Analysis

- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 04:30
Static task: static1

Behavioral task: behavioral1
- Sample: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
- Resource: win10v2004-20240226-en
General

- Target: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
- Size: 17KB
- MD5: f65c184e73a2f550bb5d60622a640a35
- SHA1: d97f8b0fc437ae3bc8e5146fadb100ac38f0e76f
- SHA256: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931
- SHA512: b8290edefd50a823b86c8d2ec5de5e9aec903457445afb51dd6bc3d11b9eaf6a42c071521451fc12639ffc81437ab11736f354a8dfe3edc59c5f2d707950a334
- SSDEEP: 384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/bY:ljjAQ+BzWPEwnE+KHM2/bY
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - pid: 3012; process: svhost.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svhost.exe, 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"; process: svhost.exe
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"; process: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe

- Drops file in Windows directory (2 IoCs)
  Processes: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe, svhost.exe
  - description: File created; ioc: C:\Windows\svhost.exe; process: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
  - description: File created; ioc: C:\Windows\svhost.exe; process: svhost.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe, svhost.exe
  - description: Token: SeDebugPrivilege; pid: 2956; process: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
  - description: Token: SeDebugPrivilege; pid: 3012; process: svhost.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
  - description: PID 2956 wrote to memory of 3012; pid: 2956; process: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe; target process: svhost.exe (the same entry is recorded 4 times)
Processes

- C:\Users\Admin\AppData\Local\Temp\5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe (process tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

- C:\Windows\svhost.exe (process tree level 2)
  Command line: "C:\Windows\svhost.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Users\Admin\AppData\Local\Temp\C8aWSQbOaWzBQGm.exe
  Filesize: 17KB
  MD5: fcefccbb6b35bab3d4e8c190764fcb9c
  SHA1: 75f2457e009abb6d4df4dc01bb957f221eccded3
  SHA256: 44cb3388062bfa8ed312624ae54066c02de1940c4d4c656b5a1a498ce4dc52d4
  SHA512: 82b76eeaa41ef2004b309d55c9d99d8b4f26d311d8a559f80c5771b30f726427134f8d84609754448b0d0e107a07725a79fe7485a6e75e56de0605e0c81715d0

- C:\Windows\svhost.exe
  Filesize: 16KB
  MD5: 5e7c375139b7453abd0b91a8a220f8e5
  SHA1: 88a3d645fab0f4129c1e485c90b593ab60e469ae
  SHA256: 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
  SHA512: 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2