Analysis
Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-12-2024 05:37
Behavioral tasks
- behavioral1: sample cred64.dll, resource win7-20240903-en
- behavioral2: sample cred64.dll, resource win10v2004-20241007-en
General
Target: cred64.dll
Size: 1.2MB
MD5: d862c12a4467ebae581a8c0cc3ea2211
SHA1: 9e797375b9b4422b2314d3e372628643ccf1c5db
SHA256: 47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d
SHA512: cf6545df4a244bb7dc699a565759f97c759ba19bcc9ad9ad91a20cd07aee19cbe10eb82dd21416b717581b34dc4f24ba6d43a00e7d8018b8be133dbbc9e8113c
SSDEEP: 24576:MO/VvL5QafhQsnoXyaoMferXQ5rnxQBuLv8Y4JKMfUO9l:Z5nfhQzOMoA5rnxHv8PKre
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow  pid  Process
  3     688  rundll32.exe
  20    688  rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steal credentials from unsecured files.
- Command and Scripting Interpreter: PowerShell
  pid   Process
  2448  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                         Process
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
- System Network Configuration Discovery: Wi-Fi Discovery (1 TTPs, 1 IoCs)
  Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
  pid   Process
  1396  netsh.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  688   rundll32.exe (12 entries)
  2448  powershell.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2448  powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid  Process       procid_target
  PID 688 wrote to memory of 1396  688  rundll32.exe  82
  PID 688 wrote to memory of 1396  688  rundll32.exe  82
  PID 688 wrote to memory of 2448  688  rundll32.exe  91
  PID 688 wrote to memory of 2448  688  rundll32.exe  91
Processes
- C:\Windows\system32\rundll32.exe (PID 688)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred64.dll,#1
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\netsh.exe (PID 1396)
    Command line: netsh wlan show profiles
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2448)
    Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\089630652159_Desktop.zip' -CompressionLevel Optimal
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)
Downloads