d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/06/2024, 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe
Size

17KB
MD5

5e85098f6c51b95bce6e43034c9cfeee
SHA1

3795421fb2d194b5efabc725547abe41de41369e
SHA256

d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f
SHA512

32e681990358b3f9d17ce36c9dc0a22d4b0260f9104cc62d0a4cb1b5ade41f56bd3cbc1561ae2fd740db42a7b0095c0d5edbaa03d3a961bb948e9dae6e5d0485
SSDEEP

384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/wo:ljjAQ+BzWPEwnE+KHM2/V

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	svhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe
File created	C:\Windows\svhost.exe	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe
Token: SeDebugPrivilege	3064	svhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 3064	1728	d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe	28
PID 1728 wrote to memory of 3064	1728	d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe	28
PID 1728 wrote to memory of 3064	1728	d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe	28
PID 1728 wrote to memory of 3064	1728	d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe	28

C:\Users\Admin\AppData\Local\Temp\d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe
"C:\Users\Admin\AppData\Local\Temp\d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\svhost.exe
  "C:\Windows\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uDZVnTsFTKA9cjc.exe

Filesize
17KB

MD5
47ecf82179be6c85c5bc6fd5dff48c2e

SHA1
7faad744d93b10062362c1d98219186122ae4625

SHA256
855ab5f820e5d635efb39c84b54a3e8f0b68aafd5157b4931cae01dc6794cdb1

SHA512
23002f968f16e3881d38d73fe2aca0f24067eb857ae5a4c1b139ab1319b444b727e9e069a05379f8c6dc7d3ac4cfc0eae2f7f6110c4635291adbb709ddf2d0f0

Download Submit
C:\Windows\svhost.exe

Filesize
16KB

MD5
5e7c375139b7453abd0b91a8a220f8e5

SHA1
88a3d645fab0f4129c1e485c90b593ab60e469ae

SHA256
36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8

SHA512
0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads