Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 23:48

Static task: static1

Behavioral task: behavioral1
  Sample: 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe
  Resource: win10v2004-20240508-en
General
Target: 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe
Size: 17KB
MD5: db5f0149f1d75754a72841ee4f96fdd5
SHA1: b3682abc1b98ea0e4cc00d5ac646d8e2411e2e39
SHA256: 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2
SHA512: c0ee78e1e9bc619267f56cc08b1e243780dab210e99ebd7495db4f89e5fa8b76f27e12febffea4c232d75559fb7e5ce70e4150c51b66501a7c6e164dd09a09bf
SSDEEP: 384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/CX:ljjAQ+BzWPEwnE+KHM2/CX
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes: svhost.exe
  pid   | Process
  4924  | svhost.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe, svhost.exe
  description      | ioc                                                                                                         | Process
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | svhost.exe

Drops file in Windows directory (2 IoCs)
Processes: 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe, svhost.exe
  description   | ioc                    | Process
  File created  | C:\Windows\svhost.exe  | 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe
  File created  | C:\Windows\svhost.exe  | svhost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe, svhost.exe
  description               | pid   | Process
  Token: SeDebugPrivilege   | 2524  | 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe
  Token: SeDebugPrivilege   | 4924  | svhost.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe
  description                        | pid   | Process                                                                | procid_target
  PID 2524 wrote to memory of 4924   | 2524  | 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe  | 89
  PID 2524 wrote to memory of 4924   | 2524  | 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe  | 89
  PID 2524 wrote to memory of 4924   | 2524  | 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe  | 89
Processes

C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe"
  PID: 2524
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\svhost.exe
      Command line: "C:\Windows\svhost.exe"
      PID: 4924
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2860,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
  PID: 4760
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 339KB
MD5: 1e1960c51c1ae5d7ea832e6d2a0ed4f0
SHA1: 9865bc20f6faa7eb98c96ec50365688e707a66ab
SHA256: 0698442084f8726e85e098d6e7992332a070ef671f3b5da0bfd44cee9b89eead
SHA512: 44bf54e30c4cf5a1c2a0ceedef0ccff63a47c34c98d02cc7f7117964e1367988605abe109b7e6ab87513d16093dedab84186d083c4e8c7a1202c82277e5d8f3d

Filesize: 17KB
MD5: 96d60876b4622b7de47a3b947874fcd8
SHA1: 3ef77e08bc6b9ef0e87a9dc3d24161bea10b8253
SHA256: 80e94dcddf8cb99fbd6a15c2995d43156fa771728e49a97ef37bd7abc65efecd
SHA512: 5e8618ed13ebb806493af5404f60a97118b4e48f562f13bb57115135cce447a8220a84ac817b5d4f92306f36dd8c4c97d2f9c210e14d57e40a3d6a9ef3211f12

Filesize: 16KB
MD5: 5e7c375139b7453abd0b91a8a220f8e5
SHA1: 88a3d645fab0f4129c1e485c90b593ab60e469ae
SHA256: 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
SHA512: 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2