Overview

overview

10

Static

static

10

adb2d6d946...b3.dll

windows7-x64

8

adb2d6d946...b3.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2024 02:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    adb2d6d946f39976de3f5b99d86eb94d8e4345312cc89e010f0851180a7f18b3.dll

  • Size

    1.0MB

  • MD5

    dd6043fc837d2f087612f35a2553c6c9

  • SHA1

    3d663f1323c2999f48fdfbc56b979d71b3e96687

  • SHA256

    adb2d6d946f39976de3f5b99d86eb94d8e4345312cc89e010f0851180a7f18b3

  • SHA512

    762233e908e32f457539055da920812dd175ce83a1ccaa7a1ae32a10023bd96c28e98d073064564b3f5f054ade74792cd0c7311bf5c0025eed21b1cbc9263889

  • SSDEEP

    24576:IWBhVxYlZdJCTgmP/xEcCJnDOEl5woFNEa1mXu5iPajrVT1qnD:IWBhPYrpoCpmX2pjXqnD

Score
8/10
credential_accessdiscoveryexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\adb2d6d946f39976de3f5b99d86eb94d8e4345312cc89e010f0851180a7f18b3.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3292
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\adb2d6d946f39976de3f5b99d86eb94d8e4345312cc89e010f0851180a7f18b3.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profiles
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:3912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\409013623608_Desktop.zip' -CompressionLevel Optimal
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\409013623608_Desktop.zip
    Filesize

    47KB

    MD5

    984d25a506b8e5e290adba4241fa851b

    SHA1

    d150f635cd572e1e2aa57a3932f077744f155e24

    SHA256

    8651d7e02aafc99c601b6507d3ef28df5fda8742a296ddc5942fb310a9de73cf

    SHA512

    29692313abef99c3da0c91a5db8ae80cdcda3970c8afc8c9a9df88778c1cb39410c29a447650176aa19d9caceec182a3493c60a0a63c9980dd75328196de9699

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_Files_\BlockOptimize.xlsx
    Filesize

    9KB

    MD5

    ad7f62b8f997496ef5cb1231975c803f

    SHA1

    96c139d431619fb72a2e35825f27ed1bd3cf9cd5

    SHA256

    0a8f17d3187dc4f45c1e3fe80cd9cbc3269441883e1359b5a6cbb6ee98ff4978

    SHA512

    e7f8a070ed56ffc8c91cfcd169c7d87964c2d9a52aaad3cca136b6b910740c3a391e21bd19fdca3c9595b48213c56c8322bca1fd814b7a1b9e27be3973bbecb7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_Files_\HidePop.xlsx
    Filesize

    10KB

    MD5

    4bd6765e083b34417a2a43a376d15705

    SHA1

    fbbcf1d06a5d945f1d94ca8dc3330a86ceaa30c5

    SHA256

    2e4753de57e63feba39f7d48388c96030df0a8a6a33976d7ea223011574990bd

    SHA512

    efc073b2bdd2aff2f4f3f1d9a07baca52dd33975bbe7ac37be94d21ae628449a8db55c6386be4a184d9029919e10b08725a6aaae41d82090aa63e33d3f7d35df

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_Files_\NewUse.docx
    Filesize

    19KB

    MD5

    fe4a723a7e0845afa11ca361400564d9

    SHA1

    538afe9b8d8813909ae6eeed6de746fc9a456682

    SHA256

    defe5d5f8354ca67c8ba9b4c0b6bdcc4178219081c28c25ec67ca39b173caf4c

    SHA512

    2640a15b02738e075c812bf6bea1446e152ae173f57cb6abc0bba6be96a9914fdb64f8adf3eb3330ca7fc63da9b8b1d6df3a28e7f59c384ac23290d01dcb3fc2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_Files_\RenamePublish.docx
    Filesize

    16KB

    MD5

    8b2f9e4f90171fd0c9036be891d3fbe3

    SHA1

    d6d8190729c2c6c6a26da0d4796d7b743da8862a

    SHA256

    244891761f7b3bf26d623bf5ccf3fd73d684d13c634e0667c96eebce76b834b6

    SHA512

    bae33a9584fcaec368b53eb2610061ab57b426b109f93936e098feffb72cc39f40db598c1763260d26b3f8a726705c8e7f7286302c45769b10437694f27a4f5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atiu4igd.cub.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/4948-15-0x00007FF8468F0000-0x00007FF8473B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4948-18-0x000001EC38E00000-0x000001EC38E0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4948-17-0x000001EC50F80000-0x000001EC50F92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4948-16-0x00007FF8468F0000-0x00007FF8473B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4948-4-0x00007FF8468F3000-0x00007FF8468F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4948-26-0x00007FF8468F0000-0x00007FF8473B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4948-5-0x000001EC38DB0000-0x000001EC38DD2000-memory.dmp

    Filesize

    136KB

    Download