5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:30

Target

5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
Size

17KB
MD5

f65c184e73a2f550bb5d60622a640a35
SHA1

d97f8b0fc437ae3bc8e5146fadb100ac38f0e76f
SHA256

5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931
SHA512

b8290edefd50a823b86c8d2ec5de5e9aec903457445afb51dd6bc3d11b9eaf6a42c071521451fc12639ffc81437ab11736f354a8dfe3edc59c5f2d707950a334
SSDEEP

384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/bY:ljjAQ+BzWPEwnE+KHM2/bY

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

2112 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2112	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

svhost.exe5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe

Drops file in Windows directory 2 IoCs

Processes:

5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exesvhost.exe

description ioc process

File created C:\Windows\svhost.exe 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
File created C:\Windows\svhost.exe svhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exesvhost.exe

description pid process

Token: SeDebugPrivilege 4964 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
Token: SeDebugPrivilege 2112 svhost.exe

description	ioc	process
File created	C:\Windows\svhost.exe	5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
File created	C:\Windows\svhost.exe	svhost.exe

description	pid	process
Token: SeDebugPrivilege	4964	5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
Token: SeDebugPrivilege	2112	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe

description	pid	process	target process
PID 4964 wrote to memory of 2112	4964	5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe	svhost.exe
PID 4964 wrote to memory of 2112	4964	5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe	svhost.exe
PID 4964 wrote to memory of 2112	4964	5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe	svhost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:2280

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
734KB

MD5
1383d227f99ce4f70d9777facbdccec5

SHA1
fe3c3ba37bab827a7dd69b5b3c2c8a27705c8db7

SHA256
149a7d27d3356ea8b339a30431d9c36c61f8fc4a637b7860ef8ce3a0feb7790a

SHA512
56410b9a55e301155e3b414b35b5ed229eb1e4f85790c01890d7cec4f4fd86774e1d32072dec8dda0204ce3c0a36273d540d8a567689238d8226fff1ff53b038

Download Submit
C:\Users\Admin\AppData\Local\Temp\KbR196NomtQYOZZ.exe
Filesize
17KB

MD5
560266ff3016ba766b9bf4a3451713a1

SHA1
e193682afc4e11aee78de5247f811c9c0b2daa36

SHA256
832da3d8fe153ebb68d41b8f9f48e0344f35f70b06003b802e293aafe481428f

SHA512
23ef6e70406a04b52f4c83f4be39d5bd3512ec36010f98580f3bda62443629a3ba42e72a236ffc0d8e8c180f0a341a36a749f28f3ea6e90d6f51fef3f9ddc7da

Download Submit
C:\Windows\svhost.exe
Filesize
16KB

MD5
5e7c375139b7453abd0b91a8a220f8e5

SHA1
88a3d645fab0f4129c1e485c90b593ab60e469ae

SHA256
36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8

SHA512
0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2

Download Submit