Analysis

  • max time kernel
    93s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 04:36

General

  • Target

    5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe

  • Size

    17KB

  • MD5

    7ae111fdce3b99f728c3d517cbe6aed1

  • SHA1

    c2e08075bd5df79a035ff05555a9b7d51fee761c

  • SHA256

    5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661

  • SHA512

    57d41b958b49fd1e41afc47db518e14a2f5d5ad63d0433023995e0b3ad763eed58f91a4e780b898c971c67fbcf73ceb8f97f2fbdd459177f70164078cfde1848

  • SSDEEP

    384:x+uPfoQ+DfYMzKdPEsOuubuEG3KHM2/XCnBf:IMAQ+BzWPEwnE+KHM2/XCBf

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe
    "C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Windows\svhost.exe
      "C:\Windows\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2264

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    339KB

    MD5

    d7b5d2151d86dee7872428c064bf94bd

    SHA1

    89def880187db0eb00b221e97c8cbe26d966dd8a

    SHA256

    d50e4cae2bca0aa3dc6ca872dc9966f6ca0ccd9731400202d9b145de0a0cc8b0

    SHA512

    1e85b137957945d31045233f26c2a4be92541ab9f23d3b3f3183175eac48c6a7ed82a92fb26fb7ee748be5e5c4ca208ee97621c219ea9e20a06eaa4f9e640380

  • C:\Users\Admin\AppData\Local\Temp\m5CQMkdSACJOlE2.exe

    Filesize

    17KB

    MD5

    e7658731f2d4127b4afd9741b938936a

    SHA1

    63e6e2781e81204718b9158e55aa5129f2a028b0

    SHA256

    8e17f7c9c14f030ffa2604e03c33f3057434bb2775a59b318d0378b1d35c4012

    SHA512

    98d42c20b233ce132689da0d16cd14c54b89f216f0b8f7b6131b2cefa42d6cd5d0ded1252bd720dbb855ab5015b85069259bcd8549316bb8162e65cdf045037a

  • C:\Windows\svhost.exe

    Filesize

    16KB

    MD5

    76fd02b48297edb28940bdfa3fa1c48a

    SHA1

    bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce

    SHA256

    07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c

    SHA512

    28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0