90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
Size

17KB
MD5

8fa3dd62f631efdf7b9b83867ef09306
SHA1

5905132021451f9d57da6b9f2b00dd008eddd086
SHA256

90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36
SHA512

be632ef685ad5c791a09fa6095b3c3f46f563f6d6e14527c872c9cfa234fdf8071251261a4fd24bef7ad0694337ab84778b7c156d02604670841a058b37777a8
SSDEEP

384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/6ZwN:ljjAQ+BzWPEwnE+KHM2/6Z0

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

2656 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2656	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exesvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe

Drops file in Windows directory 2 IoCs

Processes:

90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exesvhost.exe

description	ioc	process
File created	C:\Windows\svhost.exe	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
File created	C:\Windows\svhost.exe	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	2924	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
Token: SeDebugPrivilege	2656	svhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe

description	pid	process	target process
PID 2924 wrote to memory of 2656	2924	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe	svhost.exe
PID 2924 wrote to memory of 2656	2924	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe	svhost.exe
PID 2924 wrote to memory of 2656	2924	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe	svhost.exe
PID 2924 wrote to memory of 2656	2924	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
"C:\Users\Admin\AppData\Local\Temp\90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eJHpsL4b9q9jp8M.exe
Filesize
17KB

MD5
ba2926812108d61607da442a850a8b84

SHA1
a358157ac94f81ec6da7bb199950353bb2f020bf

SHA256
fb63a86814b003f56d219e12f3badd9f401f0afb2e4729373e8fc3679e7666f6

SHA512
18e11a5965170e1dea24af6075697673d642dfd515ce8260ae1d605b807f00812a8656f9ba10a5cdf97db79e9fc755b635085c818e171c2cd7891e289302379a

Download Submit
C:\Windows\svhost.exe
Filesize
16KB

MD5
5e7c375139b7453abd0b91a8a220f8e5

SHA1
88a3d645fab0f4129c1e485c90b593ab60e469ae

SHA256
36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8

SHA512
0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2

Download Submit