Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-06-2024 00:29
Static task: static1
Behavioral task: behavioral1
- Sample: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe
- Resource: win10v2004-20240508-en
General
- Target: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe
- Size: 17KB
- MD5: 6a82b10f78ebf9d84dc463d26de8073b
- SHA1: 2434e984e4f6e141b66faa6f141f3c66544017ba
- SHA256: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c
- SHA512: 4d8411806a05f6afad6847407455a64003527f66d322830e9699e218cec5d0a0f6678d66386aeffb742047444752c1ded43c3bcbe47626c1b81d5d7fbe867c6e
- SSDEEP: 384:x+uPfoQ+DfYMzKdPEsOuubuEG3KHM2/Dv1N+:IMAQ+BzWPEwnE+KHM2/zb+
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: svhost.exe
  - pid 3932, process svhost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe, svhost.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" (process: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" (process: svhost.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe, svhost.exe
  - File created: C:\Windows\svhost.exe (process: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe)
  - File created: C:\Windows\svhost.exe (process: svhost.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe, svhost.exe
  - Token: SeDebugPrivilege (pid 544, process: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe)
  - Token: SeDebugPrivilege (pid 3932, process: svhost.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe
  - PID 544 wrote to memory of 3932 (pid 544, process: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe, target process: svhost.exe)
  - PID 544 wrote to memory of 3932 (pid 544, process: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe, target process: svhost.exe)
  - PID 544 wrote to memory of 3932 (pid 544, process: f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe, target process: svhost.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe (command line: "C:\Users\Admin\AppData\Local\Temp\f75cfc672dac408eece759f01a62fa34efac90634c20a593c00f526f40e9cf1c.exe", PID 544)
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\svhost.exe (command line: "C:\Windows\svhost.exe", PID 3932)
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads