Analysis

  • max time kernel
    94s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2024 05:44

General

  • Target

    cred64.dll

  • Size

    1.2MB

  • MD5

    d862c12a4467ebae581a8c0cc3ea2211

  • SHA1

    9e797375b9b4422b2314d3e372628643ccf1c5db

  • SHA256

    47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d

  • SHA512

    cf6545df4a244bb7dc699a565759f97c759ba19bcc9ad9ad91a20cd07aee19cbe10eb82dd21416b717581b34dc4f24ba6d43a00e7d8018b8be133dbbc9e8113c

  • SSDEEP

    24576:MO/VvL5QafhQsnoXyaoMferXQ5rnxQBuLv8Y4JKMfUO9l:Z5nfhQzOMoA5rnxHv8PKre

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred64.dll,#1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      • System Network Configuration Discovery: Wi-Fi Discovery
      PID:3464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\878641211696_Desktop.zip' -CompressionLevel Optimal
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\878641211696_Desktop.zip

    Filesize

    46KB

    MD5

    99518c85ed13fffe3c7a2409b43152e8

    SHA1

    701096406e1e0795665de84b213be0095291f903

    SHA256

    f0fb701a7ba1904c5e95d499c91f3ccd81fca82585bd20a2ed8ca1aa0f050540

    SHA512

    fe28cf44b4f933c900d776f6d6d1681dfd18ab180852cf681663c60c4267a783ad3fd63f150aa9d60bf74ec8e6f481f446a5c4948f0fa683d1863444cb36f3f9

  • C:\Users\Admin\AppData\Local\Temp\_Files_\DisconnectUninstall.docx

    Filesize

    17KB

    MD5

    f2b6f1e4d50d00f54f02f8f8839e4ea9

    SHA1

    05139cd38edd8a202a56850fe64fdf4098c9af21

    SHA256

    98ba6c2341944edabf3b0bc9ee657d967f707289c172e5b8ff54849f6f9686c9

    SHA512

    98d2f0114d04787f861670b1350d93ab71de210767fd2324fb22eb77f38ca7f4bb24e561dc4de83d76b5f90469cdac91657e751f15db64ac7166839e746fa399

  • C:\Users\Admin\AppData\Local\Temp\_Files_\MergeGet.docx

    Filesize

    13KB

    MD5

    fef4ead5003faaca918a6e4a6c58e4ac

    SHA1

    a41c4f109e5f1ebb1753cdb42d97e6fc3f769e43

    SHA256

    39e6a7dcb72ccc78fbc5b7559eaa5bfbdc2a9113f55480986840be0d9985f85e

    SHA512

    645159f0fe3a57f22ece8dad3e7de607ec2ca0880d3a1fba1eb943816fc899242be240b1d9eb51379b2588f55357fe8ea17ffd861e98c5f7fcf467fca24f3df3

  • C:\Users\Admin\AppData\Local\Temp\_Files_\StartBackup.docx

    Filesize

    14KB

    MD5

    2e42229b5bc35c003d9c84eed8dbefc4

    SHA1

    f1b1f4776c9efcfbb793d0e7767c766bdc2a0dfc

    SHA256

    3673a4545f1da879d52b9f305c74c33e593fdffaab989b4514d065fd89f5d75f

    SHA512

    b9aa26927def5152e68b82529bd6b2556f49cbe7ffef4ca17d0c81d4a3d04db3bd8f0fd0d306faf5008f952416124b24ea633a96afe641167a5a236df77c9ab6

  • C:\Users\Admin\AppData\Local\Temp\_Files_\StepRename.xlsx

    Filesize

    11KB

    MD5

    806aaeb49a29cbdf1e74a3301ba8fd80

    SHA1

    955e4dc6a439d0bf5f4ebd071bfbb1049bccdc0a

    SHA256

    88f08f13316898076d5cbccd33feff83b825396690bc33c98cb55454131b36e1

    SHA512

    6b45dd90fb46383c37c5bbfa4d8d9ba0e7a7e966a7701e7414204bc787c07b94b2abae2f367e8f2654dd5ceef7214d6a80a415fc07726e951a0290c015dc923e

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wb4j5r0n.o10.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/4924-15-0x00007FFA997E0000-0x00007FFA9A2A1000-memory.dmp

    Filesize

    10.8MB

  • memory/4924-18-0x0000022984770000-0x000002298477A000-memory.dmp

    Filesize

    40KB

  • memory/4924-17-0x0000022984C80000-0x0000022984C92000-memory.dmp

    Filesize

    72KB

  • memory/4924-16-0x00007FFA997E0000-0x00007FFA9A2A1000-memory.dmp

    Filesize

    10.8MB

  • memory/4924-4-0x00007FFA997E3000-0x00007FFA997E5000-memory.dmp

    Filesize

    8KB

  • memory/4924-26-0x00007FFA997E0000-0x00007FFA9A2A1000-memory.dmp

    Filesize

    10.8MB

  • memory/4924-5-0x0000022984C50000-0x0000022984C72000-memory.dmp

    Filesize

    136KB