532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203

General

Target

cred64.dll
Size

1.2MB
MD5

6f25f0506bf49fe7f35686ed1f8fef4a
SHA1

e5596d4c2b924bc93755558e447d1a04d19efdfe
SHA256

532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203
SHA512

5d93f84c6d80430ee853e7ef20cce4235effc1ba49f860c358c16eaad1c762e74b67dd9aa4c7e1996b38da07c2c601ebdcaf8dba9d4b594c19b92db589ec18ae
SSDEEP

24576:Usd+7fzBMqZjh2sntUcCy8LfunZzW8IFHcDVh1QhHAO:U3BHjh2OZ80ZzHIF85L

Score

8^/10

credential_access discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1348	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4884	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4944	netsh.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1348	rundll32.exe
1348	rundll32.exe
1348	rundll32.exe
1348	rundll32.exe
1348	rundll32.exe
1348	rundll32.exe
1348	rundll32.exe
1348	rundll32.exe
1348	rundll32.exe
1348	rundll32.exe
4884	powershell.exe
4884	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 4944	1348	rundll32.exe	83
PID 1348 wrote to memory of 4944	1348	rundll32.exe	83
PID 1348 wrote to memory of 4884	1348	rundll32.exe	85
PID 1348 wrote to memory of 4884	1348	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred64.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\045960512394_Desktop.zip' -CompressionLevel Optimal
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\045960512394_Desktop.zip

Filesize
45KB

MD5
08b53b97fc683fb9c8fc39e90a3e6308

SHA1
2c8d9e87036ce7e8aca02457a532dc72b4721f11

SHA256
250c0ea39908432a761b7d4b23054d0f86f19e0b8619c48974a35400db4cf84c

SHA512
faba06aef9a3df05b72f4f833bf45570445b52211984119a84cc3f130ca9963a29fd1f5b5760a862049347953384083b306e9b575f1c82b529433c861e5c5934

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\ApproveCheckpoint.xlsx

Filesize
10KB

MD5
53210cd7a64acbf7cc62a82d09538f04

SHA1
1973827d23c9bb07c0e288b79ff35bfb7836d052

SHA256
acd6cb3b3dcf2f92e7ee3d126e83914195002c56ae9e963f782954bbf026947d

SHA512
d3035a72cc097ac17d0b600df2451f24b6be16f00e61ab91ce28ca11d04d41069e3f845eebb8bc1bf327bf46d42238d90be522a0fdfbb822a62402a6a47ab4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\ExportAssert.xlsx

Filesize
13KB

MD5
31dc154a984d2ed1c26be88b7029d18c

SHA1
32bada40826ea16746c434c4c6583c06c3862423

SHA256
0af4a43380e9be33a239975810482819fa0a37a763de298f7282bac1ebe35a6c

SHA512
72051e7fab0bdc3e03bd2d00e63be01d26198c87c218d1bfe81a598064fbf61a3924f2704331d1962ab7f5580fe71246c0ef0df60bec5d13d23adace3e86f5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\SaveSet.docx

Filesize
16KB

MD5
6d96c8e1c60d55a2fa1f4cfd6a27ccb8

SHA1
ca641e20a3ae582c5c58ee2ae23d1318b1ff97c9

SHA256
27aa0939b0b07efb7aad7ec34beb75b888e5fb576c8c02ae149464297947cffd

SHA512
537235a90fb03a9765e6e6897a9fdacfbe58e9fdeae6d676541bd4494d8cde4ceba234acaef91d42a572c2901db8b3b0ebf3ed09d585012a99889c0de90a096f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\SearchRestore.docx

Filesize
14KB

MD5
fae5bacc9277a092568106267a49eda8

SHA1
ecc7c8b72de95ebaaf4864044421d6ce382fa5d5

SHA256
89da47db07832a930f9e8e195e0a894625ef24132656eb7d4eabcb196214028c

SHA512
435317ee7b5fcc17ce9f126d4156238c2c4f5a1ebe97dc1f82b54fc38aef3933d7716ccebe30bf694b10629422fe586297410d9c5f1a1bee2d655d382a692b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1onugd3j.ts0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4884-15-0x00007FFB49390000-0x00007FFB49E51000-memory.dmp

Filesize
10.8MB

Download
memory/4884-17-0x0000024F67D00000-0x0000024F67D12000-memory.dmp

Filesize
72KB

Download
memory/4884-18-0x0000024F67C60000-0x0000024F67C6A000-memory.dmp

Filesize
40KB

Download
memory/4884-16-0x00007FFB49390000-0x00007FFB49E51000-memory.dmp

Filesize
10.8MB

Download
memory/4884-4-0x00007FFB49393000-0x00007FFB49395000-memory.dmp

Filesize
8KB

Download
memory/4884-26-0x00007FFB49390000-0x00007FFB49E51000-memory.dmp

Filesize
10.8MB

Download
memory/4884-14-0x0000024F67C70000-0x0000024F67C92000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads