Analysis
-
max time kernel
150s -
max time network
92s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
17-02-2021 02:13
Behavioral task
behavioral1
Sample
stealer.dll
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
stealer.dll
-
Size
5.2MB
-
MD5
3a4299537272d8671d85c99c17918e99
-
SHA1
93ff8577a13146091e40349fa523a6f54bd5fa2a
-
SHA256
83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43
-
SHA512
29011d41fdfc35cf3a4fe84fc08536bf1aa2afae2954227c58c53bbd922dcbfe256c43844e4153b56888f0e648dc57ad25d9bf15abe0dfb5796c2276b2ff1d28
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
RUNDLL32.EXEflow pid process 2 1440 RUNDLL32.EXE 4 1440 RUNDLL32.EXE 5 1440 RUNDLL32.EXE 6 1440 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 5 IoCs
Processes:
RUNDLL32.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXBH52U7\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RKGIF8TT\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini RUNDLL32.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exeRUNDLL32.EXEdescription pid process Token: SeDebugPrivilege 1272 rundll32.exe Token: SeDebugPrivilege 1440 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1924 wrote to memory of 1272 1924 rundll32.exe rundll32.exe PID 1924 wrote to memory of 1272 1924 rundll32.exe rundll32.exe PID 1924 wrote to memory of 1272 1924 rundll32.exe rundll32.exe PID 1924 wrote to memory of 1272 1924 rundll32.exe rundll32.exe PID 1924 wrote to memory of 1272 1924 rundll32.exe rundll32.exe PID 1924 wrote to memory of 1272 1924 rundll32.exe rundll32.exe PID 1924 wrote to memory of 1272 1924 rundll32.exe rundll32.exe PID 1272 wrote to memory of 1440 1272 rundll32.exe RUNDLL32.EXE PID 1272 wrote to memory of 1440 1272 rundll32.exe RUNDLL32.EXE PID 1272 wrote to memory of 1440 1272 rundll32.exe RUNDLL32.EXE PID 1272 wrote to memory of 1440 1272 rundll32.exe RUNDLL32.EXE PID 1272 wrote to memory of 1440 1272 rundll32.exe RUNDLL32.EXE PID 1272 wrote to memory of 1440 1272 rundll32.exe RUNDLL32.EXE PID 1272 wrote to memory of 1440 1272 rundll32.exe RUNDLL32.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\stealer.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\stealer.dll,#12⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\stealer.dll,Mx0WXKnWAIg=3⤵
- Blocklisted process makes network request
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1272-2-0x0000000000000000-mapping.dmp
-
memory/1272-3-0x0000000075AE1000-0x0000000075AE3000-memory.dmpFilesize
8KB
-
memory/1272-4-0x0000000074F10000-0x00000000750B3000-memory.dmpFilesize
1.6MB
-
memory/1440-5-0x0000000000000000-mapping.dmp
-
memory/1440-7-0x0000000074D60000-0x0000000074F03000-memory.dmpFilesize
1.6MB