88edb9fd9a15da9b29671b79314a83a26622102dd69fe82bc5fdda3abbfb73f6

General
Target

88edb9fd9a15da9b29671b79314a83a26622102dd69fe82bc5fdda3abbfb73f6.dll

Filesize

274KB

Completed

26-09-2021 13:17

Score
7 /10
MD5

8f5524d454be8615579d44504d038061

SHA1

f71457d914864ba35a20ad6cbc7554bd3213f8aa

SHA256

88edb9fd9a15da9b29671b79314a83a26622102dd69fe82bc5fdda3abbfb73f6

Malware Config
Signatures 3


Collection, Credential Access, Persistence
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    TTPs

    Data from Local System, Credentials in Files
  • Creates scheduled task(s)
    schtasks.exe ×4 (PIDs 1492, 1116, 1540, 1764)

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid   process
    1540  schtasks.exe
    1764  schtasks.exe
    1492  schtasks.exe
    1116  schtasks.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe ×2 (PIDs 844, 1324)

    Reported IOCs

    description                        events  pid   process       target process
    PID 844 wrote to memory of 1324    7       844   rundll32.exe  rundll32.exe
    PID 1324 wrote to memory of 1492   4       1324  rundll32.exe  schtasks.exe
    PID 1324 wrote to memory of 1116   4       1324  rundll32.exe  schtasks.exe
    PID 1324 wrote to memory of 1540   4       1324  rundll32.exe  schtasks.exe
    PID 1324 wrote to memory of 1764   4       1324  rundll32.exe  schtasks.exe

    Note: every write listed here goes from a parent into a child it has just spawned, which CreateProcess itself produces while populating the new process, and the 64-bit rundll32.exe (844) re-launching the same command line in a 32-bit copy (1324) is normal for a 32-bit DLL. Read this signature as process-tree evidence, not as proof of code injection.
Processes 6
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\88edb9fd9a15da9b29671b79314a83a26622102dd69fe82bc5fdda3abbfb73f6.dll,#1
    Suspicious use of WriteProcessMemory
    PID:844
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\88edb9fd9a15da9b29671b79314a83a26622102dd69fe82bc5fdda3abbfb73f6.dll,#1
      Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /SC ONSTART /TN s74t /TR "'C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\vcredist2019_x64_002_vcRuntimeAdditional_x64Nu.exe'" /f
        Creates scheduled task(s)
        PID:1492
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /SC ONSTART /TN s74t /TR "'C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\vcredist2019_x64_002_vcRuntimeAdditional_x64Nu.exe'" /f /RL HIGHEST
        Creates scheduled task(s)
        PID:1116
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /SC ONCE /ST 13:18:10 /TN WMg4J3bT /TR "'C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\vcredist2019_x64_002_vcRuntimeAdditional_x64Nu.exe'" /f
        Creates scheduled task(s)
        PID:1540
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /SC ONCE /ST 13:18:10 /TN WMg4J3bT /TR "'C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\vcredist2019_x64_002_vcRuntimeAdditional_x64Nu.exe'" /f /RL HIGHEST
        Creates scheduled task(s)
        PID:1764
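The four schtasks.exe command lines above carry the persistence details worth extracting: two task names (s74t on ONSTART, WMg4J3bT once at 13:18:10), each created twice, once plain and once with /RL HIGHEST, all pointing at an executable under the user's AppData whose file name imitates a Visual C++ redistributable component but sits in an Adobe Acrobat cache directory. Note also that every schtasks.exe image is listed under SysWOW64 while its command line names System32: the 32-bit rundll32.exe parent is subject to WOW64 file-system redirection, so the 32-bit schtasks.exe is what ran. The Python below is an added triage example, not part of this report or of the sandbox's tooling. It parses the four command lines (copied from the report, with the shared action path factored out into one constant), records those facts per process, and groups the attempts by task name. The tokenizer, the list of value-taking schtasks flags and the user-writable-path heuristic are this example's own assumptions.

```python
"""Triage schtasks.exe /CREATE command lines from a sandbox process tree.

Added example for this report, not sandbox tooling. PIDs, image path and
command lines are copied from the report's Processes section; the parsing
and scoring heuristics are this example's own assumptions.
"""
import re
from collections import defaultdict

# Shared action path from the report's four /TR arguments.
ACTION = (r"C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache"
          r"\vcredist2019_x64_002_vcRuntimeAdditional_x64Nu.exe")
SCHTASKS = r'"C:\Windows\System32\schtasks.exe"'
# All four schtasks.exe processes were listed with this image path.
IMAGE = r"C:\Windows\SysWOW64\schtasks.exe"

# pid -> command line, as reported.
CMDLINES = {
    1492: SCHTASKS + " /CREATE /SC ONSTART /TN s74t /TR \"'" + ACTION + "'\" /f",
    1116: SCHTASKS + " /CREATE /SC ONSTART /TN s74t /TR \"'" + ACTION + "'\" /f /RL HIGHEST",
    1540: SCHTASKS + " /CREATE /SC ONCE /ST 13:18:10 /TN WMg4J3bT /TR \"'" + ACTION + "'\" /f",
    1764: SCHTASKS + " /CREATE /SC ONCE /ST 13:18:10 /TN WMg4J3bT /TR \"'" + ACTION + "'\" /f /RL HIGHEST",
}

# Assumption: a double-quoted run or a whitespace-free run is one argument.
TOKEN = re.compile(r'"[^"]*"|\S+')
VERBS = {"CREATE", "DELETE", "QUERY", "CHANGE", "RUN", "END"}
# Assumption: these schtasks switches consume the following token as a value.
VALUE_FLAGS = {"SC", "ST", "SD", "ED", "TN", "TR", "RL", "RU", "RP",
               "MO", "D", "M", "I", "DU", "EC", "XML"}
# Assumption: path segments that an unprivileged user can normally write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def parse_schtasks(cmdline):
    """Split a schtasks command line into executable, verb and switch map."""
    tokens = TOKEN.findall(cmdline)
    if not tokens:
        raise ValueError("empty command line")
    parsed = {"exe": tokens[0].strip('"'), "verb": None, "flags": {}}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].upper()
            if name in VERBS and parsed["verb"] is None:
                parsed["verb"] = name
            elif name in VALUE_FLAGS and i + 1 < len(tokens):
                parsed["flags"][name] = tokens[i + 1].strip('"')
                i += 1
            else:
                parsed["flags"][name] = True  # boolean switch such as /f
        i += 1
    return parsed


def triage(pid, image, cmdline):
    """Reduce one schtasks.exe process to the facts a hunter cares about."""
    parsed = parse_schtasks(cmdline)
    flags = parsed["flags"]
    action = str(flags.get("TR", "")).strip("'\"")
    sc = str(flags.get("SC", "")).upper()
    st = flags.get("ST")
    return {
        "pid": pid,
        "verb": parsed["verb"],
        "task": flags.get("TN"),
        "trigger": sc + (" " + st if isinstance(st, str) else ""),
        "action": action,
        "user_writable": any(seg in action.lower() for seg in USER_WRITABLE),
        "highest": str(flags.get("RL", "")).upper() == "HIGHEST",
        "force": "F" in flags,
        # Image resolved under SysWOW64 although the command line names
        # System32: WOW64 file-system redirection from a 32-bit parent.
        "wow64_redirected": "\\syswow64\\" in image.lower()
                            and "\\system32\\" in parsed["exe"].lower(),
    }


def persistence_summary(findings):
    """Group /CREATE attempts by task name to expose retry/elevation patterns."""
    by_task = defaultdict(list)
    for f in findings:
        if f["verb"] == "CREATE" and f["task"]:
            by_task[f["task"]].append(f)
    return {
        name: {
            "attempts": len(group),
            "triggers": sorted({g["trigger"] for g in group}),
            "actions": sorted({g["action"] for g in group}),
            "elevation_variants": sorted({g["highest"] for g in group}),
        }
        for name, group in by_task.items()
    }


def run():
    findings = [triage(pid, IMAGE, cmd) for pid, cmd in CMDLINES.items()]
    return findings, persistence_summary(findings)


if __name__ == "__main__":
    findings, summary = run()
    for f in findings:
        print(f)
    for name, s in summary.items():
        print(name, s)
```

On this report the summary shows both task names created twice with the same action path, once without and once with highest run level; on other reports, feed the (pid, image path, command line) triples from the process tree into the same functions.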
Network
MITRE ATT&CK Matrix
Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/1116-60-0x0000000000000000-mapping.dmp
  • memory/1324-53-0x0000000000000000-mapping.dmp
  • memory/1324-54-0x00000000762D1000-0x00000000762D3000-memory.dmp
  • memory/1324-55-0x00000000001F0000-0x0000000000238000-memory.dmp
  • memory/1492-59-0x0000000000000000-mapping.dmp
  • memory/1540-61-0x0000000000000000-mapping.dmp
  • memory/1764-62-0x0000000000000000-mapping.dmp