Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
24-05-2024 21:32
Static task
static1
Behavioral task
behavioral1
Sample
90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
Resource
win10v2004-20240508-en
General
-
Target
90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
-
Size
17KB
-
MD5
8fa3dd62f631efdf7b9b83867ef09306
-
SHA1
5905132021451f9d57da6b9f2b00dd008eddd086
-
SHA256
90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36
-
SHA512
be632ef685ad5c791a09fa6095b3c3f46f563f6d6e14527c872c9cfa234fdf8071251261a4fd24bef7ad0694337ab84778b7c156d02604670841a058b37777a8
-
SSDEEP
384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/6ZwN:ljjAQ+BzWPEwnE+KHM2/6Z0
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2656  svhost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc                                                                                                              process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"  90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"  svhost.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description   ioc                    process
File created  C:\Windows\svhost.exe  90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
File created  C:\Windows\svhost.exe  svhost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2924  90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
Token: SeDebugPrivilege  2656  svhost.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                        pid   process                                                                   target process
PID 2924 wrote to memory of 2656  2924  90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe  svhost.exe
PID 2924 wrote to memory of 2656  2924  90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe  svhost.exe
PID 2924 wrote to memory of 2656  2924  90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe  svhost.exe
PID 2924 wrote to memory of 2656  2924  90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe  svhost.exe
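The signatures above describe one persistence chain: the submitted sample writes a copy of itself to C:\Windows\svhost.exe (a lookalike of the real svchost.exe, which lives in System32, not in the Windows root), registers it under HKLM\...\CurrentVersion\Run\Winhost (via Wow6432Node, so the process is 32-bit running on x64), then starts it and writes into its memory. Note from the Downloads section that the dropped svhost.exe (16KB, SHA256 36ec...) is not a byte copy of the parent (17KB, SHA256 90d8...), so a hunt keyed only on the parent's hash would miss the persisted file. The following is an added example, not part of the sandbox report: a small Python hunt that parses the report's own registry and file IoC lines (embedded as constructed input, plus one benign Run entry added as a control) and flags Run-key autostarts that point at a lookalike, a binary dropped straight into C:\Windows, or a Temp-resident file, correlating each with file-creation events from the same run. The `LEGIT_HOSTS` allowlist and the benign control line are assumptions, not from the report.

```python
"""Hunt logic for the persistence chain in this report: a dropper writes a
svchost-lookalike into C:\\Windows\\ and registers it under an HKLM Run key.

Added example, not part of the sandbox report. It parses the report's own
registry/file IoC lines (embedded below as constructed input) and flags
Run-key autostarts pointing at a dropped, lookalike, or Temp-resident binary.
"""
import ntpath
import re

# SHA256 values copied from the report. The dropped svhost.exe is NOT a byte
# copy of the parent, so hunting on the parent hash alone misses it.
KNOWN_SHA256 = {
    "90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36": "submitted sample",
    "36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8": r"C:\Windows\svhost.exe",
    "fb63a86814b003f56d219e12f3badd9f401f0afb2e4729373e8fc3679e7666f6": r"%TEMP%\eJHpsL4b9q9jp8M.exe",
}

# Constructed input: three lines taken from the report's IoC tables plus one
# benign Run entry (assumed control, not from the report).
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" 90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" svhost.exe',
    r'File created C:\Windows\svhost.exe 90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\System32\\SecurityHealthSystray.exe" explorer.exe',
]

RUN_EVENT = re.compile(r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+) = "(?P<data>.*)" (?P<proc>\S+)$')
FILE_EVENT = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+)$")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Genuine Windows host binaries within edit distance 2 of svchost.exe (assumed allowlist).
LEGIT_HOSTS = {"svchost.exe", "sihost.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquatted process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def autostart_target(data: str) -> str:
    """Recover the executable path from a Run value (report escapes backslashes)."""
    raw = data.replace("\\\\", "\\")
    m = re.match(r'^"?(?P<p>[^"]+?\.exe)', raw, re.I)
    return m["p"] if m else raw.strip('"')


def classify_autostart(path: str) -> list[str]:
    """Return the reasons an autostart target looks malicious ([] if none)."""
    reasons = []
    directory, name = ntpath.dirname(path).lower(), ntpath.basename(path).lower()
    if directory == r"c:\windows":
        reasons.append("binary placed directly in C:\\Windows (not System32)")
    if name not in LEGIT_HOSTS and edit_distance(name, "svchost.exe") <= 2:
        reasons.append(f"{name} mimics svchost.exe")
    if name == "svchost.exe" and directory not in SYSTEM_DIRS:
        reasons.append("svchost.exe outside System32/SysWOW64")
    if "\\appdata\\local\\temp\\" in path.lower():
        reasons.append("autostart from user Temp directory")
    return reasons


def hunt(events: list[str]) -> list[dict]:
    """Flag suspicious Run-key writes, correlated with files written in the same run."""
    dropped = {}  # lower-cased path -> process that created it
    for line in events:
        f = FILE_EVENT.match(line)
        if f:
            dropped[f["path"].lower()] = f["proc"]
    findings = []
    for line in events:
        m = RUN_EVENT.match(line)
        if not m or not RUN_KEY.search(m["key"]):
            continue
        path = autostart_target(m["data"])
        reasons = classify_autostart(path)
        if path.lower() in dropped:
            reasons.append(f"target was written during this run by {dropped[path.lower()]}")
        if reasons:
            findings.append({"value": m["name"], "path": path, "process": m["proc"],
                             "wow64": "\\Wow6432Node\\" in m["key"], "reasons": reasons})
    return findings


def match_hash(sha256: str):
    """Map a SHA256 to the file the report lists for it, or None."""
    return KNOWN_SHA256.get(sha256.lower())


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the report's lines, both Winhost writes are flagged with three reasons each (C:\Windows placement, svchost lookalike, target dropped during the run) while the System32 control entry is ignored; on a live host the same `classify_autostart` can be fed the values enumerated from the HKLM and HKCU Run keys.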
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
   "C:\Users\Admin\AppData\Local\Temp\90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe"
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
-
  2. C:\Windows\svhost.exe (child of PID 2924)
     "C:\Windows\svhost.exe"
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2656
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\eJHpsL4b9q9jp8M.exe
Filesize
17KB
MD5
ba2926812108d61607da442a850a8b84
SHA1
a358157ac94f81ec6da7bb199950353bb2f020bf
SHA256
fb63a86814b003f56d219e12f3badd9f401f0afb2e4729373e8fc3679e7666f6
SHA512
18e11a5965170e1dea24af6075697673d642dfd515ce8260ae1d605b807f00812a8656f9ba10a5cdf97db79e9fc755b635085c818e171c2cd7891e289302379a
-
C:\Windows\svhost.exe
Filesize
16KB
MD5
5e7c375139b7453abd0b91a8a220f8e5
SHA1
88a3d645fab0f4129c1e485c90b593ab60e469ae
SHA256
36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
SHA512
0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2