90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36

Analysis

max time kernel
132s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
Size

17KB
MD5

8fa3dd62f631efdf7b9b83867ef09306
SHA1

5905132021451f9d57da6b9f2b00dd008eddd086
SHA256

90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36
SHA512

be632ef685ad5c791a09fa6095b3c3f46f563f6d6e14527c872c9cfa234fdf8071251261a4fd24bef7ad0694337ab84778b7c156d02604670841a058b37777a8
SSDEEP

384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/6ZwN:ljjAQ+BzWPEwnE+KHM2/6Z0

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

3796 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3796	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exesvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe

Drops file in Windows directory 2 IoCs

Processes:

90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exesvhost.exe

description	ioc	process
File created	C:\Windows\svhost.exe	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
File created	C:\Windows\svhost.exe	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	2476	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
Token: SeDebugPrivilege	3796	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe

description	pid	process	target process
PID 2476 wrote to memory of 3796	2476	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe	svhost.exe
PID 2476 wrote to memory of 3796	2476	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe	svhost.exe
PID 2476 wrote to memory of 3796	2476	90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe
"C:\Users\Admin\AppData\Local\Temp\90d8aeb0f138b25335417ef99958aef0ecd4aa0231af9447637928e1c5ffdd36.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
338KB

MD5
a349a95e6d52bca570393ab764b2a03c

SHA1
c238134f67ede931884dab3090fb03e52ebb02de

SHA256
65b4c577685d9eb50df63dc8df8464816cbc45485453ac3d1bcfb23e1ee8ea22

SHA512
1f7a332d42dc9136130886715d6a98c55c2f61cbfd40ba7b5417ce6519d239c69dacdc317674f752344fcb34f009b6797086223a473427ae86ed52ae35bc8117

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmyZoiuz5jKdeIa.exe
Filesize
17KB

MD5
65f1ae8c7313697974498a3d7407929e

SHA1
1edb85bba66d053a3c7d4ebddbfe48b046d0220d

SHA256
b1c629cd8c2c81089dfeb33f59b43f9f3ea5ff027f2e61e6a39e18923d92ba24

SHA512
bc31923e07f8c5fd5a7aacb369a759449316953c012a22e7f930372aa9ff7d7aa838ed9c574e260af5d2e0ff1d2dd24dabf96e5d42123e02b8e919d8b3bd66e1

Download Submit
C:\Windows\svhost.exe
Filesize
16KB

MD5
5e7c375139b7453abd0b91a8a220f8e5

SHA1
88a3d645fab0f4129c1e485c90b593ab60e469ae

SHA256
36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8

SHA512
0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2

Download Submit