Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
03-06-2024 09:36
Static task
static1
Behavioral task
behavioral1
Sample
12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe
Resource
win10v2004-20240508-en
General
-
Target
12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe
-
Size
17KB
-
MD5
a7154b65cdfde85390a60b287ccc5d0e
-
SHA1
6663e3aabeaa93fa2af8748c4ccdf4b0c248f075
-
SHA256
12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2
-
SHA512
d2bbde8f754cd4b535e33019ceff80d31c9c9776e1331c5fc91c889bdcb596e11df7ac3759c91a91ee7b88eb99d884451a2868c6170d4ede8470d534e4f41cc3
-
SSDEEP
384:x+uPfoQ+DfYMzKdPEsOuubuEG3KHM2/cION:IMAQ+BzWPEwnE+KHM2/YN
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
svhost.exe
pid   process
1744  svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries. This signature is reported as a TTP only; no specific file-access IoC is listed for it in this report.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe, svhost.exe
description      ioc                                                                                                       process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"  12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"  svhost.exe
Note: the Wow6432Node path means the writer was a 32-bit process on the x64 guest (the write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was redirected by WOW64); entries under the redirected Run key are still executed at logon, so hunt both the native and the Wow6432Node key. -
Drops file in Windows directory 2 IoCs
Processes:
12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe, svhost.exe
description   ioc                     process
File created  C:\Windows\svhost.exe   12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe
File created  C:\Windows\svhost.exe   svhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe, svhost.exe
description               pid   process
Token: SeDebugPrivilege   2340  12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe
Token: SeDebugPrivilege   1744  svhost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe
description                   pid   process                                                                 target process
PID 2340 wrote to memory of 1744  2340  12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe  svhost.exe
PID 2340 wrote to memory of 1744  2340  12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe  svhost.exe
PID 2340 wrote to memory of 1744  2340  12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe  svhost.exe
PID 2340 wrote to memory of 1744  2340  12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe  svhost.exe
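The four signatures above describe one chain: the sample drops a file directly into C:\Windows, registers it under a Run key, enables SeDebugPrivilege, spawns the dropped file and writes into that child's memory. The following is an added detection example, not code from the sandbox or from this report; the event records are constructed to mirror the IoC rows on this page (plus one benign installer as noise), and the field names, the `correlate` function and the `ProcState` class are this example's own assumptions rather than any sandbox or Sysmon schema.

```python
"""Correlate per-process behaviour signals into a persistence-plus-injection alert."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

SAMPLE_EXE = "12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost"

# Constructed events. PIDs, paths and the Run key mirror the report; the
# pid-3001 installer is benign noise added to show the rule does not fire on it.
EVENTS = [
    {"type": "process_start", "pid": 2340, "ppid": 1000,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_EXE},
    {"type": "file_create", "pid": 2340, "path": "C:\\Windows\\svhost.exe"},
    {"type": "reg_set", "pid": 2340, "key": RUN_KEY, "data": '"C:\\Windows\\svhost.exe"'},
    {"type": "token_adjust", "pid": 2340, "privilege": "SeDebugPrivilege"},
    {"type": "process_start", "pid": 1744, "ppid": 2340, "image": "C:\\Windows\\svhost.exe"},
    {"type": "process_write", "pid": 2340, "target_pid": 1744},
    {"type": "process_write", "pid": 2340, "target_pid": 1744},
    {"type": "token_adjust", "pid": 1744, "privilege": "SeDebugPrivilege"},
    {"type": "file_create", "pid": 1744, "path": "C:\\Windows\\svhost.exe"},
    {"type": "reg_set", "pid": 1744, "key": RUN_KEY, "data": '"C:\\Windows\\svhost.exe"'},
    {"type": "process_start", "pid": 3001, "ppid": 1000, "image": "C:\\Users\\Admin\\Downloads\\setup.exe"},
    {"type": "file_create", "pid": 3001, "path": "C:\\Program Files\\Vendor\\app.exe"},
    {"type": "reg_set", "pid": 3001,
     "key": r"\REGISTRY\USER\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App",
     "data": "C:\\Program Files\\Vendor\\app.exe"},
]

# Matches both the native Run key and its Wow6432Node-redirected twin.
RUN_KEY_MARKER = "\\microsoft\\windows\\currentversion\\run\\"


def in_windows_root(path: str) -> bool:
    """True only for files placed directly in C:\\Windows (not a subdirectory)."""
    p = path.lower()
    prefix = "c:\\windows\\"
    return p.startswith(prefix) and "\\" not in p[len(prefix):]


@dataclass
class ProcState:
    image: str = ""
    ppid: int = 0
    dropped: Set[str] = field(default_factory=set)      # paths this process created
    run_targets: Set[str] = field(default_factory=set)  # paths it registered under Run
    sedebug: bool = False                               # adjusted SeDebugPrivilege
    wrote_to: Set[int] = field(default_factory=set)     # pids it wrote memory into


def correlate(events: List[dict]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every process that matches the chain."""
    procs: Dict[int, ProcState] = {}
    for e in events:
        s = procs.setdefault(e["pid"], ProcState())
        t = e["type"]
        if t == "process_start":
            s.image, s.ppid = e["image"], e["ppid"]
        elif t == "file_create":
            s.dropped.add(e["path"].lower())
        elif t == "reg_set" and RUN_KEY_MARKER in e["key"].lower():
            s.run_targets.add(e["data"].strip('"').lower())
        elif t == "token_adjust" and e["privilege"] == "SeDebugPrivilege":
            s.sedebug = True
        elif t == "process_write":
            s.wrote_to.add(e["target_pid"])

    alerts: Dict[int, List[str]] = {}
    for pid, s in procs.items():
        reasons = []
        # Persistence: a file this process dropped into the Windows root is
        # also the value of a Run key it wrote.
        for path in s.dropped & s.run_targets:
            if in_windows_root(path):
                reasons.append(f"dropped {path} into the Windows root and registered it under a Run key")
        # Injection: with SeDebugPrivilege enabled, wrote into a child it spawned.
        for child in s.wrote_to:
            c = procs.get(child)
            if c and c.ppid == pid and s.sedebug:
                reasons.append(f"enabled SeDebugPrivilege and wrote into its own child pid {child} ({c.image})")
        if reasons:
            alerts[pid] = reasons
    return alerts


if __name__ == "__main__":
    for pid, reasons in correlate(EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

The rule keys on the intersection of what a process wrote to disk and what it pointed a Run key at, so a normal installer that drops under Program Files and registers that path does not fire; the injection leg requires the writer to be the parent of the target, which is the relationship recorded in the WriteProcessMemory rows above.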
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe"
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340 -
    [2] C:\Windows\svhost.exe (child of [1])
        command line: "C:\Windows\svhost.exe"
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1744
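The dropped child runs as C:\Windows\svhost.exe, a name one character away from the legitimate svchost.exe, and from the Windows root rather than System32. The block below is an added example of a name-masquerade check over a process tree, not code from the sandbox or this report. The `KNOWN_SYSTEM_BINARIES` reference table, the `masquerade_verdict` and `scan_tree` functions, and the pid-880 and pid-4120 entries of the constructed tree are this example's assumptions; pids 2340 and 1744 come from the report.

```python
"""Flag process images that imitate a Windows system binary or run it from the wrong directory."""
from typing import Dict, Optional, Tuple

SAMPLE_EXE = "12a849f76149daecc14e8f00ceb0d40beb98fea18387a4b9e1512fb7837066b2.exe"

# Assumed reference table: legitimate name -> directories it may run from
# (lower-case). A real deployment would build this from a golden image.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "lsass.exe": {"c:\\windows\\system32"},
    "explorer.exe": {"c:\\windows"},
}

# Constructed process tree: the two report processes plus one legitimate
# svchost.exe and one svchost.exe relocated into a user profile.
PROCESS_TREE = [
    {"pid": 2340, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_EXE},
    {"pid": 1744, "image": "C:\\Windows\\svhost.exe"},
    {"pid": 880, "image": "C:\\Windows\\System32\\svchost.exe"},
    {"pid": 4120, "image": "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"},
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, each costing 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_image(path: str) -> Tuple[str, str]:
    """Split a Windows path on its last backslash (os.path would use '/' on POSIX)."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def masquerade_verdict(image_path: str, max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Classify an image path as legitimate, relocated, lookalike or unknown."""
    directory, name = split_image(image_path)
    if name in KNOWN_SYSTEM_BINARIES:
        # Right name: verdict depends only on whether it runs from an allowed directory.
        ok = directory in KNOWN_SYSTEM_BINARIES[name]
        return ("legitimate" if ok else "relocated", name)
    closest = min(KNOWN_SYSTEM_BINARIES, key=lambda k: edit_distance(name, k))
    if edit_distance(name, closest) <= max_distance:
        # Near miss such as svhost.exe vs svchost.exe.
        return ("lookalike", closest)
    return ("unknown", None)


def scan_tree(tree) -> Dict[int, Tuple[str, Optional[str]]]:
    """Apply masquerade_verdict to every process in the tree, keyed by pid."""
    return {p["pid"]: masquerade_verdict(p["image"]) for p in tree}


if __name__ == "__main__":
    for pid, (verdict, ref) in scan_tree(PROCESS_TREE).items():
        print(f"{pid:>5}  {verdict:<10}  {ref or ''}")
```

A distance threshold of 1 catches single-character drops and swaps like this sample's svhost.exe while leaving genuinely different names as "unknown" for other rules to judge; the "relocated" verdict covers the other common trick, a correctly spelled system binary name started from a user-writable directory.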
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  845B
MD5       b2c22c3a80071c4f2812cb6a539d1249
SHA1      fe23298a01fce8da76fed5d234aa7343ff1d7b83
SHA256    3c76c274baaf8780eda08f23e1c6a0e7fe17245c1f6bf5f7b8ed37c0a33b0990
SHA512    dcc4d38a96095604e7f5b0ddc9ab6a8bb219ffc5636bc83a416fab59fd4d6612624d3f8c653da4271b3486641446eb9ef9e8a782ab7dab8f871589692f77784a
-
Filesize  17KB
MD5       996e1594d08809abfa3a5f9bb37a350b
SHA1      b89ce3b098efa47c5f5c6b73aebef14f3a7c6f2c
SHA256    ed61027bbd29bfd30e911c233a1b1b41f26d2e609d19ea33dfb3ad9cbd52cd48
SHA512    f9aa0479792b46927b71330a1185c9257ce4ca99ae627f38c3705f8f15caaea4705a19fdc4f8776a93f924a5a080e4ce2f07c8edfb4c319c43eb47b7e7659faf
-
Filesize  16KB
MD5       76fd02b48297edb28940bdfa3fa1c48a
SHA1      bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256    07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512    28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0