Analysis
max time kernel: 110s
max time network: 126s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 06-08-2024 20:11
Behavioral task: behavioral1
Sample: 4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486.dll
Resource: win10v2004-20240802-en

Behavioral task: behavioral2
Sample: 4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486.dll
Resource: win11-20240802-en
General
Target: 4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486.dll
Size: 1.2MB
MD5: c7612ef960097ff466e641c7fe0cd5d3
SHA1: 06849181c7ed4a8b44440f66583e6d1c11308916
SHA256: 4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486
SHA512: f812f7d07b5977e09b56c1ed5deff4c7be4546627100a66bbebe1163a9d54634375686bcb0265b8c14384719e356202bc922119883bcc2f97b03c07714f7ba25
SSDEEP: 24576:axYTyT6AMgQZvBHa726ZwccIIF1cV6n6zyYqOFzd6:fAMgQ7672swJIR06wb
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious Access or copy of Web Browser Credential store.

Blocklisted process makes network request (1 IoCs)
Processes:
  flow 1, pid 4464, process rundll32.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
  description: Key opened; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh; process: netsh.exe
  description: Key queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh; process: netsh.exe
  description: Key value enumerated; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh; process: netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery (1 TTPs, 1 IoCs)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid 4464, process rundll32.exe (listed 8 times)

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description: PID 4464 wrote to memory of 4220; pid: 4464; process: rundll32.exe; target process: netsh.exe
  description: PID 4464 wrote to memory of 4220; pid: 4464; process: rundll32.exe; target process: netsh.exe
  description: PID 4464 wrote to memory of 1056; pid: 4464; process: rundll32.exe; target process: tar.exe
  description: PID 4464 wrote to memory of 1056; pid: 4464; process: rundll32.exe; target process: tar.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486.dll,#1
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4464

  C:\Windows\system32\netsh.exe (child of PID 4464)
    Command line: netsh wlan show profiles
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID: 4220

  C:\Windows\system32\tar.exe (child of PID 4464)
    Command line: tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\227988167281_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
    PID: 1056
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores: 1
    Credentials from Web Browsers: 1
  Unsecured Credentials: 4
    Credentials In Files: 3
    Credentials in Registry: 1
Downloads
Filesize: 28KB
MD5: 39580f28be79acd51f9c239e036e4f5f
SHA1: fa54333df8b622aa0e40861ed6d3d04e63a4d881
SHA256: f8f5b8169893cb0403cfe555312090302f5f171efcc100945523773e38cae7e3
SHA512: 24271b2c75ae6cd042b6f7e4618e19d2ffdcd23afc32e6cb931a7397cccc1af100a38f121a662af295e52b91c2be14eb375b5c18a04ecbb6a141e53f0dcda3fb

Filesize: 13KB
MD5: 6ae6496612714bb86e6e0a39ca398ddf
SHA1: dcbf8c8b39c7a658a2252b9eaf089be8d6d94880
SHA256: 2b8bd23ae31234ba88728ff729a284c0af4e6559282056238cfba249f2d8f337
SHA512: 27da1968569dcbd21670c0d63bf43a3218c74bb989499b9d2518b7379ebde9d13361c0ab6d556a2c65c33d5ebe9acf7133e621a7d6078623db5ff2c268c8b80e

Filesize: 12KB
MD5: 1085ee25be1a986929c18a7a201483f6
SHA1: 9fe90f193b1642d4673032ccc6ded84e5fc6e203
SHA256: d1fedfb7e04f3aafc17f04e8c036968bd8dd9c51b75485837f2accb4ecf28798
SHA512: a290fba381b54e8fb6fc3d14b75b570ae254340cbe8879dd4f0f599fba57a574abeea98f69ea8e9ed101c58d7ad573254edb3c9a899df7a2e40115993cf537f0