Analysis
- max time kernel: 94s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-12-2024 05:44
Behavioral tasks
- behavioral1: sample cred64.dll, resource win7-20240903-en
- behavioral2: sample cred64.dll, resource win10v2004-20241007-en
General
- Target: cred64.dll
- Size: 1.2MB
- MD5: d862c12a4467ebae581a8c0cc3ea2211
- SHA1: 9e797375b9b4422b2314d3e372628643ccf1c5db
- SHA256: 47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d
- SHA512: cf6545df4a244bb7dc699a565759f97c759ba19bcc9ad9ad91a20cd07aee19cbe10eb82dd21416b717581b34dc4f24ba6d43a00e7d8018b8be133dbbc9e8113c
- SSDEEP: 24576:MO/VvL5QafhQsnoXyaoMferXQ5rnxQBuLv8Y4JKMfUO9l:Z5nfhQzOMoA5rnxHv8PKre
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  4     4032  rundll32.exe
  22    4032  rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.
  pid   Process
  4924  powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                         Process
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
- System Network Configuration Discovery: Wi-Fi Discovery (1 TTP, 1 IoC)
  Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
  pid   Process
  3464  netsh.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  4032  rundll32.exe (12 entries)
  4924  powershell.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4924  powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process       procid_target
  PID 4032 wrote to memory of 3464  4032  rundll32.exe  85
  PID 4032 wrote to memory of 3464  4032  rundll32.exe  85
  PID 4032 wrote to memory of 4924  4032  rundll32.exe  100
  PID 4032 wrote to memory of 4924  4032  rundll32.exe  100
Processes
- C:\Windows\system32\rundll32.exe (PID 4032)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred64.dll,#1
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\netsh.exe (PID 3464)
    Command line: netsh wlan show profiles
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4924)
    Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\878641211696_Desktop.zip' -CompressionLevel Optimal
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)
Downloads