Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2024 05:37

General

  • Target

    cred64.dll

  • Size

    1.2MB

  • MD5

    d862c12a4467ebae581a8c0cc3ea2211

  • SHA1

    9e797375b9b4422b2314d3e372628643ccf1c5db

  • SHA256

    47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d

  • SHA512

    cf6545df4a244bb7dc699a565759f97c759ba19bcc9ad9ad91a20cd07aee19cbe10eb82dd21416b717581b34dc4f24ba6d43a00e7d8018b8be133dbbc9e8113c

  • SSDEEP

    24576:MO/VvL5QafhQsnoXyaoMferXQ5rnxQBuLv8Y4JKMfUO9l:Z5nfhQzOMoA5rnxHv8PKre

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions (saved host, user name and password entries).

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Reads credentials from unsecured files on disk (ATT&CK T1552.001).

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Spawns powershell.exe (ATT&CK T1059.001). In this run the only PowerShell command observed archives the staged files under %TEMP%\_Files_ into a zip (see Processes).

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. This signature (ATT&CK T1546.007) fires on netsh.exe activity in general; the only netsh command line observed in this run is "netsh wlan show profiles", which is discovery, not registration of a helper DLL ("netsh add helper"). Treat this hit as a false positive for persistence unless the DLL is also seen writing under HKLM\SOFTWARE\Microsoft\NetSh.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems (ATT&CK T1016.002). "netsh wlan show profiles" lists saved profile names only; the observed command line does not include "key=clear", which would be needed to dump the stored passphrase of a named profile.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred64.dll,#1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      • System Network Configuration Discovery: Wi-Fi Discovery
      PID:1396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\089630652159_Desktop.zip' -CompressionLevel Optimal
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2448
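
The process tree above is the most reliable thing to detect: a DLL loaded by rundll32.exe from a user-writable Temp directory via an ordinal export, which then spawns netsh for Wi-Fi profile discovery and PowerShell Compress-Archive to stage collected files in Temp. The script below is an added example (not part of this report, the sandbox, or the sample) that runs that correlation over constructed Sysmon Event ID 1 style records, simplified to pid/ppid/image/command line, reproducing the PIDs 688, 1396 and 2448 from the tree plus a benign administrator running the same netsh command from cmd.exe. All field names and the severity scheme are assumptions chosen for the example.

```python
"""Detection logic for the rundll32 -> netsh / powershell chain seen in this report.

Runs over constructed, Sysmon-style process-creation records (Event ID 1,
simplified to pid / ppid / image / cmd). Example code, not from the report.
"""
import re
from typing import Dict, List, Set

# Constructed events: the three processes from the report's tree plus a benign
# interactive "netsh wlan show profiles" from cmd.exe that must NOT be escalated.
SAMPLE_EVENTS = [
    {"pid": 688, "ppid": 4321, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred64.dll,#1"},
    {"pid": 1396, "ppid": 688, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": "netsh wlan show profiles"},
    {"pid": 2448, "ppid": 688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\089630652159_Desktop.zip' -CompressionLevel Optimal"},
    {"pid": 880, "ppid": 500, "image": r"C:\Windows\system32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 900, "ppid": 880, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": "netsh wlan show profiles"},
]

# Script/DLL hosts that should not normally be the parent of discovery or archiving.
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
ORDINAL_EXPORT = re.compile(r"\.dll\s*,\s*#\d+", re.I)          # "cred64.dll,#1"
DEST_PATH = re.compile(r"-destinationpath\s+'([^']+)'", re.I)   # Compress-Archive target


def image_name(path: str) -> str:
    """Lower-cased basename of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> Set[str]:
    """Tag a single event with the behaviours from the report that it matches."""
    tags: Set[str] = set()
    name, cmd = image_name(ev["image"]), ev["cmd"]
    low = cmd.lower()
    if name == "rundll32.exe" and ORDINAL_EXPORT.search(cmd) and USER_TEMP.search(cmd):
        tags.add("dll_by_ordinal_from_user_temp")
    if name == "netsh.exe" and "wlan" in low and "show" in low and "profile" in low:
        tags.add("wifi_profile_discovery")          # ATT&CK T1016.002
        if "key=clear" in low:
            tags.add("wifi_key_dump")               # passphrase disclosure, not seen in this run
    if name in {"powershell.exe", "pwsh.exe"} and "compress-archive" in low:
        m = DEST_PATH.search(cmd)
        if m and USER_TEMP.search(m.group(1)):
            tags.add("archive_staging_in_temp")     # ATT&CK T1560 (archive collected data)
    return tags


def analyze(events: List[dict]) -> List[dict]:
    """Correlate tagged events with their ancestry and assign a severity."""
    by_pid: Dict[int, dict] = {e["pid"]: e for e in events}

    def ancestors(pid: int, depth: int = 5) -> List[str]:
        chain, ev = [], by_pid.get(pid)
        while ev is not None and depth > 0:
            chain.append(image_name(ev["image"]))
            ev, depth = by_pid.get(ev["ppid"]), depth - 1
        return chain

    findings = []
    for ev in events:
        tags = classify(ev)
        if not tags:
            continue
        chain = ancestors(ev["pid"])
        hosted_by_lolbin = any(n in LOLBIN_HOSTS for n in chain[1:])
        if "dll_by_ordinal_from_user_temp" in tags or hosted_by_lolbin:
            severity = "high"
        else:
            severity = "info"   # e.g. an admin typing "netsh wlan show profiles" in cmd.exe
        findings.append({"pid": ev["pid"], "tags": sorted(tags),
                         "chain": chain, "severity": severity})
    return findings


def high_severity_pids(events: List[dict]) -> List[int]:
    return sorted(f["pid"] for f in analyze(events) if f["severity"] == "high")


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['severity']:<4} pid={f['pid']:<5} {' <- '.join(f['chain'])}  {f['tags']}")
```

The severity decision deliberately keys on ancestry rather than on the netsh or PowerShell command alone: "netsh wlan show profiles" is routine from an interactive shell, but the same command with rundll32.exe (or another script host) in its parent chain, alongside Compress-Archive writing into the same user's Temp, is the pattern this report shows and is worth an alert on its own.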

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\089630652159_Desktop.zip

    Staging archive produced by the Compress-Archive command in the process tree; it packages the contents of the _Files_ directory (the four Office documents listed below).

    Filesize

    44KB

    MD5

    6e906189903cb52c1ae65d23a5519d5a

    SHA1

    9a4389efab359a9ca07520d242500c8ae43fb359

    SHA256

    90b218af0466d742e11de9a7d86060cebec7fb022d5c144d6fcacde4f65f3cb6

    SHA512

    8f43c6265aa9c7cbe500e13755e3300a3172a027489e8c1fbfb47483a1195d9f009630c9bcaf481dc7e36010a7c1c8f0aa9d79e3b428f6eb3fa4fcd841fcb100

  • C:\Users\Admin\AppData\Local\Temp\_Files_\ApproveMerge.docx

    Filesize

    13KB

    MD5

    0d1b70fbbce81a2ade65547137b6ad78

    SHA1

    d6f26f9f6368705d3455303f112744fda4c343a6

    SHA256

    332a288cdbaeceaf1dea244e7b671f7af0bd2d9705a5c1068954596700233342

    SHA512

    36c2eac78d52305c475a69c6d13d60ad2f903e6d9903d207d0998cac141ac70d7d762d9488bd44231e8076f601f3393fa8ad9e2f98aed08c2a8e98152da87abe

  • C:\Users\Admin\AppData\Local\Temp\_Files_\DebugProtect.xlsx

    Filesize

    14KB

    MD5

    b34eb42243a83ef8847574680c15e30b

    SHA1

    7862cd0ffaeb4ebe91f2752043d752a7ab18d470

    SHA256

    b08cb40b87301d92da8096bbad9b185962fd77f56c89fb5ddd59c63143306ad8

    SHA512

    5432fa065376cbe2092d11816cefe39d8e2bd41542daa2ce4ec9a62f0bd6fc7e2664b1d550dab531dc037e2d093347aaed5a3d711c94eb65e453a6f7c193812d

  • C:\Users\Admin\AppData\Local\Temp\_Files_\StepInvoke.xlsx

    Filesize

    11KB

    MD5

    f7b7516669f775dd6306cd2880b3f899

    SHA1

    a055e8224af1b02fb34f5dbf21e826b60c3fa475

    SHA256

    8bfe40011585ec8cd103a10b8d7cf33fd82d1989427dc8fbfff0533f18d2ea4d

    SHA512

    38b625a673d2cc26a3f953ecede4413f2899f73ed23ccef13585cb43d2181afff2b4ea083a47d305765855d6bbed67f2e1d99fc6b99f4a932b8416ef0956cba0

  • C:\Users\Admin\AppData\Local\Temp\_Files_\TraceUnprotect.docx

    Filesize

    15KB

    MD5

    feb5e864f456ea0d3f050d365a685f06

    SHA1

    5d0d6e13bb6c88c53d6f2efab6dec085cbdf73b0

    SHA256

    d024af9341abda2d45c701ede1bf4f7c6128474f988d103426d5ba299298e54b

    SHA512

    9776ab840654ee671537827cf4d97e5be171e7765227b4eb71c98eaa572574e232c3eebfb47a5990f7ed9c7b3fb331fb47e85deb9e5849d87b5919c0e8a71d35

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oojhjmuk.m2j.ps1

    Written by powershell.exe itself at startup to test whether AppLocker/WDAC script enforcement applies to it; a side effect of the PowerShell launch, not a payload dropped by cred64.dll.

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2448-15-0x00007FF8CD160000-0x00007FF8CDC21000-memory.dmp

    Filesize

    10.8MB

  • memory/2448-18-0x000001E7414A0000-0x000001E7414AA000-memory.dmp

    Filesize

    40KB

  • memory/2448-17-0x000001E7414C0000-0x000001E7414D2000-memory.dmp

    Filesize

    72KB

  • memory/2448-16-0x00007FF8CD160000-0x00007FF8CDC21000-memory.dmp

    Filesize

    10.8MB

  • memory/2448-4-0x00007FF8CD163000-0x00007FF8CD165000-memory.dmp

    Filesize

    8KB

  • memory/2448-26-0x00007FF8CD160000-0x00007FF8CDC21000-memory.dmp

    Filesize

    10.8MB

  • memory/2448-11-0x000001E740FA0000-0x000001E740FC2000-memory.dmp

    Filesize

    136KB