47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d

Analysis

max time kernel
94s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d.dll
Size

1.2MB
MD5

d862c12a4467ebae581a8c0cc3ea2211
SHA1

9e797375b9b4422b2314d3e372628643ccf1c5db
SHA256

47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d
SHA512

cf6545df4a244bb7dc699a565759f97c759ba19bcc9ad9ad91a20cd07aee19cbe10eb82dd21416b717581b34dc4f24ba6d43a00e7d8018b8be133dbbc9e8113c
SSDEEP

24576:MO/VvL5QafhQsnoXyaoMferXQ5rnxQBuLv8Y4JKMfUO9l:Z5nfhQzOMoA5rnxHv8PKre

Score

8^/10

credential_access discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	3240	rundll32.exe
19	3240	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
212	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2468	netsh.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
212	powershell.exe
212	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2468	3240	rundll32.exe	82
PID 3240 wrote to memory of 2468	3240	rundll32.exe	82
PID 3240 wrote to memory of 212	3240	rundll32.exe	91
PID 3240 wrote to memory of 212	3240	rundll32.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\442511616637_Desktop.zip' -CompressionLevel Optimal
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\442511616637_Desktop.zip

Filesize
92KB

MD5
3ea037ab07d0f378a491793e8f4fb76f

SHA1
a7d0d66ca14bbdb9f81127397ef6ac304edc7561

SHA256
e57f62588fec8fe7db966f5389b58cc2ccb498925b802d40fd538a277945687e

SHA512
c5e1e3ef40c25eb2872a2d4b095c79aedbc18f94926f2ff96135ef98e0ff292156dfbca73a4612caf9a7b4ad10fa3ecbc5e18154ca03975b37278ab199bc0f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\AddCompress.docx

Filesize
13KB

MD5
9858078a0b9a00852629f81d55d50e31

SHA1
030df2436824d1234ea834389afeb0b79b3264a6

SHA256
6662e317ffd6ce3cbec4a268d812b0a20c3fa87215674735ba61d260501cf492

SHA512
f053fe5c707ab1648413801f0f5e38c6be9bdf894c3744ee8724a2ede747341ab2b1ac9f7f9558f1abb691e959d271b46ed226802e3bbc9e42a682198721ec38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\DebugOpen.xlsx

Filesize
15KB

MD5
bcfdf3a2c902a0a26dbf3386bea24c9b

SHA1
7fdfc50d3d697badb2fa3bdd8bc483387b845387

SHA256
5992b029ab3ce2cf41225eeb9045078085331aacf2bc7546e62d7c47426d0ae4

SHA512
1b5a944883110977f190df148e4368f90e052acd5cd2582f9425c3edc3ad7d26b4fabc55bbe2d59f3862bdf54d09e9d76597412ac538a5c8092d9d139abedf3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\FindWrite.xlsx

Filesize
9KB

MD5
987f7e3d25b9c12c2c3403f7e0fd5c1b

SHA1
e14459d5e37c0b483bfc9dd7940fafeb27d537d4

SHA256
5fd2d1217e165e0c2a2d2315a54aa4a6190c3f93b877314abddc3f69b00b3795

SHA512
3a3354c11e72616c493905a328fed16236e00bd8f05e5de29d97915c20e587ab152dfe9783f5afd655e6921588cae4c0c1bf9c142334e9cdf39a51d2aba4d048

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\LockEnter.xlsx

Filesize
10KB

MD5
ab3d87c83f6df408e811720dda58effd

SHA1
7bada66bc38004a873cfd05c7ec882e324555580

SHA256
979914eed123601fcbc69de6da444a197d4c9b8b0b0ed500d268c7922e7feea4

SHA512
74fb22d60be4ccac5c57da57147b2bde9ad68d8c1f6128dd7dea606db27b9d2d56e2b22bbc5d2dc2bbd58086c9b11f495239f86abcbd66dd041de4c6e87e3f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\PushLimit.docx

Filesize
16KB

MD5
e619f5a4f559e144e5e271f8207e1f85

SHA1
5f04915b0c83e7d1b5f164cd4c2d830488adc7d2

SHA256
36d8d0ac08bd4e1d93c6dbe734f7376478a70b7910ca81a2747ba51e1aa3b9b2

SHA512
c87c70b7a7074df5f197816ac3cb6ffdde5865ccb20ee158f186ad3090922bd41f3df3c4862b58ad176d5074964ed80b4055ec4434d5862a6db6b92ffcdf44bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\ReadRevoke.xlsx

Filesize
14KB

MD5
559c56d7fec0bdda1944c05fc1d0185f

SHA1
0229e4e2a676ddc623b0d721d1ecab4bf82dd762

SHA256
e741e8888c968fd33d684f5c6e1bfd390aff9afec382c3aa6eba77f40a871689

SHA512
7bb5e021061828c1cc8931c1e6757c5352540cbe3bae2bd53c209ac7ea5a02c131b49793b3c795d0d07d75e18f3a81e4fd7757fb605f0dd9a2f85b955da684f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\SendPush.docx

Filesize
18KB

MD5
741f3ae5cc8d46cdc989c3ae4c8b8377

SHA1
3113f66f3bd92e1a280f60bc7869242dd554c978

SHA256
fae726f6c2d1449ab22a9293772e40af86df9e260533aa818dc309c4f7830692

SHA512
4f7da1fa3a431f849b4fc1d9ef558cf20a59b703272c1b049ae29bb63bf1d80e0b42baebe581ab59c5e8655e9927c3c010cb140b36b8b282c71d418adae541dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\TraceUpdate.xlsx

Filesize
15KB

MD5
e2dd242f0488cca29b0e63dcd76a4c7e

SHA1
a2091ed2d5c66ce4f40651c3382092577f577bb7

SHA256
a6f08ccb391a0f11c4100164b9bbd8c107f86eb7845535eae20f62ffb54828d9

SHA512
7524b7e1ea2b3ecf35d1f49af46d76d3b4e60afd41aa44474b84cbdebff083d15808a167bc675b5d8bb0442e98aff4de8740111b7f3ce6cccec3f1dbe9c5e532

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0ksb0lj.03t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/212-22-0x00000215C0010000-0x00000215C001A000-memory.dmp

Filesize
40KB

Download
memory/212-21-0x00000215C0020000-0x00000215C0032000-memory.dmp

Filesize
72KB

Download
memory/212-20-0x00007FFB38DD0000-0x00007FFB39891000-memory.dmp

Filesize
10.8MB

Download
memory/212-19-0x00007FFB38DD0000-0x00007FFB39891000-memory.dmp

Filesize
10.8MB

Download
memory/212-8-0x00007FFB38DD3000-0x00007FFB38DD5000-memory.dmp

Filesize
8KB

Download
memory/212-34-0x00007FFB38DD0000-0x00007FFB39891000-memory.dmp

Filesize
10.8MB

Download
memory/212-14-0x00000215BDE10000-0x00000215BDE32000-memory.dmp

Filesize
136KB

Download