Malware Analysis Report

2024-11-30 04:15

Sample ID 240612-3tx5nszbjj
Target 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2
SHA256 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2
Tags persistence spyware stealer
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2 was classified as: shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-12 23:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 23:48

Reported

2024-06-12 23:51

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" C:\Windows\svhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe N/A
File created C:\Windows\svhost.exe C:\Windows\svhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svhost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe

"C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2860,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 app.csvhost.info udp
US 8.8.8.8:53 app.csvhost.info udp

Files

C:\Windows\svhost.exe

MD5 5e7c375139b7453abd0b91a8a220f8e5
SHA1 88a3d645fab0f4129c1e485c90b593ab60e469ae
SHA256 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
SHA512 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 1e1960c51c1ae5d7ea832e6d2a0ed4f0
SHA1 9865bc20f6faa7eb98c96ec50365688e707a66ab
SHA256 0698442084f8726e85e098d6e7992332a070ef671f3b5da0bfd44cee9b89eead
SHA512 44bf54e30c4cf5a1c2a0ceedef0ccff63a47c34c98d02cc7f7117964e1367988605abe109b7e6ab87513d16093dedab84186d083c4e8c7a1202c82277e5d8f3d

C:\Users\Admin\AppData\Local\Temp\yEC5wO5t3R1Sofl.exe

MD5 96d60876b4622b7de47a3b947874fcd8
SHA1 3ef77e08bc6b9ef0e87a9dc3d24161bea10b8253
SHA256 80e94dcddf8cb99fbd6a15c2995d43156fa771728e49a97ef37bd7abc65efecd
SHA512 5e8618ed13ebb806493af5404f60a97118b4e48f562f13bb57115135cce447a8220a84ac817b5d4f92306f36dd8c4c97d2f9c210e14d57e40a3d6a9ef3211f12

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 23:48

Reported

2024-06-12 23:51

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" C:\Windows\svhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe N/A
File created C:\Windows\svhost.exe C:\Windows\svhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svhost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe

"C:\Users\Admin\AppData\Local\Temp\5edc94b641ee6c0a43c3bf07dceca76d61f551dadd60720907e4fabd6ad541d2.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 app.csvhost.info udp

Files

C:\Windows\svhost.exe

MD5 5e7c375139b7453abd0b91a8a220f8e5
SHA1 88a3d645fab0f4129c1e485c90b593ab60e469ae
SHA256 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
SHA512 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2

C:\Users\Admin\AppData\Local\Temp\y87ioXFaOtHyheU.exe

MD5 fd00e10399576ec06678c41d71c021ef
SHA1 703b5e630b685b2357f5c288ff8d1291dee90d00
SHA256 a3d4d9d4c749fe89141778b6734044804379be1559cbcd454ae4c4687d43e0cc
SHA512 187216355dcb0a01f69f48fadf3914d774be30d1ca783af93cf577e35b7741441ffd3ee3dc841d86394e5aa4331076a84811b02d0444b46ec538ae57f3c00faa