963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9.exe
Size

17KB
MD5

4aac6eb7cc4e1773555170e98598e3eb
SHA1

edce9398c75bc2ba834dc7e11ecfc791e3b2b667
SHA256

963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9
SHA512

b9c3a6d7d4715923efaefc9e4b5b6ee806f20681bea9efa81fa8d30849fd4a9dcd549b63ebb73fa5f4d873020ecb1c932ded61e1cfe9483f8ef78554b2a94274
SSDEEP

384:x+uPfoQ+DfYMzKdPEsOuubuEG3KHM2/VgT:IMAQ+BzWPEwnE+KHM2/VgT

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
764	svhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9.exe
File created	C:\Windows\svhost.exe	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3264	963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9.exe
Token: SeDebugPrivilege	764	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 764	3264	963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9.exe	82
PID 3264 wrote to memory of 764	3264	963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9.exe	82
PID 3264 wrote to memory of 764	3264	963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9.exe	82

C:\Users\Admin\AppData\Local\Temp\963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9.exe
"C:\Users\Admin\AppData\Local\Temp\963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\svhost.exe
  "C:\Windows\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
339KB

MD5
a1df177813a2fd7890726b19c928beb6

SHA1
cca9ae2a8a3505d30572554a73b7e722e71a8716

SHA256
58b0857a09d5d43249f5b77f3880e633db42a8396a8c1b608b9594d7c7f0ed8b

SHA512
9b57705c5079c301d7b7240f0e09c325cb477b0580a3f2d302d970db6b97f927dac34aa21dbc0fb42292aa0dd789e41110ae9e7687b7c564b702793b1a7356f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EiSeAXGK8s5PiZv.exe

Filesize
17KB

MD5
b95cb0b2eab3dc7a9d282e5de7210554

SHA1
6c5640e82f450dfbb6628a2185c0f89904cfbc51

SHA256
6b924e106cfed2e1950b65b20e31afa241c9cee39b2ef6033e04cb6267f7e04d

SHA512
5cd08b52304e7de967b209f34a86867965dee5f6d63dd31324d194ba648a8eafb83d44b88409811287b5c047b4e46a9c5dc82136c4deadcd17b2845cdcd23d06

Download Submit
C:\Windows\svhost.exe

Filesize
16KB

MD5
76fd02b48297edb28940bdfa3fa1c48a

SHA1
bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce

SHA256
07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c

SHA512
28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads