Analysis Overview
SHA256
e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4
Threat Level: Shows suspicious behavior
The file e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 07:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 07:33
Reported
2024-06-03 07:35
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
131s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4180 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | C:\Windows\svhost.exe |
| PID 4180 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | C:\Windows\svhost.exe |
| PID 4180 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe
"C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Windows\svhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
| --- | --- |
| MD5 | 0d697d4bd834b5e8061bf322746580f0 |
| SHA1 | 200c84b8b786f47b7017fbdd9604e1bdfda1913d |
| SHA256 | 6576b1ec5f6a7e2f104aa7a1855ec608ac62376d5ba2f3a0cb5354a2a6e08b8c |
| SHA512 | f77ae9ad1ae059947f2ea1ae4b19ecf6a14fda9be6450e3f8b4f790a78dc5f3b2ae498511c47034d1594f66d0e6b91a5ce6a0ea4c12b3d50baf75d614950ef37 |
C:\Users\Admin\AppData\Local\Temp\L1RUEp1xmCUJhSe.exe
| Hash | Value |
| --- | --- |
| MD5 | b5b3233d5a7e4e32e504ebb8d5507985 |
| SHA1 | 4c8aff61c9443b99be06e99d49ee13155493619c |
| SHA256 | 82c9baeb58fe5967c5f0906324bc5467ba0b520723617859b20c64b51082ff0f |
| SHA512 | 23752b26021bcf85e43eda577a0aafb82166373c20e6e7877e51e4f881462d05745cc422435676dd6978eb059221d3a97b7b8f758c8e0bd87324f7b97eaf85b8 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 07:33
Reported
2024-06-03 07:35
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2212 wrote to memory of 352 | N/A | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | C:\Windows\svhost.exe |
| PID 2212 wrote to memory of 352 | N/A | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | C:\Windows\svhost.exe |
| PID 2212 wrote to memory of 352 | N/A | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | C:\Windows\svhost.exe |
| PID 2212 wrote to memory of 352 | N/A | C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe
"C:\Users\Admin\AppData\Local\Temp\e7060cfe5a7b1a62f5eacb207428a1b135179c9645edb900eac72da1b5ecf9f4.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Temp\LSsfMNDywTGiznE.exe
| Hash | Value |
| --- | --- |
| MD5 | 43ab5c6b8a67eee527e8c1113565fbfa |
| SHA1 | 032e1edfd5fa68347bac83a346076a8e6c724f63 |
| SHA256 | 73dd0171cd98ac61874442cead8431a5a88c755c025c5a5fdfb4928e703fbd4d |
| SHA512 | 35039901315ad4915d5e76c5c009b754315dba9d7568fdc944347046a058849e3ec8da5d4e585f9725c0dacf7542b31a9bceb0c4864837583de2cb68482c73b4 |