b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35

General

Target

b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35.dll
Size

1.2MB
MD5

c6aabb27450f1a9939a417e86bf53217
SHA1

b8ef3bb7575139fd6997379415d7119e452b5fc4
SHA256

b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35
SHA512

e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944
SSDEEP

24576:BO//kL3TtMhQsnoXyajMK8fCZEqcAxQBuLv8YPKpTG:z3pMhQzRM3MfcAxHv8t

Score

8^/10

credential_access discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	3440	rundll32.exe
6	3440	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4884	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2432	netsh.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
4884	powershell.exe
4884	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 2432	3440	rundll32.exe	83
PID 3440 wrote to memory of 2432	3440	rundll32.exe	83
PID 3440 wrote to memory of 4884	3440	rundll32.exe	85
PID 3440 wrote to memory of 4884	3440	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip' -CompressionLevel Optimal
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip

Filesize
40KB

MD5
3a8cf670b13441be809c2556f5242679

SHA1
fa9c5c8bae136ca1e2da25a44e6377727089d76c

SHA256
a14c8e54d6e7f86ac610f9cb04e8e9d23ab7717310731d9dd2c635d11b0e78db

SHA512
4d1d69c851f120aeab66eeb29820fe1284ffac71e04bb49d178e8883028db15595b13834bc8f3d90a832cafa33b70c760957e1022dfb1fc5ecab39663ea35fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\CompressInitialize.docx

Filesize
18KB

MD5
371051fcf52526e4aa1a26285bb53048

SHA1
dbf519ab324843361029478790560e06fff476e7

SHA256
bad9015db6df2673f57af417c1b0b9d3a1c9554ac6b88e942813371b7e27e5eb

SHA512
1f5f80af7a15f30c15a194200135fe8b5c2efb539c7cb58de21554fe478c5582ceb280a111733845f437b38c6f66f564b7f1689c4d41c0a907f43db1463c9b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\PublishRevoke.xlsx

Filesize
11KB

MD5
e7ab3b40eccae0b582921161f601b44e

SHA1
74f9a12efd3d4f95ad590348cb7c3cb8a1187162

SHA256
aa304719cc5a16bf9f0c26c6f425d1587c7c37cbb0730b4440837184ca3142c4

SHA512
d779b25c6acfbff34470384fdad88270ac44418a529fba823c9849eb0c1dbecc8f8f7eddbfb49c701e50f84db739050af000a24274074046a1a78b070d349a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\ShowMerge.docx

Filesize
17KB

MD5
065c6a01722db03bb6347bb2fd7d768a

SHA1
32caff17abc78f128cc11cdf84546a62e76c36bb

SHA256
c265a96e6ba51a6e162f6378dda2accb3b5cf11a3998114fcd5dc9a4ef2c0e00

SHA512
32f82821209610a46a25ff2d0a35566242043554b6bf21e7bd7d8e819de2fce16f947764daaedaf875570e3c9de8166ebb6f73f6f75f542a608d3ec0f346af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eujhbw0w.mom.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4884-3-0x00007FFEEE033000-0x00007FFEEE035000-memory.dmp

Filesize
8KB

Download
memory/4884-4-0x000002AEF6D70000-0x000002AEF6D92000-memory.dmp

Filesize
136KB

Download
memory/4884-14-0x00007FFEEE030000-0x00007FFEEEAF1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-15-0x00007FFEEE030000-0x00007FFEEEAF1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-16-0x000002AEF7260000-0x000002AEF7272000-memory.dmp

Filesize
72KB

Download
memory/4884-17-0x000002AEF6EE0000-0x000002AEF6EEA000-memory.dmp

Filesize
40KB

Download
memory/4884-24-0x00007FFEEE030000-0x00007FFEEEAF1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads