Malware Analysis Report

2024-11-30 06:51

Sample ID 240603-jdpzkshd37
Target e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4
SHA256 e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4
Tags: persistence spyware stealer
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4

Threat Level: Shows suspicious behavior

The file e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4 was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 07:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 07:33

Reported

2024-06-03 07:35

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe

"C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
NL | 23.62.61.106:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 0d697d4bd834b5e8061bf322746580f0
SHA1 200c84b8b786f47b7017fbdd9604e1bdfda1913d
SHA256 6576b1ec5f6a7e2f104aa7a1855ec608ac62376d5ba2f3a0cb5354a2a6e08b8c
SHA512 f77ae9ad1ae059947f2ea1ae4b19ecf6a14fda9be6450e3f8b4f790a78dc5f3b2ae498511c47034d1594f66d0e6b91a5ce6a0ea4c12b3d50baf75d614950ef37

C:\Users\Admin\AppData\Local\Temp\L1RUEp1xmCUJhSe.exe

MD5 b5b3233d5a7e4e32e504ebb8d5507985
SHA1 4c8aff61c9443b99be06e99d49ee13155493619c
SHA256 82c9baeb58fe5967c5f0906324bc5467ba0b520723617859b20c64b51082ff0f
SHA512 23752b26021bcf85e43eda577a0aafb82166373c20e6e7877e51e4f881462d05745cc422435676dd6978eb059221d3a97b7b8f758c8e0bd87324f7b97eaf85b8

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 07:33

Reported

2024-06-03 07:35

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe

"C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Temp\LSsfMNDywTGiznE.exe

MD5 43ab5c6b8a67eee527e8c1113565fbfa
SHA1 032e1edfd5fa68347bac83a346076a8e6c724f63
SHA256 73dd0171cd98ac61874442cead8431a5a88c755c025c5a5fdfb4928e703fbd4d
SHA512 35039901315ad4915d5e76c5c009b754315dba9d7568fdc944347046a058849e3ec8da5d4e585f9725c0dacf7542b31a9bceb0c4864837583de2cb68482c73b4