Analysis Overview
SHA256
5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2
Threat Level: Shows suspicious behavior
The file 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2 was classified as "Shows suspicious behavior".
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 23:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 23:48
Reported
2024-06-12 23:51
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2524 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | C:\Windows\svhost.exe |
| PID 2524 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | C:\Windows\svhost.exe |
| PID 2524 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe
"C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2860,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| Hash | Value |
|---|---|
| MD5 | 5e7c375139b7453abd0b91a8a220f8e5 |
| SHA1 | 88a3d645fab0f4129c1e485c90b593ab60e469ae |
| SHA256 | 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8 |
| SHA512 | 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
|---|---|
| MD5 | 1e1960c51c1ae5d7ea832e6d2a0ed4f0 |
| SHA1 | 9865bc20f6faa7eb98c96ec50365688e707a66ab |
| SHA256 | 0698442084f8726e85e098d6e7992332a070ef671f3b5da0bfd44cee9b89eead |
| SHA512 | 44bf54e30c4cf5a1c2a0ceedef0ccff63a47c34c98d02cc7f7117964e1367988605abe109b7e6ab87513d16093dedab84186d083c4e8c7a1202c82277e5d8f3d |
C:\Users\Admin\AppData\Local\Temp\yEC5wO5t3R1Sofl.exe
| Hash | Value |
|---|---|
| MD5 | 96d60876b4622b7de47a3b947874fcd8 |
| SHA1 | 3ef77e08bc6b9ef0e87a9dc3d24161bea10b8253 |
| SHA256 | 80e94dcddf8cb99fbd6a15c2995d43156fa771728e49a97ef37bd7abc65efecd |
| SHA512 | 5e8618ed13ebb806493af5404f60a97118b4e48f562f13bb57115135cce447a8220a84ac817b5d4f92306f36dd8c4c97d2f9c210e14d57e40a3d6a9ef3211f12 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 23:48
Reported
2024-06-12 23:51
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2172 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | C:\Windows\svhost.exe |
| PID 2172 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | C:\Windows\svhost.exe |
| PID 2172 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | C:\Windows\svhost.exe |
| PID 2172 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe
"C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| Hash | Value |
|---|---|
| MD5 | 5e7c375139b7453abd0b91a8a220f8e5 |
| SHA1 | 88a3d645fab0f4129c1e485c90b593ab60e469ae |
| SHA256 | 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8 |
| SHA512 | 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2 |
C:\Users\Admin\AppData\Local\Temp\y87ioXFaOtHyheU.exe
| Hash | Value |
|---|---|
| MD5 | fd00e10399576ec06678c41d71c021ef |
| SHA1 | 703b5e630b685b2357f5c288ff8d1291dee90d00 |
| SHA256 | a3d4d9d4c749fe89141778b6734044804379be1559cbcd454ae4c4687d43e0cc |
| SHA512 | 187216355dcb0a01f69f48fadf3914d774be30d1ca783af93cf577e35b7741441ffd3ee3dc841d86394e5aa4331076a84811b02d0444b46ec538ae57f3c00faa |