Analysis
-
max time kernel
93s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 04:36
Static task
static1
Behavioral task
behavioral1
Sample
5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe
Resource
win10v2004-20240611-en
General
-
Target
5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe
-
Size
17KB
-
MD5
7ae111fdce3b99f728c3d517cbe6aed1
-
SHA1
c2e08075bd5df79a035ff05555a9b7d51fee761c
-
SHA256
5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661
-
SHA512
57d41b958b49fd1e41afc47db518e14a2f5d5ad63d0433023995e0b3ad763eed58f91a4e780b898c971c67fbcf73ceb8f97f2fbdd459177f70164078cfde1848
-
SSDEEP
384:x+uPfoQ+DfYMzKdPEsOuubuEG3KHM2/XCnBf:IMAQ+BzWPEwnE+KHM2/XCBf
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
svhost.exepid process 2264 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exesvhost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" 5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" svhost.exe -
Drops file in Windows directory 2 IoCs
Processes:
5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exesvhost.exedescription ioc process File created C:\Windows\svhost.exe 5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe File created C:\Windows\svhost.exe svhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exesvhost.exedescription pid process Token: SeDebugPrivilege 4928 5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe Token: SeDebugPrivilege 2264 svhost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exedescription pid process target process PID 4928 wrote to memory of 2264 4928 5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe svhost.exe PID 4928 wrote to memory of 2264 4928 5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe svhost.exe PID 4928 wrote to memory of 2264 4928 5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe svhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe"C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\svhost.exe"C:\Windows\svhost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2264
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
339KB
MD5d7b5d2151d86dee7872428c064bf94bd
SHA189def880187db0eb00b221e97c8cbe26d966dd8a
SHA256d50e4cae2bca0aa3dc6ca872dc9966f6ca0ccd9731400202d9b145de0a0cc8b0
SHA5121e85b137957945d31045233f26c2a4be92541ab9f23d3b3f3183175eac48c6a7ed82a92fb26fb7ee748be5e5c4ca208ee97621c219ea9e20a06eaa4f9e640380
-
Filesize
17KB
MD5e7658731f2d4127b4afd9741b938936a
SHA163e6e2781e81204718b9158e55aa5129f2a028b0
SHA2568e17f7c9c14f030ffa2604e03c33f3057434bb2775a59b318d0378b1d35c4012
SHA51298d42c20b233ce132689da0d16cd14c54b89f216f0b8f7b6131b2cefa42d6cd5d0ded1252bd720dbb855ab5015b85069259bcd8549316bb8162e65cdf045037a
-
Filesize
16KB
MD576fd02b48297edb28940bdfa3fa1c48a
SHA1bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA25607abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA51228c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0