Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 03:41
Behavioral task
behavioral1
Sample
deff476e62bb3b38fd2e4cfe36c27e03e1b32ad9a540395f7b14de34acf6597bN.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
deff476e62bb3b38fd2e4cfe36c27e03e1b32ad9a540395f7b14de34acf6597bN.dll
Resource
win10v2004-20241007-en
General
-
Target
deff476e62bb3b38fd2e4cfe36c27e03e1b32ad9a540395f7b14de34acf6597bN.dll
-
Size
1.0MB
-
MD5
d63a3769fe739ab7165ac60b424d4c00
-
SHA1
bc3d6adc338a46efe8dee6e249a18762e6ad60c1
-
SHA256
deff476e62bb3b38fd2e4cfe36c27e03e1b32ad9a540395f7b14de34acf6597b
-
SHA512
e0d5beb10825ec7215adb28ec7df04f8447f51a053c030ce80192b04af458910618fe6eba520816dfef8dc3abf4cd3cfa1cbbcbeb561919f792c41ba91eb1014
-
SSDEEP
24576:IWBhVxYlZdJCTgmP/xEcCJnDOEl5woFNEa1mXu5iPajrVT1qn:IWBhPYrpoCpmX2pjXqn
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 5 4404 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
pid Process 2636 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 5008 netsh.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 4404 rundll32.exe 4404 rundll32.exe 4404 rundll32.exe 4404 rundll32.exe 4404 rundll32.exe 4404 rundll32.exe 4404 rundll32.exe 4404 rundll32.exe 4404 rundll32.exe 4404 rundll32.exe 4404 rundll32.exe 4404 rundll32.exe 2636 powershell.exe 2636 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2636 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3568 wrote to memory of 4404 3568 rundll32.exe 82 PID 3568 wrote to memory of 4404 3568 rundll32.exe 82 PID 3568 wrote to memory of 4404 3568 rundll32.exe 82 PID 4404 wrote to memory of 5008 4404 rundll32.exe 83 PID 4404 wrote to memory of 5008 4404 rundll32.exe 83 PID 4404 wrote to memory of 5008 4404 rundll32.exe 83 PID 4404 wrote to memory of 2636 4404 rundll32.exe 85 PID 4404 wrote to memory of 2636 4404 rundll32.exe 85
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\deff476e62bb3b38fd2e4cfe36c27e03e1b32ad9a540395f7b14de34acf6597bN.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\deff476e62bb3b38fd2e4cfe36c27e03e1b32ad9a540395f7b14de34acf6597bN.dll,#12⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\netsh.exenetsh wlan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:5008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\089630652159_Desktop.zip' -CompressionLevel Optimal3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5b32063a59f9c70281838b4e07ad17240
SHA168d3e021384e55163e05d8e4ae9df8b822d7ab3f
SHA25635a453e64165cf43601168011f632516c11907be0add95eae956a726b5170fb8
SHA512f026c1209b4c05e05285f720f78642897ecefcd4f63084a2373ae53a6dc94d113fef94b009b8a1aacd67eb34278a039b134441e14065a954b19647c8f96d5666
-
Filesize
15KB
MD5cf4d2c28916f1826d06b06aaa811ca44
SHA1b974dc87783c63dfb3f7cf0eee6b78ff7dd112d6
SHA256383cd7a41c532efacd73e12b494713ec322a0497af260ccca73ea368eb3323b0
SHA51251db45591612b9951fb5762b7b6d78d53eae8a370c41923ad3f70ff63cbb819020ecda1a1cb27302c50fbc68950d6b3b962791eb45e44212436a53e50453038c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82