4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486

General

Target

4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486.dll
Size

1.2MB
MD5

c7612ef960097ff466e641c7fe0cd5d3
SHA1

06849181c7ed4a8b44440f66583e6d1c11308916
SHA256

4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486
SHA512

f812f7d07b5977e09b56c1ed5deff4c7be4546627100a66bbebe1163a9d54634375686bcb0265b8c14384719e356202bc922119883bcc2f97b03c07714f7ba25
SSDEEP

24576:axYTyT6AMgQZvBHa726ZwccIIF1cV6n6zyYqOFzd6:fAMgQ7672swJIR06wb

Score

9^/10

credential_access discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

1 4464 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
1	4464	rundll32.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

netsh.exe

pid process

4220 netsh.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32.exe

pid process

4464 rundll32.exe
4464 rundll32.exe
4464 rundll32.exe
4464 rundll32.exe
4464 rundll32.exe
4464 rundll32.exe
4464 rundll32.exe
4464 rundll32.exe

pid	process
4220	netsh.exe

pid	process
4464	rundll32.exe
4464	rundll32.exe
4464	rundll32.exe
4464	rundll32.exe
4464	rundll32.exe
4464	rundll32.exe
4464	rundll32.exe
4464	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4464 wrote to memory of 4220	4464	rundll32.exe	netsh.exe
PID 4464 wrote to memory of 4220	4464	rundll32.exe	netsh.exe
PID 4464 wrote to memory of 1056	4464	rundll32.exe	tar.exe
PID 4464 wrote to memory of 1056	4464	rundll32.exe	tar.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\system32\netsh.exe
netsh wlan show profiles
2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4220

C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\227988167281_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
2⤵
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\227988167281_Desktop.tar

Filesize
28KB

MD5
39580f28be79acd51f9c239e036e4f5f

SHA1
fa54333df8b622aa0e40861ed6d3d04e63a4d881

SHA256
f8f5b8169893cb0403cfe555312090302f5f171efcc100945523773e38cae7e3

SHA512
24271b2c75ae6cd042b6f7e4618e19d2ffdcd23afc32e6cb931a7397cccc1af100a38f121a662af295e52b91c2be14eb375b5c18a04ecbb6a141e53f0dcda3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\ConnectTest.docx

Filesize
13KB

MD5
6ae6496612714bb86e6e0a39ca398ddf

SHA1
dcbf8c8b39c7a658a2252b9eaf089be8d6d94880

SHA256
2b8bd23ae31234ba88728ff729a284c0af4e6559282056238cfba249f2d8f337

SHA512
27da1968569dcbd21670c0d63bf43a3218c74bb989499b9d2518b7379ebde9d13361c0ab6d556a2c65c33d5ebe9acf7133e621a7d6078623db5ff2c268c8b80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\PingResume.docx

Filesize
12KB

MD5
1085ee25be1a986929c18a7a201483f6

SHA1
9fe90f193b1642d4673032ccc6ded84e5fc6e203

SHA256
d1fedfb7e04f3aafc17f04e8c036968bd8dd9c51b75485837f2accb4ecf28798

SHA512
a290fba381b54e8fb6fc3d14b75b570ae254340cbe8879dd4f0f599fba57a574abeea98f69ea8e9ed101c58d7ad573254edb3c9a899df7a2e40115993cf537f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads