Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 04:30
Static task: static1
Behavioral task: behavioral1
  Sample: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
  Resource: win10v2004-20240226-en
General
Target: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
Size: 17KB
MD5: f65c184e73a2f550bb5d60622a640a35
SHA1: d97f8b0fc437ae3bc8e5146fadb100ac38f0e76f
SHA256: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931
SHA512: b8290edefd50a823b86c8d2ec5de5e9aec903457445afb51dd6bc3d11b9eaf6a42c071521451fc12639ffc81437ab11736f354a8dfe3edc59c5f2d707950a334
SSDEEP: 384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/bY:ljjAQ+BzWPEwnE+KHM2/bY
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  2112 | svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: svhost.exe, 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | svhost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
Drops file in Windows directory 2 IoCs
Processes: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe, svhost.exe
  description | ioc | process
  File created | C:\Windows\svhost.exe | 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
  File created | C:\Windows\svhost.exe | svhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe, svhost.exe
  description | pid | process
  Token: SeDebugPrivilege | 4964 | 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
  Token: SeDebugPrivilege | 2112 | svhost.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
  description | pid | process | target process
  PID 4964 wrote to memory of 2112 | 4964 | 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe | svhost.exe
  PID 4964 wrote to memory of 2112 | 4964 | 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe | svhost.exe
  PID 4964 wrote to memory of 2112 | 4964 | 5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe | svhost.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5ebd3b2015863fde16b13e11c18cc68d29a8ce4d537545d4139aefbaf6d7e931.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\svhost.exe
      Command line: "C:\Windows\svhost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  Filesize: 734KB
  MD5: 1383d227f99ce4f70d9777facbdccec5
  SHA1: fe3c3ba37bab827a7dd69b5b3c2c8a27705c8db7
  SHA256: 149a7d27d3356ea8b339a30431d9c36c61f8fc4a637b7860ef8ce3a0feb7790a
  SHA512: 56410b9a55e301155e3b414b35b5ed229eb1e4f85790c01890d7cec4f4fd86774e1d32072dec8dda0204ce3c0a36273d540d8a567689238d8226fff1ff53b038
C:\Users\Admin\AppData\Local\Temp\KbR196NomtQYOZZ.exe
  Filesize: 17KB
  MD5: 560266ff3016ba766b9bf4a3451713a1
  SHA1: e193682afc4e11aee78de5247f811c9c0b2daa36
  SHA256: 832da3d8fe153ebb68d41b8f9f48e0344f35f70b06003b802e293aafe481428f
  SHA512: 23ef6e70406a04b52f4c83f4be39d5bd3512ec36010f98580f3bda62443629a3ba42e72a236ffc0d8e8c180f0a341a36a749f28f3ea6e90d6f51fef3f9ddc7da
C:\Windows\svhost.exe
  Filesize: 16KB
  MD5: 5e7c375139b7453abd0b91a8a220f8e5
  SHA1: 88a3d645fab0f4129c1e485c90b593ab60e469ae
  SHA256: 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
  SHA512: 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2