strela | 6a0ac5a6cef15e181e0808a20033f12af37c0ab5d80d6eba62ca3c98b430a740

Analysis

max time kernel
150s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22-10-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

82.5MB
MD5

2b408f64508f89f31eea20586050fd85
SHA1

8f26ee1f0d9714dbadd99ca6d26751a35dca3dcd
SHA256

7c7b22145b0d6b10576d358a3eb903b642b71dcf374cb58d8a372aa23b3e4baa
SHA512

cfa073a656dadb8455c6b9ef535858f87c747a42021b23a83596c71220e304ea61bfe4880f7f0df96f88d2ecca22d6d3b7b9a8dfbc01bd620fb9100ffe9b9290
SSDEEP

1572864:m2n1DWpbcQb+1hekC/0LQJzBNEcxOrIP/YpUIHdwDVKdj0nnodsYAWbjZk:m2tWNkekDLqNEAAU4wha29sjZk

Score

10^/10

strela discovery stealer

Malware Config

Signatures

Detects Strela Stealer payload 1 IoCs

resource	yara_rule
behavioral16/files/0x001900000002ab79-35.dat	family_strela

Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 10 IoCs

pid	Process
956	setup.exe
956	setup.exe
956	setup.exe
956	setup.exe
956	setup.exe
956	setup.exe
956	setup.exe
956	setup.exe
956	setup.exe
956	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\ReWire.dll	setup.exe
File created	C:\Windows\SysWOW64\msvcr71.dll	setup.exe
File created	C:\Windows\SysWOW64\mfc71.dll	setup.exe
File created	C:\Windows\SysWOW64\ReWire.dll	setup.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Celemony\Melodyne Studio 4\Melodyne 4 Introduction.pdf	setup.exe
File created	C:\Program Files\Common Files\Celemony\Bundles\MelodyneCore-4.0.4.001.dll	setup.exe
File created	C:\Program Files\Celemony\Melodyne Studio 4\Melodyne.exe	setup.exe
File created	C:\Program Files\Celemony\Melodyne Studio 4\MelodyneReWireDevice.dll	setup.exe
File created	C:\Program Files\Celemony\Melodyne Studio 4\Melodyne 4 Introduction.pdf	setup.exe
File created	C:\Program Files (x86)\Celemony\Melodyne Studio 4\uninstall.exe	setup.exe
File created	C:\Program Files (x86)\Celemony\Melodyne Studio 4\MelodyneReWireDevice.dll	setup.exe
File created	C:\Program Files (x86)\Celemony\Melodyne Studio 4\Melodyne.exe	setup.exe
File created	C:\Program Files (x86)\Common Files\Celemony\Bundles\MelodyneCore-4.0.4.001.dll	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\DefaultIcon\ = "\"C:\\Program Files\\Celemony\\Melodyne Studio 4\\Melodyne.exe\",1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdd	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\DefaultIcon\ = "\"C:\\Program Files (x86)\\Celemony\\Melodyne Studio 4\\Melodyne.exe\",1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\command\ = "\"C:\\Program Files (x86)\\Celemony\\Melodyne Studio 4\\Melodyne.exe\" /dde"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\ = "Celemony MDD File"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\ddeexec\ = "[open(\"%1\")]"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdd\ = "com.celemony.mdd"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpd	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpd\ = "com.celemony.melodyneproject"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\DefaultIcon\ = "\"C:\\Program Files (x86)\\Celemony\\Melodyne Studio 4\\Melodyne.exe\",2"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\ddeexec\ = "[open(\"%1\")]"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\DefaultIcon\ = "\"C:\\Program Files\\Celemony\\Melodyne Studio 4\\Melodyne.exe\",2"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\command\ = "\"C:\\Program Files (x86)\\Celemony\\Melodyne Studio 4\\Melodyne.exe\" /dde"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\ = "Melodyne Project Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\command\ = "\"C:\\Program Files\\Celemony\\Melodyne Studio 4\\Melodyne.exe\" /dde"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\command\ = "\"C:\\Program Files\\Celemony\\Melodyne Studio 4\\Melodyne.exe\" /dde"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\DefaultIcon	setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
956	setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2348	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
956	setup.exe
956	setup.exe
956	setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:956

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Celemony\Melodyne Studio 4\Melodyne.exe

Filesize
1.1MB

MD5
d32422e914e189bfb2ba4a549fb1c0b5

SHA1
903c8156b20f49b90aef282dafc5ec9d91cfc3e6

SHA256
467f6eecc90e22bf114d55acb5a68f7ff25798e341bb08fd418182c9a7c03b9e

SHA512
b9ea71a67976cda6c856d4a49465f90a02a27aa551a722d13887ca42191441b5e279c18d29e6e4b8542301b28c07dd6e9eee925a1be80f84df6c8bee08228c1f

Download Submit
C:\Program Files\Celemony\Melodyne Studio 4\Melodyne.exe

Filesize
1.4MB

MD5
b4aeae270498dc2b7f9a4589dfb9d17f

SHA1
c5d45fa9e59b7566ee4aa6af648974969a0d133f

SHA256
4776e30359f5aa2f32660579afeb014daab0dfe91e7a3bbdbbbe9ceb83b91368

SHA512
00bca96406f4fec76a42c7097cee9347eb2961b09cbeeb017d65412e628208954322a0c975bc4c2e8516de7e4e9adaf16e7b22c8881457e9069123ad1230067c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC546.tmp\InstallOptions.dll

Filesize
15KB

MD5
89351a0a6a89519c86c5531e20dab9ea

SHA1
9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

SHA256
f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

SHA512
13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC546.tmp\NSIS_SkinCrafter_Plugin.dll

