Analysis Overview
SHA256
170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865
Threat Level: Shows suspicious behavior
Verdict for file 170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865: shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 00:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 00:42
Reported
2024-06-13 00:45
Platform
win7-20240611-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2392 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | C:\Windows\svhost.exe |
| PID 2392 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | C:\Windows\svhost.exe |
| PID 2392 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | C:\Windows\svhost.exe |
| PID 2392 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe
"C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Temp\gZ5qlI8wrgGc1CU.exe
| MD5 | 09707d1b17ad4a35679231013d61c88a |
| SHA1 | 3b1d8883a935d37837ecf3fb2edd966667c50c39 |
| SHA256 | 3163a2e0d03ed4df990971656d05a72230530c4d3d41570506e9c8e5c98d44ed |
| SHA512 | 0f67ef40d4d9b8deb5ce2a9d42aa4d3e659c5e195d8a28dde90ed14b28fdf331a008c510e7217d4ba0618b72ebd6cd01f1e0c73d0e8b7533f86e5f45bbcff7d9 |
C:\Users\Admin\AppData\Local\Temp\1542252182\zmstage.exe.orig
| MD5 | 811296c83eca9f4e89860ac101d0942f |
| SHA1 | d5f02843a1dc6cc54414fcb5ce4be37e0cf07f36 |
| SHA256 | a717f8fbf8dcaa9cfba1ea1db193d6401a6948f9186f69b431b095b77a6d0076 |
| SHA512 | 5bb43ae4a79c91dc7a5c4e74bf882e5f0b1e4811090b14fa508c2e5ddd0fd95f0de9773b7dfd59464d2b0908b5b223c371809c5c76324b8eed26b0517348b9c0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 00:42
Reported
2024-06-13 00:45
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4564 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | C:\Windows\svhost.exe |
| PID 4564 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | C:\Windows\svhost.exe |
| PID 4564 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe
"C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Windows\svhost.exe
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 664f3811e79aae71ab91bda2295f5d54 |
| SHA1 | ec5e238872767b9ff6045e988b1fc9b8c89b1249 |
| SHA256 | b5041fdf484549c2355a15e0b3ecebc53b3e80050452952412b71b3e395e56be |
| SHA512 | cbf705bd65fc27f2792de83addeedf1a2cd10d301e19c22a31a0b8c54a9964a8be23af099eeb26fa4c20c538e4971fb7ec2da1cc2006ae51ae184d5d3e0386e3 |
C:\Users\Admin\AppData\Local\Temp\Zjt7BWyppOlHVSj.exe
| MD5 | 2dd40786680d32b0107969baa5a170d0 |
| SHA1 | fd7872954d40ffa5324083c1dbccdefb5793c189 |
| SHA256 | 8f6a5923b793bd146067634da4a52de5e49de35e8bdc1e70a9d42176583fb84a |
| SHA512 | 6df9b788ea5bdb65321da3b2b5a6e9b18be8b0521ae3c61eb05347e154760662046998392648924fd8b084172e8bd8971b744ac6b2598e869e2671bfb7935f48 |