Malware Analysis Report

2024-11-30 04:44

Sample ID 240613-c5p1bs1gla
Target cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1
SHA256 cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1
Tags
persistence spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1

Threat Level: Shows suspicious behavior

The file cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1 was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:39

Reported

2024-06-13 02:42

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe

"C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp
US | 8.8.8.8:53 | app.csvhost.info | udp

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 0851138838667cdefa0452704c1fc5b0
SHA1 a584fbbfd1db20640404295ebf97c2ef5eb1a510
SHA256 34224fbec12630e039f9cceaa637d49298508e97ef1fffbddd42b064fe36bd7a
SHA512 a17689a262da565dbe4c6ae808b0375f21e11f52c6482e22a1cabfb90dc47bb292587e0c5cec7c7f805b90613d1e3b9deb9360104a1cef8eb5e6f7265bdb818a

C:\Users\Admin\AppData\Local\Temp\TSafWm1DPNLxTPt.exe

MD5 c702431f733e076ed63fe4729792b2a8
SHA1 db95c401d1318f56ffeb881e817f4678aa8cb39e
SHA256 be9dd75578c1b52dd80b06064ca79c8a1124322c7465f054198bf0b2bf0a71c6
SHA512 502849a773196301c78673c895a98edb972f16eed077f4dc4ff14fa90e8f9be96b5b12809398463e0649a322bb4192ba6df890608cadc31b750ec117ac188dc8

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:39

Reported

2024-06-13 02:42

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe

"C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp
US | 8.8.8.8:53 | app.csvhost.info | udp

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Temp\qqR47ZtDVvD0bER.exe

MD5 30594a2175ff0cdc1ef91623070584c6
SHA1 6bba4df24b1ac9d1946eef6aae081f9f783047fa
SHA256 e6a9da3f505be17143ef3b0deccf2aede4a95bd1208ce9657bb72aee41e88a91
SHA512 e1cea0438df2f5112fae99c5abf0d1c9c9ce72d0901dafe14227dd04855cf38eefcc85b121044a05744515b5d5b103f23ed7316dc77f621121ea40fae3f5ef94