Filesize
5.8MB

MD5
2e13e03b7cf2d8c8338bbc3d29fd3e07

SHA1
173e6e67c5315474765dcd303b3214d5600c48ea

SHA256
ea1552de423ed1768bace344d9a07bf529845c75fe6fc6ce3c4ba91d4aae5409

SHA512
94220a07aea2f4a45ef6b7566baba5a9ce73e70236bf97fc2489bee50b662f3fd05824d7804dd544eef85d73e69091aaae5de3094f0866bf51521024eb3d168d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC546.tmp\SkinCrafter.dll

Filesize
792KB

MD5
8fea8fd177034b52e6a5886fb5e780bd

SHA1
99f511388a2420d53b8406baed48ba550842eaad

SHA256
546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de

SHA512
5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC546.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC546.tmp\bass.dll

Filesize
107KB

MD5
c0b11a7e60f69241ddcb278722ab962f

SHA1
ff855961eb5ed8779498915bab3d642044fc9bb1

SHA256
a8d979460e970e84eacce36b8a68ae5f6b9cc0fe16e05a6209b4ead52b81b021

SHA512
cb040aca6592310bffb72c898b8eb3ca8a46ff2df50212634c637593c58683c8ab62e0188da7aea362e1b063ae5db55cf4bf474295922af0ab94a526465cc472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC546.tmp\page_component.ini

Filesize
903B

MD5
c72d39688b2512f35ac1ba503f62c650

SHA1
77389d8b559b7bf1831add49a288590a4b36bba5

SHA256
6223cb63fb3683aa4de29e9d9b440f18d42f8da190676335977e6dd679f9bc0e

SHA512
5d57fc0aaa942d3615f48317c151c0aff02757326ec5a4a24a7aac1968634a8b1c328a8469cfd85e0730f13e5c04ba41450612cffd6ca0117926e3a8c7de3219

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC546.tmp\page_component.ini

Filesize
1022B

MD5
49436dded4497895bb117195f4ec2d0e

SHA1
9cd3f8335ebaf5293d4242727bad7c1c76605e70

SHA256
095c03e07027fabba420a6efc964bfc665ac7370a497e02d38d4b787117c9db2

SHA512
19d0ce5cc7bba4526e7ab64e9d56b1342a4099cdfb8be3862213f7c1711418b38d6db9b588b88a3b2b20845f1da75d93cca105b06e77317b29a36e8d8b528af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC546.tmp\page_component.ini

Filesize
787B

MD5
75a65577d878c0238f7be2611246a061

SHA1
7858cbb53edef3a9f8e8ba5f95961fce883245cf

SHA256
58b69f563c8b84334e45884ff00c295fab7ce5b45bde2b8ffc4c4a74513645eb

SHA512
e64298cc12d9a780a4f67be9f7d869e730c3580c449cdd4e0756f339874dca12ccb5ac3d8c7f2a6afe6419505d84028442acaa55aaaded7ddd4497b13abcffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC546.tmp\page_component.ini

Filesize
890B

MD5
e66fa1230c94c4e33d33b55821b9ff09

SHA1
f983a036a3099e7846fbe680034f17d0f87e8140

SHA256
97f31ab4992ffda1c04ea9c61cc494fcd5e4f928b433a34ac835375fa69deedd

SHA512
032dff4891d32a02d0973cd73d4e90d35e27a48e197aa299b3e12bc94ba56a9c266c3b372e02ec78ff923874f550b2e3fcc5c86a736ebfba07469a44af4ea883

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC546.tmp\page_image.ini

Filesize
179B

MD5
f3d416b60fef530d540a93c285488063

SHA1
4298f54b5871d074e8fe2072058c14aee608e298

SHA256
ab0e85c019016106bc8a33f9eb85c5dc8febacf75e0502beb9e32f357137e8b6

SHA512
c11b9ba576ff8eb9ea63547314b4a972bf663ac6082052524b29e0717de8dcf922e520af580c651ee064d6ccda1343ddbe71370337630ceda81205a62ef70400

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC546.tmp\page_image.ini

Filesize
170B

MD5
41db72fe01a72dc908bdfea8b7d89556

SHA1
5bf1cfb48723169d8cd66316e2bf3372e4e0b1c3

SHA256
3c96fbb966b549a315bc63dfcbad3dcc2b1ebf154454437dbc5f99a7428af5e5

SHA512
c66ff7709abc8ceb4bda77e5e9eee6d8cfbcaf29e1495545a29da75458fc15e59230b26bd7e750fd2a966ca17f60b2ff92b44504c3b7bd601bbe996aeea9157d

Download Submit
C:\Windows\SysWOW64\mfc71.dll

Filesize
1.0MB

MD5
1fd3f9722119bdf7b8cff0ecd1e84ea6

SHA1
9a4faa258b375e173feaca91a8bd920baf1091eb

SHA256
385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823

SHA512
109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6

Download Submit
C:\Windows\SysWOW64\msvcr71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
memory/956-240-0x0000000003200000-0x0000000003218000-memory.dmp

Filesize
96KB

Download
memory/956-45-0x0000000003D90000-0x0000000003E5C000-memory.dmp

Filesize
816KB

Download
memory/956-13-0x0000000073EE0000-0x0000000073F30000-memory.dmp

Filesize
320KB

Download
memory/956-16-0x0000000003200000-0x0000000003218000-memory.dmp

Filesize
96KB

Download
memory/956-17-0x0000000073EE1000-0x0000000073F07000-memory.dmp

Filesize
152KB

Download