4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486

General

Target

4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486.dll
Size

1.2MB
MD5

c7612ef960097ff466e641c7fe0cd5d3
SHA1

06849181c7ed4a8b44440f66583e6d1c11308916
SHA256

4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486
SHA512

f812f7d07b5977e09b56c1ed5deff4c7be4546627100a66bbebe1163a9d54634375686bcb0265b8c14384719e356202bc922119883bcc2f97b03c07714f7ba25
SSDEEP

24576:axYTyT6AMgQZvBHa726ZwccIIF1cV6n6zyYqOFzd6:fAMgQ7672swJIR06wb

Score

9^/10

credential_access discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

1 3952 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
1	3952	rundll32.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

netsh.exe

pid process

3248 netsh.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32.exe

pid process

3952 rundll32.exe
3952 rundll32.exe
3952 rundll32.exe
3952 rundll32.exe
3952 rundll32.exe
3952 rundll32.exe
3952 rundll32.exe
3952 rundll32.exe

pid	process
3248	netsh.exe

pid	process
3952	rundll32.exe
3952	rundll32.exe
3952	rundll32.exe
3952	rundll32.exe
3952	rundll32.exe
3952	rundll32.exe
3952	rundll32.exe
3952	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3952 wrote to memory of 3248	3952	rundll32.exe	netsh.exe
PID 3952 wrote to memory of 3248	3952	rundll32.exe	netsh.exe
PID 3952 wrote to memory of 3088	3952	rundll32.exe	tar.exe
PID 3952 wrote to memory of 3088	3952	rundll32.exe	tar.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\system32\netsh.exe
netsh wlan show profiles
2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:3248

C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\194130065347_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
2⤵
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\194130065347_Desktop.tar

Filesize
46KB

MD5
116acde3414a810352a04978667b97da

SHA1
9496bded747c189de2535015fd69c25f3552f42a

SHA256
2230d68164f401bb6a8ba774c4f62456516d8807bcd7bcb9b03cfdf36591de36

SHA512
494ffcef1536eb886f056b727c5a2570ffeea1f5bdd75672b8229494c0694f926a3bb6e7276555bfb019f0660398928ef3585a00e0fce8cfbe67044307d04df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\AssertResume.docx

Filesize
13KB

MD5
b60a1e3662697c3172eaa3d3a6d0e76c

SHA1
22e38768bc769e883357b4984640f4a8999bd346

SHA256
482aea2d3180cc35088a951301a5b42ccfb1cb8e0fa7bed0db27ca5bde3f41e9

SHA512
1a87b61372b2ae27ac38d36fa6d542491dab244308a206083f14ef7a03f7f948e4e39e6a1bdd124717058b42d132265c54d76002297d1934cef386c3349856d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\PingDeny.docx

Filesize
17KB

MD5
73a91900ecce74d821922acca9f39c45

SHA1
307369562ad6d9c76ae89fec02f6daf00359d478

SHA256
a1a8aa86037b4baab70c1b495c75e52c50f2a6327d05fe82749049e6e046bc0d

SHA512
755c72d7c6e31e5e87cdf01fa596ccf4b292b3759ba146a29780a975a1758a2564da212f4f5620cd77a0e408b57747aef4a121be6b0f4d408ac27b7f677e6329

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\RedoGrant.xlsx

Filesize
11KB

MD5
490fb0aa8765e75d6d426da3a8d8e066

SHA1
3bc7fdeac986632edbf0b4165b5469e4feae2b56

SHA256
4031e58576f590b9bbb481e7d9ed72966a4254c4deed8bca2ed53290eb1cd458

SHA512
31293ea4c5da332daa89c45dab4fb7cfe1420e2f5ed3f246800815ff7256232d38a1a66cb48ff5aeb5e1d6832993ed43863fb8b74e8ffbd02744803ddacbddb1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads