Analysis
- max time kernel: 132s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 21:32
Static task: static1
Behavioral task: behavioral1
  Sample: 90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
  Resource: win10v2004-20240508-en
General
- Target: 90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
- Size: 17KB
- MD5: 8fa3dd62f631efdf7b9b83867ef09306
- SHA1: 5905132021451f9d57da6b9f2b00dd008eddd086
- SHA256: 90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36
- SHA512: be632ef685ad5c791a09fa6095b3c3f46f563f6d6e14527c872c9cfa234fdf8071251261a4fd24bef7ad0694337ab84778b7c156d02604670841a058b37777a8
- SSDEEP: 384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/6ZwN:ljjAQ+BzWPEwnE+KHM2/6Z0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    3796 | svhost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | 90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | svhost.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\svhost.exe | 90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
    File created | C:\Windows\svhost.exe | svhost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2476 | 90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
    Token: SeDebugPrivilege | 3796 | svhost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 2476 wrote to memory of 3796 | 2476 | 90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe | svhost.exe
    PID 2476 wrote to memory of 3796 | 2476 | 90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe | svhost.exe
    PID 2476 wrote to memory of 3796 | 2476 | 90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe | svhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\svhost.exe
    Command line: "C:\Windows\svhost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  Filesize: 338KB
  MD5: a349a95e6d52bca570393ab764b2a03c
  SHA1: c238134f67ede931884dab3090fb03e52ebb02de
  SHA256: 65b4c577685d9eb50df63dc8df8464816cbc45485453ac3d1bcfb23e1ee8ea22
  SHA512: 1f7a332d42dc9136130886715d6a98c55c2f61cbfd40ba7b5417ce6519d239c69dacdc317674f752344fcb34f009b6797086223a473427ae86ed52ae35bc8117
- C:\Users\Admin\AppData\Local\Temp\nmyZoiuz5jKdeIa.exe
  Filesize: 17KB
  MD5: 65f1ae8c7313697974498a3d7407929e
  SHA1: 1edb85bba66d053a3c7d4ebddbfe48b046d0220d
  SHA256: b1c629cd8c2c81089dfeb33f59b43f9f3ea5ff027f2e61e6a39e18923d92ba24
  SHA512: bc31923e07f8c5fd5a7aacb369a759449316953c012a22e7f930372aa9ff7d7aa838ed9c574e260af5d2e0ff1d2dd24dabf96e5d42123e02b8e919d8b3bd66e1
- C:\Windows\svhost.exe
  Filesize: 16KB
  MD5: 5e7c375139b7453abd0b91a8a220f8e5
  SHA1: 88a3d645fab0f4129c1e485c90b593ab60e469ae
  SHA256: 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
  SHA512: 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2