5548e3f2fc8fd47a3dd27af6cecd5d99d8272d2f9b557cdd860361ef66f13dcf

Analysis

max time kernel
118s
max time network
135s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5548e3f2fc8fd47a3dd27af6cecd5d99d8272d2f9b557cdd860361ef66f13dcf.exe
Size

16KB
MD5

68f579185495d48fd281dbd792d41890
SHA1

c8f93b03af2333d7b7e59bd8ce38db3a30e3fad5
SHA256

5548e3f2fc8fd47a3dd27af6cecd5d99d8272d2f9b557cdd860361ef66f13dcf
SHA512

c982c785a051eb0fb6320fecdb08ad1618658f6ba0922ecdb0da4637e6d7499af3934dbf380cdad39352c15dc8b2ec16f097f07470f5d1bed8cc4fc1b2758e18
SSDEEP

192:LFBkqyIfgm64++u6gzYMzZ0dqsEq65+O0I5L0pJ/WDvd0EtITbKH62RTs2/fXSb:LFfoQ+DfYMzKdPEsOuubuEG3KHM2/qb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1244	svhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	5548e3f2fc8fd47a3dd27af6cecd5d99d8272d2f9b557cdd860361ef66f13dcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	svhost.exe
File created	C:\Windows\svhost.exe	5548e3f2fc8fd47a3dd27af6cecd5d99d8272d2f9b557cdd860361ef66f13dcf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	5548e3f2fc8fd47a3dd27af6cecd5d99d8272d2f9b557cdd860361ef66f13dcf.exe
Token: SeDebugPrivilege	1244	svhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1244	2016	5548e3f2fc8fd47a3dd27af6cecd5d99d8272d2f9b557cdd860361ef66f13dcf.exe	28
PID 2016 wrote to memory of 1244	2016	5548e3f2fc8fd47a3dd27af6cecd5d99d8272d2f9b557cdd860361ef66f13dcf.exe	28
PID 2016 wrote to memory of 1244	2016	5548e3f2fc8fd47a3dd27af6cecd5d99d8272d2f9b557cdd860361ef66f13dcf.exe	28
PID 2016 wrote to memory of 1244	2016	5548e3f2fc8fd47a3dd27af6cecd5d99d8272d2f9b557cdd860361ef66f13dcf.exe	28

C:\Users\Admin\AppData\Local\Temp\5548e3f2fc8fd47a3dd27af6cecd5d99d8272d2f9b557cdd860361ef66f13dcf.exe
"C:\Users\Admin\AppData\Local\Temp\5548e3f2fc8fd47a3dd27af6cecd5d99d8272d2f9b557cdd860361ef66f13dcf.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\svhost.exe
  "C:\Windows\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oCIwV5XWxrDHtxa.exe

Filesize
283B

MD5
1e1d2461ed620e12bcdfea09ef053c22

SHA1
a1ed4f8109a264744ad264e49cb0a11e2177be5a

SHA256
156f5c76c51ce8294da5a48ce696fc0205de3cd34c4754cf852b6910d5efc6e8

SHA512
ca12651ce32858668b52d9d193c744918fd2d033c34b06877d64e1dd4d37cf221eec2477e03ba9f23af1dc1de64fcc7cf4380818dd0f06fb5f121915f894e949

Download Submit
C:\Users\Admin\AppData\Local\Temp\oCIwV5XWxrDHtxa.exe

Filesize
16KB

MD5
4b28be21f6b1193fe4bda4938e5f7561

SHA1
79f39ab67bed8e599ebb7a054d3b27f4808a67cf

SHA256
35e247a4e1a6ebdd0bee23a56c66cf1b832d8afe3b9daae365ee28af8a47003a

SHA512
c6cf0c42d650d890f3ff99d855fc644b3406c3071c5e82f64b527c374073afadf909c10c21e067cefb36a5d4b52a3d6f86a1f89b7f306aeb4b458b6f542cb2a7

Download Submit
C:\Windows\svhost.exe

Filesize
16KB

MD5
6e8ac5f0331733e06155dc3f934eb5c0

SHA1
dcf85fcfcdb158cd2a6f06a3628340ae3ad2628f

SHA256
0389d9b1a879af51a85461edc95d86328fdd35020059e77b0f1b4171c7bc6a71

SHA512
556b106f066245c151e6da8e56bea928141c5cce7563715e4eb4bac98358d9623bda316d86f2ad972ff8bedff3b7309d3f1e04dcf93ec0227efd978120222b0d

Download Submit
C:\Windows\svhost.exe

Filesize
16KB

MD5
6e8ac5f0331733e06155dc3f934eb5c0

SHA1
dcf85fcfcdb158cd2a6f06a3628340ae3ad2628f

SHA256
0389d9b1a879af51a85461edc95d86328fdd35020059e77b0f1b4171c7bc6a71

SHA512
556b106f066245c151e6da8e56bea928141c5cce7563715e4eb4bac98358d9623bda316d86f2ad972ff8bedff3b7309d3f1e04dcf93ec0227efd978120222b0d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads