Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    12-06-2024 23:48

General

  • Target

    5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe

  • Size

    17KB

  • MD5

    db5f0149f1d75754a72841ee4f96fdd5

  • SHA1

    b3682abc1b98ea0e4cc00d5ac646d8e2411e2e39

  • SHA256

    5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2

  • SHA512

    c0ee78e1e9bc619267f56cc08b1e243780dab210e99ebd7495db4f89e5fa8b76f27e12febffea4c232d75559fb7e5ce70e4150c51b66501a7c6e164dd09a09bf

  • SSDEEP

    384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/CX:ljjAQ+BzWPEwnE+KHM2/CX

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe
    "C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\svhost.exe
      "C:\Windows\svhost.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4924
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2860,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

      Filesize

      339KB

      MD5

      1e1960c51c1ae5d7ea832e6d2a0ed4f0

      SHA1

      9865bc20f6faa7eb98c96ec50365688e707a66ab

      SHA256

      0698442084f8726e85e098d6e7992332a070ef671f3b5da0bfd44cee9b89eead

      SHA512

      44bf54e30c4cf5a1c2a0ceedef0ccff63a47c34c98d02cc7f7117964e1367988605abe109b7e6ab87513d16093dedab84186d083c4e8c7a1202c82277e5d8f3d

    • C:\Users\Admin\AppData\Local\Temp\yEC5wO5t3R1Sofl.exe

      Filesize

      17KB

      MD5

      96d60876b4622b7de47a3b947874fcd8

      SHA1

      3ef77e08bc6b9ef0e87a9dc3d24161bea10b8253

      SHA256

      80e94dcddf8cb99fbd6a15c2995d43156fa771728e49a97ef37bd7abc65efecd

      SHA512

      5e8618ed13ebb806493af5404f60a97118b4e48f562f13bb57115135cce447a8220a84ac817b5d4f92306f36dd8c4c97d2f9c210e14d57e40a3d6a9ef3211f12

    • C:\Windows\svhost.exe

      Filesize

      16KB

      MD5

      5e7c375139b7453abd0b91a8a220f8e5

      SHA1

      88a3d645fab0f4129c1e485c90b593ab60e469ae

      SHA256

      36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8

      SHA512

      0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2