strela | 6a0ac5a6cef15e181e0808a20033f12af37c0ab5d80d6eba62ca3c98b430a740

Analysis

max time kernel
150s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22-10-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

82.5MB
MD5

2b408f64508f89f31eea20586050fd85
SHA1

8f26ee1f0d9714dbadd99ca6d26751a35dca3dcd
SHA256

7c7b22145b0d6b10576d358a3eb903b642b71dcf374cb58d8a372aa23b3e4baa
SHA512

cfa073a656dadb8455c6b9ef535858f87c747a42021b23a83596c71220e304ea61bfe4880f7f0df96f88d2ecca22d6d3b7b9a8dfbc01bd620fb9100ffe9b9290
SSDEEP

1572864:m2n1DWpbcQb+1hekC/0LQJzBNEcxOrIP/YpUIHdwDVKdj0nnodsYAWbjZk:m2tWNkekDLqNEAAU4wha29sjZk

Score

10^/10

strela discovery stealer

Malware Config

Signatures

Detects Strela Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral9/files/0x001900000002ab83-35.dat	family_strela

Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 10 IoCs

Processes:

setup.exe

pid	Process
5044	setup.exe
5044	setup.exe
5044	setup.exe
5044	setup.exe
5044	setup.exe
5044	setup.exe
5044	setup.exe
5044	setup.exe
5044	setup.exe
5044	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

setup.exe

description	ioc	Process
File created	C:\Windows\system32\ReWire.dll	setup.exe
File created	C:\Windows\SysWOW64\msvcr71.dll	setup.exe
File created	C:\Windows\SysWOW64\mfc71.dll	setup.exe
File created	C:\Windows\SysWOW64\ReWire.dll	setup.exe

Drops file in Program Files directory 9 IoCs

Processes:

setup.exe

description	ioc	Process
File created	C:\Program Files (x86)\Celemony\Melodyne Studio 4\MelodyneReWireDevice.dll	setup.exe
File created	C:\Program Files (x86)\Celemony\Melodyne Studio 4\Melodyne 4 Introduction.pdf	setup.exe
File created	C:\Program Files\Celemony\Melodyne Studio 4\MelodyneReWireDevice.dll	setup.exe
File created	C:\Program Files\Celemony\Melodyne Studio 4\Melodyne 4 Introduction.pdf	setup.exe
File created	C:\Program Files (x86)\Celemony\Melodyne Studio 4\uninstall.exe	setup.exe
File created	C:\Program Files (x86)\Common Files\Celemony\Bundles\MelodyneCore-4.0.4.001.dll	setup.exe
File created	C:\Program Files (x86)\Celemony\Melodyne Studio 4\Melodyne.exe	setup.exe
File created	C:\Program Files\Common Files\Celemony\Bundles\MelodyneCore-4.0.4.001.dll	setup.exe
File created	C:\Program Files\Celemony\Melodyne Studio 4\Melodyne.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

setup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Modifies registry class 28 IoCs

Processes:

setup.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\ = "Melodyne Project Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\command\ = "\"C:\\Program Files\\Celemony\\Melodyne Studio 4\\Melodyne.exe\" /dde"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\command\ = "\"C:\\Program Files\\Celemony\\Melodyne Studio 4\\Melodyne.exe\" /dde"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\command\ = "\"C:\\Program Files (x86)\\Celemony\\Melodyne Studio 4\\Melodyne.exe\" /dde"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdd\ = "com.celemony.mdd"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpd\ = "com.celemony.melodyneproject"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\command\ = "\"C:\\Program Files (x86)\\Celemony\\Melodyne Studio 4\\Melodyne.exe\" /dde"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\DefaultIcon\ = "\"C:\\Program Files (x86)\\Celemony\\Melodyne Studio 4\\Melodyne.exe\",2"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\DefaultIcon\ = "\"C:\\Program Files\\Celemony\\Melodyne Studio 4\\Melodyne.exe\",1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\DefaultIcon\ = "\"C:\\Program Files (x86)\\Celemony\\Melodyne Studio 4\\Melodyne.exe\",1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdd	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\ = "Celemony MDD File"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\ddeexec\ = "[open(\"%1\")]"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\ddeexec\ = "[open(\"%1\")]"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\DefaultIcon\ = "\"C:\\Program Files\\Celemony\\Melodyne Studio 4\\Melodyne.exe\",2"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpd	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd	setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

setup.exe

pid	Process
5044	setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description	pid	Process
Token: 33	1080	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1080	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

setup.exe

pid	Process
5044	setup.exe
5044	setup.exe
5044	setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Celemony\Melodyne Studio 4\Melodyne.exe

Filesize
1.1MB

MD5
d32422e914e189bfb2ba4a549fb1c0b5

SHA1
903c8156b20f49b90aef282dafc5ec9d91cfc3e6

SHA256
467f6eecc90e22bf114d55acb5a68f7ff25798e341bb08fd418182c9a7c03b9e

SHA512
b9ea71a67976cda6c856d4a49465f90a02a27aa551a722d13887ca42191441b5e279c18d29e6e4b8542301b28c07dd6e9eee925a1be80f84df6c8bee08228c1f

Download Submit
C:\Program Files\Celemony\Melodyne Studio 4\Melodyne.exe

Filesize
1.4MB

MD5
b4aeae270498dc2b7f9a4589dfb9d17f

SHA1
c5d45fa9e59b7566ee4aa6af648974969a0d133f

SHA256
4776e30359f5aa2f32660579afeb014daab0dfe91e7a3bbdbbbe9ceb83b91368

SHA512
00bca96406f4fec76a42c7097cee9347eb2961b09cbeeb017d65412e628208954322a0c975bc4c2e8516de7e4e9adaf16e7b22c8881457e9069123ad1230067c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBCAB.tmp\InstallOptions.dll

