Malware Analysis Report

2024-11-30 04:19

Sample ID: 240613-a2mppa1elk
Target: 170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865
SHA256: 170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865
Tags: persistence spyware stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865

Threat Level: Shows suspicious behavior

The file 170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865 was classified as: Shows suspicious behavior (score 7/10).

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:42

Reported

2024-06-13 00:45

Platform

win7-20240611-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Note: the value name (Winhost) and the file name (svhost.exe) both imitate the legitimate svchost.exe, which lives in C:\Windows\System32, not in the Windows root. Writing HKLM\...\Run and C:\Windows succeeds only with an elevated token, and the second row shows the dropped copy re-setting its own Run value once it runs. The Wow6432Node path means the writer is a 32-bit process whose HKLM write was redirected by WOW64 on a 64-bit OS.

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Note: enabling SeDebugPrivilege bypasses the security-descriptor check when opening other processes, so an administrator-level process can obtain handles to SYSTEM-owned ones; it is the usual precursor to cross-process memory writes, which is consistent with the "Suspicious use of WriteProcessMemory" signature listed in the summary.

Processes

C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe

"C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Temp\gZ5qlI8wrgGc1CU.exe

MD5 09707d1b17ad4a35679231013d61c88a
SHA1 3b1d8883a935d37837ecf3fb2edd966667c50c39
SHA256 3163a2e0d03ed4df990971656d05a72230530c4d3d41570506e9c8e5c98d44ed
SHA512 0f67ef40d4d9b8deb5ce2a9d42aa4d3e659c5e195d8a28dde90ed14b28fdf331a008c510e7217d4ba0618b72ebd6cd01f1e0c73d0e8b7533f86e5f45bbcff7d9

C:\Users\Admin\AppData\Local\Temp\1542252182\zmstage.exe.orig

MD5 811296c83eca9f4e89860ac101d0942f
SHA1 d5f02843a1dc6cc54414fcb5ce4be37e0cf07f36
SHA256 a717f8fbf8dcaa9cfba1ea1db193d6401a6948f9186f69b431b095b77a6d0076
SHA512 5bb43ae4a79c91dc7a5c4e74bf882e5f0b1e4811090b14fa508c2e5ddd0fd95f0de9773b7dfd59464d2b0908b5b223c371809c5c76324b8eed26b0517348b9c0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:42

Reported

2024-06-13 00:45

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A
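The Run-key rows above, and the identical ones in behavioral1, can be checked mechanically rather than by eye. The following Python is an added example and is not part of this report or of the sandbox's own tooling: it parses the rows exactly as printed, plus one constructed benign row for contrast, and flags a binary name within a small edit distance of a well-known system executable, an executable dropped directly into C:\Windows, a persisted binary re-arming its own Run value, and a write redirected to Wow6432Node. The known-binary list, the Windows-root allowlist and the benign row are assumptions made for the example.

```python
import re
from typing import Dict, List

# Two rows transcribed from the report's "Adds Run key to start application"
# tables (behavioral1 and behavioral2), plus one constructed benign row
# (assumption, not from the report) so the checks have a negative case.
RUN_KEY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" C:\Windows\svhost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater = "C:\\Program Files\\Vendor\\updater.exe" C:\Program Files\Vendor\setup.exe N/A',
]

# Columns: Description | Indicator (key = "data") | Process | Target.
# The process path may contain spaces, so it is matched greedily and the
# single-token Target column is anchored to the end of the line.
ROW_RE = re.compile(
    r'^(?P<desc>Set value \(\w+\)) (?P<key>\\REGISTRY\\\S+) = "(?P<data>[^"]*)" (?P<proc>.+) (?P<target>\S+)$'
)

# Names commonly imitated by malware. Illustrative list (assumption).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "wininit.exe",
    "services.exe", "smss.exe", "dllhost.exe", "conhost.exe", "spoolsv.exe",
    "taskhost.exe", "explorer.exe", "rundll32.exe",
}
# Executables that legitimately sit directly in %SystemRoot% (assumption).
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe", "write.exe", "splwow64.exe"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are file names, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_run_key_event(line: str) -> Dict[str, str]:
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    ev = m.groupdict()
    # Registry string data is printed with escaped backslashes; unescape once.
    ev["data"] = ev["data"].replace("\\\\", "\\")
    ev["value_name"] = ev["key"].rsplit("\\", 1)[-1]
    return ev


def analyze_run_key_event(line: str) -> Dict[str, object]:
    ev = parse_run_key_event(line)
    path = ev["data"].strip('"')
    parts = path.split("\\")
    base = parts[-1].lower()
    parent = "\\".join(parts[:-1]).lower()
    findings: List[str] = []

    # 1. Lookalike of a well-known system binary (masquerading by name).
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        d = levenshtein(base, known)
        if 0 < d <= 2:
            findings.append(f"lookalike of {known} (edit distance {d})")
    # 2. Executable placed directly in %SystemRoot% rather than System32/SysWOW64.
    if parent == "c:\\windows" and base not in WINDOWS_ROOT_ALLOWLIST:
        findings.append("executable placed directly in C:\\Windows")
    # 3. The configured binary is the process that wrote the key: it re-arms itself.
    if ev["proc"].lower() == path.lower():
        findings.append("self-referential: persisted binary rewrote its own Run value")
    # 4. Wow6432Node means a 32-bit process wrote HKLM\...\Run on a 64-bit OS.
    if "\\wow6432node\\" in ev["key"].lower():
        findings.append("32-bit writer (registry write redirected to Wow6432Node)")

    return {"value_name": ev["value_name"], "path": path, "writer": ev["proc"], "findings": findings}


def analyze_run_key_events(lines=RUN_KEY_EVENTS) -> List[Dict[str, object]]:
    return [analyze_run_key_event(line) for line in lines]


if __name__ == "__main__":
    for r in analyze_run_key_events():
        print(r["value_name"], r["path"], "->", r["findings"] or "no findings")
```

On a live host the same rows come from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and its Wow6432Node counterpart (and the HKCU equivalents); the edit-distance check is the part worth keeping, since a one-character deviation from svchost.exe is easy to miss in a long listing.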

Processes

C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe

"C:\Users\Admin\AppData\Local\Temp\170e3c596d1a483ffc269a2ed19be20c70466d1bc3aa31a21a5d0e7b2d301865.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
BE | 88.221.83.187:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp
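Most of the rows in this table are resolver noise: reverse (PTR) lookups, at least one of which (187.83.221.88.in-addr.arpa) asks about the address of the bing.com connection in the same table, plus that bing.com connection, which the platform makes on its own. The following Python is an added example and not part of the report: it parses both Network tables as printed (the behavioral1 table is just the first row), separates PTR queries, platform noise and the row with no recorded domain, maps each PTR back to the address it asks about and checks whether that address also appears as a destination, which leaves app.csvhost.info as the only candidate beacon. The platform-noise suffix list is an assumption.

```python
import re
from typing import Dict, List, Optional

# Rows transcribed from the report's Network tables. behavioral1 recorded only
# the first; behavioral2 recorded all nine, including one with no domain.
NETWORK_ROWS = [
    "US 8.8.8.8:53 app.csvhost.info udp",
    "US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp",
    "BE 88.221.83.187:443 www.bing.com tcp",
    "US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp",
    "US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp",
    "US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp",
    "US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp",
    "US 8.8.8.8:53 udp",
]

# Domains the sandbox OS contacts by itself. Treating them as background noise
# is an assumption for this example, not a claim made by the report.
PLATFORM_NOISE_SUFFIXES = ("bing.com", "microsoft.com", "windowsupdate.com", "msftconnecttest.com")

# Columns: Country | Destination ip:port | Domain (may be absent) | Proto.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def ptr_to_ip(domain: str) -> str:
    """71.31.126.40.in-addr.arpa -> 40.126.31.71 (PTR names list the octets reversed)."""
    labels = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def is_platform_noise(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_NOISE_SUFFIXES)


def parse_network_row(row: str) -> Dict[str, Optional[str]]:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    return m.groupdict()


def triage_network_rows(rows: List[str] = NETWORK_ROWS) -> Dict[str, object]:
    parsed = [parse_network_row(r) for r in rows]
    destinations = {p["ip"] for p in parsed}
    out: Dict[str, object] = {"candidates": [], "ptr": [], "noise": [], "unresolved": 0}
    for p in parsed:
        d = p["domain"]
        if d is None:
            out["unresolved"] += 1  # row printed without a domain; nothing to classify
        elif d.endswith(".in-addr.arpa"):
            ip = ptr_to_ip(d)
            # A PTR whose subject is also a destination is the OS naming a peer
            # it already talked to, not new activity by the sample.
            out["ptr"].append({"query": d, "ip": ip, "seen_as_destination": ip in destinations})
        elif is_platform_noise(d):
            out["noise"].append(d)
        else:
            # Whatever is left is the sample's own lookup. Note that the label
            # "csvhost" echoes the dropped file name svhost.exe.
            out["candidates"].append(
                {"domain": d, "resolver": f'{p["ip"]}:{p["port"]}', "proto": p["proto"]}
            )
    return out


if __name__ == "__main__":
    result = triage_network_rows()
    print("candidates:", [c["domain"] for c in result["candidates"]])
    print("platform noise:", result["noise"])
    print("PTR queries:", [(p["ip"], p["seen_as_destination"]) for p in result["ptr"]])
    print("rows without a domain:", result["unresolved"])
```

The remaining PTR subjects (40.126.31.71 and so on) never appear as destinations within the capture window, so this table alone does not say who contacted them; the only indicator worth blocking or hunting for from this section is app.csvhost.info.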

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 664f3811e79aae71ab91bda2295f5d54
SHA1 ec5e238872767b9ff6045e988b1fc9b8c89b1249
SHA256 b5041fdf484549c2355a15e0b3ecebc53b3e80050452952412b71b3e395e56be
SHA512 cbf705bd65fc27f2792de83addeedf1a2cd10d301e19c22a31a0b8c54a9964a8be23af099eeb26fa4c20c538e4971fb7ec2da1cc2006ae51ae184d5d3e0386e3

C:\Users\Admin\AppData\Local\Temp\Zjt7BWyppOlHVSj.exe

MD5 2dd40786680d32b0107969baa5a170d0
SHA1 fd7872954d40ffa5324083c1dbccdefb5793c189
SHA256 8f6a5923b793bd146067634da4a52de5e49de35e8bdc1e70a9d42176583fb84a
SHA512 6df9b788ea5bdb65321da3b2b5a6e9b18be8b0521ae3c61eb05347e154760662046998392648924fd8b084172e8bd8971b744ac6b2598e869e2671bfb7935f48