Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-06-2024 00:29

General

  • Target

    f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe

  • Size

    17KB

  • MD5

    6a82b10f78ebf9d84dc463d26de8073b

  • SHA1

    2434e984e4f6e141b66faa6f141f3c66544017ba

  • SHA256

    f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c

  • SHA512

    4d8411806a05f6afad6847407455a64003527f66d322830e9699e218cec5d0a0f6678d66386aeffb742047444752c1ded43c3bcbe47626c1b81d5d7fbe867c6e

  • SSDEEP

    384:x+uPfoQ+DfYMzKdPEsOuubuEG3KHM2/Dv1N+:IMAQ+BzWPEwnE+KHM2/zb+

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe
    "C:\Users\Admin\AppData\Local\Temp\f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\svhost.exe
      "C:\Windows\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    338KB

    MD5

    7191cba6eb87568449ab4c4d4db2b337

    SHA1

    0798d8d93b341db6b142002ebdac314cdac41868

    SHA256

    4384f4de6df0b00aec02f7d2d89baf8aa786499b71ef5a66dfce6d3865af6239

    SHA512

    cca54d549a8ec1828f465a534a92f45446f0cf4ca59bbd6d2f8cacc0622f9c1b3a4475eccf3deb77f6205d21bc42e6e686b6fffeb8abba051454ee4e6a04db25

  • C:\Users\Admin\AppData\Local\Temp\3lKWvKf4j0bnizW.exe

    Filesize

    17KB

    MD5

    bd878418fb5b66c2e0d1dd3e415839b8

    SHA1

    536e6b3ee34785ffeeb9337bbe471c6f427df085

    SHA256

    22faf90036e54083f1094598f100eb0499d9b8f477c2a22c0066a414f201f178

    SHA512

    1a13ce620cdc37152bd3a58de36ce03ac4eda4535f91870251a4069ff8301efa9210ef8a78fffae616af27276ac72db57e52995c7ba87e62eef42ace80fa8dcb

  • C:\Windows\svhost.exe

    Filesize

    16KB

    MD5

    76fd02b48297edb28940bdfa3fa1c48a

    SHA1

    bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce

    SHA256

    07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c

    SHA512

    28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0