Filesize
15KB

MD5
89351a0a6a89519c86c5531e20dab9ea

SHA1
9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

SHA256
f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

SHA512
13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBCAB.tmp\NSIS_SkinCrafter_Plugin.dll

Filesize
5.8MB

MD5
2e13e03b7cf2d8c8338bbc3d29fd3e07

SHA1
173e6e67c5315474765dcd303b3214d5600c48ea

SHA256
ea1552de423ed1768bace344d9a07bf529845c75fe6fc6ce3c4ba91d4aae5409

SHA512
94220a07aea2f4a45ef6b7566baba5a9ce73e70236bf97fc2489bee50b662f3fd05824d7804dd544eef85d73e69091aaae5de3094f0866bf51521024eb3d168d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBCAB.tmp\SkinCrafter.dll

Filesize
792KB

MD5
8fea8fd177034b52e6a5886fb5e780bd

SHA1
99f511388a2420d53b8406baed48ba550842eaad

SHA256
546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de

SHA512
5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBCAB.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBCAB.tmp\bass.dll

Filesize
107KB

MD5
c0b11a7e60f69241ddcb278722ab962f

SHA1
ff855961eb5ed8779498915bab3d642044fc9bb1

SHA256
a8d979460e970e84eacce36b8a68ae5f6b9cc0fe16e05a6209b4ead52b81b021

SHA512
cb040aca6592310bffb72c898b8eb3ca8a46ff2df50212634c637593c58683c8ab62e0188da7aea362e1b063ae5db55cf4bf474295922af0ab94a526465cc472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBCAB.tmp\page_component.ini

Filesize
890B

MD5
15a8b8fccd5715e52a824be6fd6ee10e

SHA1
3e1ca43f2ab588f65902f1a253cfa87d10e608e7

SHA256
beea88eddab19818eb226323210a0186dabd76ed5682ec7f2485f644d810eb21

SHA512
ba5881a13d13a01c28c6762bd7dba77c42b6a4299f03024523db213af3213f599d1f8331e2fd13ee5f042739a075a97554ca7053a206ecd9f7c3dbcb91ffbc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBCAB.tmp\page_component.ini

Filesize
1022B

MD5
982e423a40d4f3a357fe08d8fa2447b3

SHA1
8f230cf2254f0d2087fd9487c1a799da67901e6f

SHA256
f940f2e9503a56e29675051f0e5a75472852333280a8a05c6f4f606f61c60954

SHA512
39172e23faaff9717a948d8e027127f6a2f88156a3b4a29257a5560bef693242f0b27899b7736fe3989e6d97933a66be339d5151ea94eeff0357d5eb49e71005

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBCAB.tmp\page_component.ini

Filesize
787B

MD5
75a65577d878c0238f7be2611246a061

SHA1
7858cbb53edef3a9f8e8ba5f95961fce883245cf

SHA256
58b69f563c8b84334e45884ff00c295fab7ce5b45bde2b8ffc4c4a74513645eb

SHA512
e64298cc12d9a780a4f67be9f7d869e730c3580c449cdd4e0756f339874dca12ccb5ac3d8c7f2a6afe6419505d84028442acaa55aaaded7ddd4497b13abcffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBCAB.tmp\page_component.ini

Filesize
877B

MD5
4021204f7afd17ecebebc4877cae176f

SHA1
856b70f55376ee6df343e9628bdb0d485dd67e61

SHA256
cee6f6ed728e515527643090354f1dff88f181078deadd304e956f382c901cd2

SHA512
7876497410fca9d0bd7db680e330bac76bfe27f20dca0b621fcc096c6f7371c3ee9be850d49f5b69d9fd8f64b7617eb910d6cc1e493dc0e61b09601f39b65a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBCAB.tmp\page_image.ini

Filesize
179B

MD5
31292042f8612558288c618cf970bd14

SHA1
b327fce674bf1b5491ebe061dfb43f073c6aaaab

SHA256
9cd7ade910abc7ee6b22ab79bdc71ac2908ef830921ccdc1e96d4e158418eeea

SHA512
3cdfd71b4bf9e5ccd93b2a493e506178fb276eba2d187066229b44fc1c6e943555c50ae0cde22b985b126321dd4b2eb83ce99d4fbd108c604650a714b7a290e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBCAB.tmp\page_image.ini

Filesize
157B

MD5
bc0634a40750269aa836426b9a645c0b

SHA1
da9222d9d84dcc072749a854128a6c296135ee0b

SHA256
e9f17eb5c7b471a566844b70af544ca03435c972eb232e8def92aa8500e937d9

SHA512
71bb1b354a17849a1beade1ac9d6f0d15f8cf9f1686fd286813532e5f4807f96dbd5b777dd5f11e8677c96dcb79992e0294794b1de59b7727829308405728ad8

Download Submit
C:\Windows\SysWOW64\mfc71.dll

Filesize
1.0MB

MD5
1fd3f9722119bdf7b8cff0ecd1e84ea6

SHA1
9a4faa258b375e173feaca91a8bd920baf1091eb

SHA256
385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823

SHA512
109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6

Download Submit
C:\Windows\SysWOW64\msvcr71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
memory/5044-240-0x0000000003200000-0x0000000003218000-memory.dmp

Filesize
96KB

Download
memory/5044-45-0x0000000003D80000-0x0000000003E4C000-memory.dmp

Filesize
816KB

Download
memory/5044-14-0x0000000074100000-0x0000000074150000-memory.dmp

Filesize
320KB

Download
memory/5044-16-0x0000000003200000-0x0000000003218000-memory.dmp

Filesize
96KB

Download
memory/5044-17-0x0000000074101000-0x0000000074127000-memory.dmp

Filesize
152KB

Download