Analysis
max time kernel: 94s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-08-2024 20:11
Behavioral task: behavioral1
Sample: 4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486.dll
Resource: win10v2004-20240802-en
Behavioral task: behavioral2
Sample: 4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486.dll
Resource: win11-20240802-en
General
Target: 4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486.dll
Size: 1.2MB
MD5: c7612ef960097ff466e641c7fe0cd5d3
SHA1: 06849181c7ed4a8b44440f66583e6d1c11308916
SHA256: 4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486
SHA512: f812f7d07b5977e09b56c1ed5deff4c7be4546627100a66bbebe1163a9d54634375686bcb0265b8c14384719e356202bc922119883bcc2f97b03c07714f7ba25
SSDEEP: 24576:axYTyT6AMgQZvBHa726ZwccIIF1cV6n6zyYqOFzd6:fAMgQ7672swJIR06wb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access or copy of web browser credential store.
- Blocklisted process makes network request (1 IoCs)
  Processes (flow | pid | process):
    1 | 3952 | rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steal credentials from unsecured files.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
    Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
    Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
- System Network Configuration Discovery: Wi-Fi Discovery (1 TTPs, 1 IoCs)
  Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process):
    3952 | rundll32.exe (8 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
    PID 3952 wrote to memory of 3248 | 3952 | rundll32.exe | netsh.exe
    PID 3952 wrote to memory of 3248 | 3952 | rundll32.exe | netsh.exe
    PID 3952 wrote to memory of 3088 | 3952 | rundll32.exe | tar.exe
    PID 3952 wrote to memory of 3088 | 3952 | rundll32.exe | tar.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486.dll,#1
  PID: 3952
  Signatures:
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\netsh.exe (child of PID 3952)
    Command line: netsh wlan show profiles
    PID: 3248
    Signatures:
      - Event Triggered Execution: Netsh Helper DLL
      - System Network Configuration Discovery: Wi-Fi Discovery
  - C:\Windows\system32\tar.exe (child of PID 3952)
    Command line: tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\194130065347_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
    PID: 3088
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)
Downloads
- Filesize: 46KB
  MD5: 116acde3414a810352a04978667b97da
  SHA1: 9496bded747c189de2535015fd69c25f3552f42a
  SHA256: 2230d68164f401bb6a8ba774c4f62456516d8807bcd7bcb9b03cfdf36591de36
  SHA512: 494ffcef1536eb886f056b727c5a2570ffeea1f5bdd75672b8229494c0694f926a3bb6e7276555bfb019f0660398928ef3585a00e0fce8cfbe67044307d04df5
- Filesize: 13KB
  MD5: b60a1e3662697c3172eaa3d3a6d0e76c
  SHA1: 22e38768bc769e883357b4984640f4a8999bd346
  SHA256: 482aea2d3180cc35088a951301a5b42ccfb1cb8e0fa7bed0db27ca5bde3f41e9
  SHA512: 1a87b61372b2ae27ac38d36fa6d542491dab244308a206083f14ef7a03f7f948e4e39e6a1bdd124717058b42d132265c54d76002297d1934cef386c3349856d5
- Filesize: 17KB
  MD5: 73a91900ecce74d821922acca9f39c45
  SHA1: 307369562ad6d9c76ae89fec02f6daf00359d478
  SHA256: a1a8aa86037b4baab70c1b495c75e52c50f2a6327d05fe82749049e6e046bc0d
  SHA512: 755c72d7c6e31e5e87cdf01fa596ccf4b292b3759ba146a29780a975a1758a2564da212f4f5620cd77a0e408b57747aef4a121be6b0f4d408ac27b7f677e6329
- Filesize: 11KB
  MD5: 490fb0aa8765e75d6d426da3a8d8e066
  SHA1: 3bc7fdeac986632edbf0b4165b5469e4feae2b56
  SHA256: 4031e58576f590b9bbb481e7d9ed72966a4254c4deed8bca2ed53290eb1cd458
  SHA512: 31293ea4c5da332daa89c45dab4fb7cfe1420e2f5ed3f246800815ff7256232d38a1a66cb48ff5aeb5e1d6832993ed43863fb8b74e8ffbd02744803ddacbddb1