Analysis Overview
SHA256
cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1
Threat Level: Shows suspicious behavior
The file cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 02:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 02:39
Reported
2024-06-13 02:42
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1004 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | C:\Windows\svhost.exe |
| PID 1004 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | C:\Windows\svhost.exe |
| PID 1004 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe
"C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| Hash | Value |
|---|---|
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
|---|---|
| MD5 | 0851138838667cdefa0452704c1fc5b0 |
| SHA1 | a584fbbfd1db20640404295ebf97c2ef5eb1a510 |
| SHA256 | 34224fbec12630e039f9cceaa637d49298508e97ef1fffbddd42b064fe36bd7a |
| SHA512 | a17689a262da565dbe4c6ae808b0375f21e11f52c6482e22a1cabfb90dc47bb292587e0c5cec7c7f805b90613d1e3b9deb9360104a1cef8eb5e6f7265bdb818a |
C:\Users\Admin\AppData\Local\Temp\TSafWm1DPNLxTPt.exe
| Hash | Value |
|---|---|
| MD5 | c702431f733e076ed63fe4729792b2a8 |
| SHA1 | db95c401d1318f56ffeb881e817f4678aa8cb39e |
| SHA256 | be9dd75578c1b52dd80b06064ca79c8a1124322c7465f054198bf0b2bf0a71c6 |
| SHA512 | 502849a773196301c78673c895a98edb972f16eed077f4dc4ff14fa90e8f9be96b5b12809398463e0649a322bb4192ba6df890608cadc31b750ec117ac188dc8 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 02:39
Reported
2024-06-13 02:42
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1280 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | C:\Windows\svhost.exe |
| PID 1280 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | C:\Windows\svhost.exe |
| PID 1280 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | C:\Windows\svhost.exe |
| PID 1280 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe
"C:\Users\Admin\AppData\Local\Temp\cd5b3127439a69d4b8783f6f555aa419133cf3a388d0374b137a62a869ff1aa1.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| Hash | Value |
|---|---|
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Temp\qqR47ZtDVvD0bER.exe
| Hash | Value |
|---|---|
| MD5 | 30594a2175ff0cdc1ef91623070584c6 |
| SHA1 | 6bba4df24b1ac9d1946eef6aae081f9f783047fa |
| SHA256 | e6a9da3f505be17143ef3b0deccf2aede4a95bd1208ce9657bb72aee41e88a91 |
| SHA512 | e1cea0438df2f5112fae99c5abf0d1c9c9ce72d0901dafe14227dd04855cf38eefcc85b121044a05744515b5d5b103f23ed7316dc77f621121ea40fae3f5ef94 |