532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203

General

Target

532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203.dll
Size

1.2MB
MD5

6f25f0506bf49fe7f35686ed1f8fef4a
SHA1

e5596d4c2b924bc93755558e447d1a04d19efdfe
SHA256

532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203
SHA512

5d93f84c6d80430ee853e7ef20cce4235effc1ba49f860c358c16eaad1c762e74b67dd9aa4c7e1996b38da07c2c601ebdcaf8dba9d4b594c19b92db589ec18ae
SSDEEP

24576:Usd+7fzBMqZjh2sntUcCy8LfunZzW8IFHcDVh1QhHAO:U3BHjh2OZ80ZzHIF85L

Score

8^/10

credential_access discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	4080	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2380	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4336	netsh.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
2380	powershell.exe
2380	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4336	4080	rundll32.exe	82
PID 4080 wrote to memory of 4336	4080	rundll32.exe	82
PID 4080 wrote to memory of 2380	4080	rundll32.exe	84
PID 4080 wrote to memory of 2380	4080	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:4336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\089630652159_Desktop.zip' -CompressionLevel Optimal
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\089630652159_Desktop.zip

Filesize
47KB

MD5
bbb287ebf7be748e8b428b3e47d38bf9

SHA1
3f533805e590a3ae866f4122556cef3799020050

SHA256
7f5646bec18b5d9557d33c836a31f746e9669f8366a9b364ff9228bb31118a05

SHA512
3e407ce300c231e0746134a927c72f777222beba661bcfa3b49146797759f57a5db6d9b525d695b88d2f6ba579370d4f460dd578b0ea24a2fd6f7c80f5dccf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\ExitExport.docx

Filesize
19KB

MD5
e8cc3141e4cfca6679406ceaf1b9c93b

SHA1
ed454db2c7caaf2205b376347c7bce564d449d6c

SHA256
aaa1f01d181eac5fc651094536ec41a458c10440553be65fb7e33ad3786d1e46

SHA512
aab51553461dcddeb12320783083c9443b28f7f86391e4e9e95541765839d14c9149fc3163d00b0e67eb55d058b604ccb5dd492b7b5d89a7dfb75e0de010ab5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\UndoTest.docx

Filesize
15KB

MD5
bd0f5a1668409719528f991603214418

SHA1
2f8f13163c838a6df23fa472244611279a3b725a

SHA256
c23c54a874c9b71992c7e5977f8c75dc71bf68a09f7cd38a0e13a2eb0e9d4f1f

SHA512
3ad9ed85dcd3e7ccb066bb984cc7e5bd7702f8c6ccaee7e21fc1d03e1c3a377ff05520f1861834bcb2eb6eefd684e87f8b211e9836607e3b5dae3ee6258256e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\WatchUnlock.docx

Filesize
20KB

MD5
a2dd39b668a0df6cf266b7446ff997e3

SHA1
1c7569b967f86a58665342e7d55663eeba4654e1

SHA256
6dfa3dbea1608c561467da0961fc76d4bc0d7dfc1763879b46274f8a80f34bcc

SHA512
9f502b713faf93544453397524ae6404aba66dddadc899855bc52e329afa7958bbd131f02ca708edf46269e6ef34bb8aceb88683a0f4735d81d4d80d4a30a438

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i30sx21e.nkb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2380-3-0x00007FFF47D23000-0x00007FFF47D25000-memory.dmp

Filesize
8KB

Download
memory/2380-4-0x000001FCF1E20000-0x000001FCF1E42000-memory.dmp

Filesize
136KB

Download
memory/2380-14-0x00007FFF47D20000-0x00007FFF487E1000-memory.dmp

Filesize
10.8MB

Download
memory/2380-15-0x00007FFF47D20000-0x00007FFF487E1000-memory.dmp

Filesize
10.8MB

Download
memory/2380-16-0x000001FCF2310000-0x000001FCF2322000-memory.dmp

Filesize
72KB

Download
memory/2380-17-0x000001FCEFC60000-0x000001FCEFC6A000-memory.dmp

Filesize
40KB

Download
memory/2380-24-0x00007FFF47D20000-0x00007FFF487E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads