Analysis
max time kernel: 154s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-01-2024 06:01
Static task: static1
Behavioral task: behavioral1
Sample: 55ad5511c274efcd7a9dd6c30099fdcb.exe
Resource: win7-20231129-en
General
Target: 55ad5511c274efcd7a9dd6c30099fdcb.exe
Size: 7.6MB
MD5: 55ad5511c274efcd7a9dd6c30099fdcb
SHA1: 5f6dab14077c666d8038d7ec1ecd5d45172408bb
SHA256: bfe6020f35c465bf683a53a3be8e59ea595e6a2a8b5403f4b1787fabeb2b4b56
SHA512: ed011d25d0672b80096d2691bdff4adc41cb19817761fedf277d1f91df7b0aebecfe97c11da52b77bcc36e040c12aff1328db414c4c3577f4a6ab82ff2f26fb9
SSDEEP: 196608:tvcG0tb8P1EYNLGwSzqJ4dUEEyFKKYA/YeVI:SG8bg1Ecwn5ElURVI
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid | Process
4564 | servbrow.exe
1428 | servbrow.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Drops file in System32 directory (19 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\errorPageStrings[1] | servbrow.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\navcancl[1] | servbrow.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ErrorPageTemplate[1] | servbrow.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\errorPageStrings[1] | servbrow.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\info_48[1] | servbrow.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | servbrow.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\background_gradient[1] | servbrow.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\httpErrorPagesScripts[1] | servbrow.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\httpErrorPagesScripts[1] | servbrow.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\info_48[1] | servbrow.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | servbrow.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | servbrow.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ErrorPageTemplate[1] | servbrow.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\bullet[1] | servbrow.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\bullet[1] | servbrow.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\background_gradient[1] | servbrow.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | servbrow.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | servbrow.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\navcancl[1] | servbrow.exe
Drops file in Program Files directory (6 IoCs)
description | ioc | Process
File created | C:\Program Files\7-Zip\Ws2Help.dll | 55ad5511c274efcd7a9dd6c30099fdcb.exe
File opened for modification | C:\Program Files\7-Zip\Ws2Help.dll | 55ad5511c274efcd7a9dd6c30099fdcb.exe
File created | C:\Program Files\VideoLAN\VLC\Ws2Help.dll | 55ad5511c274efcd7a9dd6c30099fdcb.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\Ws2Help.dll | 55ad5511c274efcd7a9dd6c30099fdcb.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\Ws2Help.dll | 55ad5511c274efcd7a9dd6c30099fdcb.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Ws2Help.dll | 55ad5511c274efcd7a9dd6c30099fdcb.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\servbrow.exe | 55ad5511c274efcd7a9dd6c30099fdcb.exe
Modifies data under HKEY_USERS (8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | servbrow.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | servbrow.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | servbrow.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | servbrow.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | servbrow.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | servbrow.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | servbrow.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | servbrow.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeTcbPrivilege | 4564 | servbrow.exe
Token: SeChangeNotifyPrivilege | 4564 | servbrow.exe
Token: SeIncreaseQuotaPrivilege | 4564 | servbrow.exe
Token: SeAssignPrimaryTokenPrivilege | 4564 | servbrow.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
4140 | 55ad5511c274efcd7a9dd6c30099fdcb.exe
4564 | servbrow.exe
1428 | servbrow.exe
1428 | servbrow.exe
1428 | servbrow.exe
1428 | servbrow.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4564 wrote to memory of 1428 | 4564 | servbrow.exe | 102
PID 4564 wrote to memory of 1428 | 4564 | servbrow.exe | 102
PID 4564 wrote to memory of 1428 | 4564 | servbrow.exe | 102
Processes

C:\Users\Admin\AppData\Local\Temp\55ad5511c274efcd7a9dd6c30099fdcb.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\55ad5511c274efcd7a9dd6c30099fdcb.exe"
  PID: 4140
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

C:\Windows\servbrow.exe (depth 1)
  Command line: "C:\Windows\servbrow.exe" /Service
  PID: 4564
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\servbrow.exe (depth 2, child of the /Service instance above)
    Command line: "C:\Windows\servbrow.exe" /Popup
    PID: 1428
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 7.6MB
MD5: 28491017ac36f17509a2a209da99efda
SHA1: 12c9a27204b91d7abe290651d8412b3ce9959f29
SHA256: 3a534fffab40ac4d00303b1ba65a5aa6cbb4b5f8b2321a49d4b36ee25e39ff4b
SHA512: fa3e1a717d24b549b0dd26cbdbf9074296bc209935fc1bfb228dd76e0cb7f4540d6ab88a0ff9a0324eb0809815d8fa6978e70f246067be147ca610f4c4f6cd06

Filesize: 2.7MB
MD5: 1c0fd8f315c56ed784e3661decaa4f95
SHA1: 4d47fd2185ec6705c8889107259940c18dcea27d
SHA256: 3ba48b7fd7532d00d8f76114dcefb377b4d2bbe85f13ec064497e0e83b1b6c73
SHA512: e6f6bfccdba48609900c141dc07f37fc6d5bb1b3834a52c207eb3b01e6250c2bd41878cd9cd303057c4d47cebfab5cfa282db581bb701d0a49b072b63ef2d17e

Filesize: 2.6MB
MD5: ae0b12f04f64e1849747ec6fe350ac77
SHA1: 91c68a17922169a902fec34c66d7fbc56c511bfc
SHA256: 9b8862ab4c95ac2e245b923e0144f465c5dec3e98a42af2887caf22c6442b046
SHA512: c46a7537cf74172e90d394632eec9c29b0711f5e42a1d46b53733bd886037ae2e6637e91c1a511cf620599c2644a42c8eb5d6a62319f0cbce558be4e91f30016

Filesize: 4.9MB
MD5: 2f7cc6613ab44cc8f430a82a499be23f
SHA1: 3465692df4a8369ef896f08380dcf3b580cf0cc6
SHA256: 9ffd57aeec3af9e5f4a17628df4e74706bdb12d4629d1bef15c4e519425aef43
SHA512: c0cbaa36b71e53c399d7058de010369f2d06b927157280062a66b8fc267b51cfe4d652ce4d056d1c67ff79fc37bc097b8794547d9b3264f72a61d74551fa23ff