Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
27-10-2024 16:46
Behavioral task
behavioral1
Sample
921b0badeaffee860310e6755769337e.dll
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
921b0badeaffee860310e6755769337e.dll
Resource
win10v2004-20241007-en
General
-
Target
921b0badeaffee860310e6755769337e.dll
-
Size
1.0MB
-
MD5
921b0badeaffee860310e6755769337e
-
SHA1
cfe2dfe5f457383e1723e4423e78620cc9fa8f91
-
SHA256
c9914b4ab252e782b73ab0a3efad386444ba8a8059167adcb0675968da2df36f
-
SHA512
2035442326a8e1f9733fef189cd135ce7b2dd22deda62d74e99ffd7eb83413487b91d72dba47f5512e4adcd45998ff5680a4b75342bba4c43d34186eacce1120
-
SSDEEP
24576:KNFxrUgNQWcPb72kXGWjVcwBlTd8DKT/VSMsCdTzHpgaym9:KNFxogmf2scG1Tzcm9
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 4 2636 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
pid Process 2940 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 2124 netsh.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2636 rundll32.exe 2636 rundll32.exe 2636 rundll32.exe 2636 rundll32.exe 2636 rundll32.exe 2940 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2940 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2032 wrote to memory of 2636 2032 rundll32.exe 30 PID 2032 wrote to memory of 2636 2032 rundll32.exe 30 PID 2032 wrote to memory of 2636 2032 rundll32.exe 30 PID 2032 wrote to memory of 2636 2032 rundll32.exe 30 PID 2032 wrote to memory of 2636 2032 rundll32.exe 30 PID 2032 wrote to memory of 2636 2032 rundll32.exe 30 PID 2032 wrote to memory of 2636 2032 rundll32.exe 30 PID 2636 wrote to memory of 2124 2636 rundll32.exe 31 PID 2636 wrote to memory of 2124 2636 rundll32.exe 31 PID 2636 wrote to memory of 2124 2636 rundll32.exe 31 PID 2636 wrote to memory of 2124 2636 rundll32.exe 31 PID 2636 wrote to memory of 2940 2636 rundll32.exe 35 PID 2636 wrote to memory of 2940 2636 rundll32.exe 35 PID 2636 wrote to memory of 2940 2636 rundll32.exe 35 PID 2636 wrote to memory of 2940 2636 rundll32.exe 35
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\921b0badeaffee860310e6755769337e.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\921b0badeaffee860310e6755769337e.dll,#12⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\netsh.exenetsh wlan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\039016743699_Desktop.zip' -CompressionLevel Optimal3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1