Analysis
-
max time kernel
42s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 03:41
Behavioral task
behavioral1
Sample
47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d.dll
Resource
win10v2004-20241007-en
General
-
Target
47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d.dll
-
Size
1.2MB
-
MD5
d862c12a4467ebae581a8c0cc3ea2211
-
SHA1
9e797375b9b4422b2314d3e372628643ccf1c5db
-
SHA256
47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d
-
SHA512
cf6545df4a244bb7dc699a565759f97c759ba19bcc9ad9ad91a20cd07aee19cbe10eb82dd21416b717581b34dc4f24ba6d43a00e7d8018b8be133dbbc9e8113c
-
SSDEEP
24576:MO/VvL5QafhQsnoXyaoMferXQ5rnxQBuLv8Y4JKMfUO9l:Z5nfhQzOMoA5rnxHv8PKre
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 3 2648 rundll32.exe 5 2648 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
pid Process 1664 powershell.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 2684 netsh.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2648 rundll32.exe 2648 rundll32.exe 2648 rundll32.exe 2648 rundll32.exe 2648 rundll32.exe 2648 rundll32.exe 1664 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1664 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2648 wrote to memory of 2684 2648 rundll32.exe 30 PID 2648 wrote to memory of 2684 2648 rundll32.exe 30 PID 2648 wrote to memory of 2684 2648 rundll32.exe 30 PID 2648 wrote to memory of 1664 2648 rundll32.exe 33 PID 2648 wrote to memory of 1664 2648 rundll32.exe 33 PID 2648 wrote to memory of 1664 2648 rundll32.exe 33
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d.dll,#11⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\system32\netsh.exenetsh wlan show profiles2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\846800975391_Desktop.zip' -CompressionLevel Optimal2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664
-