908942a0607243b70ff999620a3caecd6b2b93dc26cd93903c6d6e070a30851a

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 08:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

908942a0607243b70ff999620a3caecd6b2b93dc26cd93903c6d6e070a30851a.dll
Size

103KB
MD5

41cd666ed61e5e400197ab099968bbd0
SHA1

2a4789815cc2a886a67f6b1b385d96ae679d2dbf
SHA256

908942a0607243b70ff999620a3caecd6b2b93dc26cd93903c6d6e070a30851a
SHA512

513415ea24de0c66256da432148d29440fd84ea24e6af937f9c2c7f8191395d825cf2c9fc5d9c2282c9e28e5224a3af1a2c0de4a5345ce239689180269b54a93
SSDEEP

1536:IhCZFcsifjE0SJIB/6pCypfoe6WH/vxUyVPA:IhHsio0tBGCzo5U6PA

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FRW = "C:\\Windows\\lHHFtIaX.exe"	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\SysWOW64\regedit.exe	rundll32.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe.tmp	rundll32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe.tmp	rundll32.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe.tmp	rundll32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe.tmp	rundll32.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe	rundll32.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe.tmp	rundll32.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe.tmp	rundll32.exe
File created	\??\c:\Program Files\Windows Media Player\wmplayer.exe.tmp	rundll32.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Media Player\wmplayer.exe	rundll32.exe
File created	\??\c:\Program Files (x86)\Windows Media Player\wmplayer.exe.tmp	rundll32.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	rundll32.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe.tmp	rundll32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	rundll32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	rundll32.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe.tmp	rundll32.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe	rundll32.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe.tmp	rundll32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\notepad.exe	rundll32.exe
File created	\??\c:\Windows\regedit.exe.tmp	rundll32.exe
File opened for modification	C:\Windows\lHHFtIaX.exe	rundll32.exe
File created	\??\c:\Windows\hh.exe.tmp	rundll32.exe
File opened for modification	\??\c:\Windows\hh.exe	rundll32.exe
File created	\??\c:\Windows\notepad.exe.tmp	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
884	rundll32.exe
884	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 884	816	rundll32.exe	27
PID 816 wrote to memory of 884	816	rundll32.exe	27
PID 816 wrote to memory of 884	816	rundll32.exe	27
PID 816 wrote to memory of 884	816	rundll32.exe	27
PID 816 wrote to memory of 884	816	rundll32.exe	27
PID 816 wrote to memory of 884	816	rundll32.exe	27
PID 816 wrote to memory of 884	816	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\908942a0607243b70ff999620a3caecd6b2b93dc26cd93903c6d6e070a30851a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\908942a0607243b70ff999620a3caecd6b2b93dc26cd93903c6d6e070a30851a.dll,#1
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/884-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/884-56-0x0000000001B40000-0x0000000001B8C000-memory.dmp

Filesize
304KB

Download