Analysis Overview
SHA256
5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661
Threat Level: Shows suspicious behavior
The file 5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 04:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 04:36
Reported
2024-06-13 04:39
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2476 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | C:\Windows\svhost.exe |
| PID 2476 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | C:\Windows\svhost.exe |
| PID 2476 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | C:\Windows\svhost.exe |
| PID 2476 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe
"C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Temp\NwUu5QGRvTccLLh.exe
| MD5 | 584511a294def0b7c3e4dcaceda7f8cf |
| SHA1 | 9e4af37a4a69c977eb02bccf1a743b6848be00f6 |
| SHA256 | 7eed3a95a3bd89093d8725a90d7e354d76fdceb069da65adf3aa419a32546d73 |
| SHA512 | 2dbf54f8eb17624d0b2592c8281502060b7bf5462dc4dd95b02d53d063713c310d0041691152dde6eeb7287e7ea9b26eeba80a4434afcb99377820997e7216db |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 04:36
Reported
2024-06-13 04:39
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
96s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4928 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | C:\Windows\svhost.exe |
| PID 4928 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | C:\Windows\svhost.exe |
| PID 4928 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe
"C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| BE | 88.221.83.186:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 186.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Windows\svhost.exe
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | d7b5d2151d86dee7872428c064bf94bd |
| SHA1 | 89def880187db0eb00b221e97c8cbe26d966dd8a |
| SHA256 | d50e4cae2bca0aa3dc6ca872dc9966f6ca0ccd9731400202d9b145de0a0cc8b0 |
| SHA512 | 1e85b137957945d31045233f26c2a4be92541ab9f23d3b3f3183175eac48c6a7ed82a92fb26fb7ee748be5e5c4ca208ee97621c219ea9e20a06eaa4f9e640380 |
C:\Users\Admin\AppData\Local\Temp\m5CQMkdSACJOlE2.exe
| MD5 | e7658731f2d4127b4afd9741b938936a |
| SHA1 | 63e6e2781e81204718b9158e55aa5129f2a028b0 |
| SHA256 | 8e17f7c9c14f030ffa2604e03c33f3057434bb2775a59b318d0378b1d35c4012 |
| SHA512 | 98d42c20b233ce132689da0d16cd14c54b89f216f0b8f7b6131b2cefa42d6cd5d0ded1252bd720dbb855ab5015b85069259bcd8549316bb8162e65cdf045037a |