR_DRIVER\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:10ef38c379e44436:ssmirrdr:2.0.0.0:ssmirr_driver," "47bd61347" "0000000000000154"
      2⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3272
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2900
  • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
    "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" -service "-provider" "supportdotcom"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
      "ssrangui.exe" -start -ec 1 3698006999 -agentFriendlyName 'Solutions Engineer'
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of SetWindowsHookEx
      PID:5112
  • C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    1⤵
    PID:856
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
    Filesize: 16KB
    MD5: 198aecd00486eadd45b763ecf6b850ef
    SHA1: 8141e2a173f5ed8a1ee4111a9dbf3973f87583e7
    SHA256: da94f1da1d256ad7edcacb856d7712fae587714e8372462871b9b8390697e66e
    SHA512: 9968dc12d98ca2e7a4d6a90f01228d27c2c67f46cfe2e5cac61c1ada698e84e1fd43afd7b30dd30240ed6eea1ff5fb6e1f9ba7d15303baa889a34f24d4f46703

  • C:\Program Files (x86)\supportdotcom\rang\ca-bundle.crt
    Filesize: 249KB
    MD5: 151856cfe9156091831b937aec612d46
    SHA1: 001b8dac977e70d8b65f133c537fe0b3209b8226
    SHA256: e807d7c405f6077dd57be20254adfaea0c9d02d1c9ab95035424818d082c4325
    SHA512: 063df5476bd9f0f8dafa8c7ebeb4b0688640893b07fe89ce313b07ec26842a2845fe95f7955147c387cd15787af6ef3b050ad8d1e6863c667c5192d858e61ffa

  • C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[8-16-2024 - 19.32.0].log
    Filesize: 373B
    MD5: 97da87d14e0fdf0bfe157354b67230da
    SHA1: 7cdd0d5823246c4264588588d79d3f4cbf1c34a2
    SHA256: 0ad8ac5df7fcaf083bf574e95cdcb00c05f054914fccb73efd47008aceff92e7
    SHA512: e2dc4c580e1e21d855bddf390927069f5a2ab7012544c8879775a6a699d2d891e104259347c1c9ecf9e1b9f9513c617687449145ed0070bd199916b613591fe2

  • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
    Filesize: 2.2MB
    MD5: 3c58ee787f100d9c124fde7d41e2b40c
    SHA1: 794539da76db30d2193bc0e7f705a66816994773
    SHA256: 9ba659ce26f5e4bc1dd98d7d41ac1514bb2853d68c3d56707f7a050cfb08ed87
    SHA512: 2340c7f37ff53fcc9cecc77b0e87f6b86600f3cd08aa8bb0da87b9e041943cfcac87d6660187611cf7ee0eeb900a6f28272251bd60e0f2664da0e49c19667a5f

  • C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
    Filesize: 1.7MB
    MD5: 867f418fffc2dd61dd3fc065f4ab29bb
    SHA1: 9558d4995c70048cfcd7cfd4718f38babd6ba581
    SHA256: 2d2648a2e454e1637086d90b0a9071df66dd3de61c42ae88e4b1362aa51b21e4
    SHA512: ebcaa8e676509b56bae4318ca800383b8b306b8425a0a5e4c55c69a9bc38937a5f806874924efb8b6f6b0624ad0c09b140c4c63127a2573069ac178f03817238

  • C:\Users\Admin\AppData\Local\Temp\nswBDB3.tmp\System.dll
    Filesize: 11KB
    MD5: c17103ae9072a06da581dec998343fc1
    SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
    SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
    SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • \??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.dll
    Filesize: 31KB
    MD5: 28b26600204f79045eda8f7fd8ca3c86
    SHA1: b9f19e36b80eb862370d99b466664380440af6d5
    SHA256: 5140f07b878efd1b74ee9f5821a207d1cee65952702ff75c49a4522face230c6
    SHA512: aebd4425b846883e1f49da18edf3b7c96a9fb9ddb7ce709938b21eae169bdaeb5ce6bf8593638b5c887b26de7476b793a4691a7d56e46796bb658f1e516ad3c1

  • \??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.sys
    Filesize: 9KB
    MD5: 1100066057fbf612b573efd3b21383f1
    SHA1: f95db83ea936f1fe70583a4eca810da807167dfe
    SHA256: 894f5a999e03807dffea67938d2e456d50d9e5511fe91d2e2293c51d98b3d87d
    SHA512: 62850de88b00daeab3299fec2bbd9aa0b07f766b96f42392310cb4f23c9e50f0aa8bc87f82e28cd99c195ea205a26c083d048cbac3341861dcee4a5eabb9dea8

  • \??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr-nt_amd64.cat
    Filesize: 8KB
    MD5: 31f007d8f2de5e945dc2e2234628bc37
    SHA1: 76fb2cd66c869bae25589298a971b458bd06c18e
    SHA256: a179d2176962ff702eb57417f931deb3e8c9f2cfb61311d767b243e111b83973
    SHA512: 170e8ac2cb4decb9fe07f8811c58155c377fc20af3748bcc33cdb203a2780c749f0cc721ba293874ecab1e0423682679ff7a1bccc26caa185af279796112dc18

  • \??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr.inf
    Filesize: 2KB
    MD5: 6c4423d9cb9921a25de76b2d9f390f74
    SHA1: 5abdfd7b7d0e454a6ac117c90077b3379e48d666
    SHA256: 3cb8307e59f4483ec329cd2b92690a877eb4b3a0c3633c9e012a4f8aac249c82
    SHA512: 9f28e9a824e0983e180bcefdd347ee145c406e920f660622e34bedf5c3b7e7cd083c3f60528f135e341621248a53ad16cca5ebbb6c8b66af166304ab8b94628c