Analysis Overview
SHA256
c9914b4ab252e782b73ab0a3efad386444ba8a8059167adcb0675968da2df36f
Threat Level: Known bad
The file 921b0badeaffee860310e6755769337e.dll was found to be: Known bad.
Malicious Activity Summary
Amadey family
Blocklisted process makes network request
Unsecured Credentials: Credentials In Files
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Reads local data of messenger clients
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 16:46
Signatures
Amadey family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 16:46
Reported
2024-10-27 16:48
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\921b0badeaffee860310e6755769337e.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\921b0badeaffee860310e6755769337e.dll,#1
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\039016743699_Desktop.zip' -CompressionLevel Optimal
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.217:80 | 185.215.113.217 | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 16:46
Reported
2024-10-27 16:48
Platform
win10v2004-20241007-en
Max time kernel
136s
Max time network
150s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 540 wrote to memory of 924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 540 wrote to memory of 924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 540 wrote to memory of 924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 924 wrote to memory of 1396 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 924 wrote to memory of 1396 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 924 wrote to memory of 1396 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 924 wrote to memory of 4444 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 924 wrote to memory of 4444 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\921b0badeaffee860310e6755769337e.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\921b0badeaffee860310e6755769337e.dll,#1
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\878641211696_Desktop.zip' -CompressionLevel Optimal
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.217:80 | 185.215.113.217 | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jhpetget.v3k.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\_Files_\DisconnectExit.docx
| MD5 | 0959505c756e4a90411959af06976394 |
| SHA1 | d7e1c654e1ef0344963ca06a6ae76917ec0538b8 |
| SHA256 | 28a747f8f6f6ec46fd6431363a8b00f93089be6357c5cfa38691c86b6a761cce |
| SHA512 | 3820eeb7ba2ba0aa7bf24733ec589a9ca5a8509c11fc4b1e80c1ff1c7b96e14c6d2a20af497eb8d08bb0f2b930ff3ca4138004801a476557b7346189e109e25d |
C:\Users\Admin\AppData\Local\Temp\_Files_\GrantUnlock.xls
| MD5 | 707fc2f47604860e71d5cbe886950b02 |
| SHA1 | cadcfa7605c33bfd53e647c432e2428716e284f5 |
| SHA256 | f7f5c943f7e990e8e0e692e55a2a8dc324f41cbe61d2b010a05a2978ace1fd44 |
| SHA512 | d24f2c80ec9b9a9a77fd392f329f5006b047686de976b3e3b71d8f9809c95d6367b9c5529880e841625970430df82c263c288df7cef63c70dc5b79733f992de1 |
C:\Users\Admin\AppData\Local\Temp\_Files_\SubmitRequest.docx
| MD5 | b89c1d2b412036667bb4e4c0ceb87d4a |
| SHA1 | 2fa90985ab89b1629febe5ed836bfd55c4480943 |
| SHA256 | 67e7d9f4fca46cda56078ce3fa0ba374d8225b376a093e484abb858de2148cb9 |
| SHA512 | c717689bf796ff125912d9f30d7a763a11eb91bd9ab09b7201d687604f4cdba0cc1844c1bd7e26b2e3d9524ae1bf02d52319ee9519af0a0f357c120937c10e7e |
C:\Users\Admin\AppData\Local\Temp\878641211696_Desktop.zip
| MD5 | 56e8420544e694270ae57df892290d70 |
| SHA1 | 33c724b071570991a40efeaaeaa7477ef56c81c4 |
| SHA256 | 8adfb8a9a9840c80dcdd4b448e8a7a9f0bceb495005aebebe37e9188c44bfebb |
| SHA512 | fa9a4c3f59eb998c92f92a3ba8020b18d654b552d9bcba4c50c52ca42c4a7e7b3c67c9c08ece14bbea7c0a2071de8ad624597225e3ddfae358e937ec96fbebbb |