Malware Analysis Report

2024-11-13 14:27

Sample ID 240613-e8hrjaxhnq
Target 5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661
SHA256 5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661

Threat Level: suspicious

The file 5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661 shows suspicious behavior (score 7/10): it drops and executes an unsigned copy of itself as C:\Windows\svhost.exe, registers that copy under the HKLM Run key, reads browser profile data, and resolves app.csvhost.info.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:36

Reported

2024-06-13 04:39

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe

"C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 app.csvhost.info udp

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Temp\NwUu5QGRvTccLLh.exe

MD5 584511a294def0b7c3e4dcaceda7f8cf
SHA1 9e4af37a4a69c977eb02bccf1a743b6848be00f6
SHA256 7eed3a95a3bd89093d8725a90d7e354d76fdceb069da65adf3aa419a32546d73
SHA512 2dbf54f8eb17624d0b2592c8281502060b7bf5462dc4dd95b02d53d063713c310d0041691152dde6eeb7287e7ea9b26eeba80a4434afcb99377820997e7216db

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:36

Reported

2024-06-13 04:39

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe

"C:\Users\Admin\AppData\Local\Temp\5769d0e90af5997fb3e2b480ca246714dd691952e884661dcae843b67931d661.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 app.csvhost.info udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
BE 88.221.83.186:443 www.bing.com tcp
US 8.8.8.8:53 186.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 d7b5d2151d86dee7872428c064bf94bd
SHA1 89def880187db0eb00b221e97c8cbe26d966dd8a
SHA256 d50e4cae2bca0aa3dc6ca872dc9966f6ca0ccd9731400202d9b145de0a0cc8b0
SHA512 1e85b137957945d31045233f26c2a4be92541ab9f23d3b3f3183175eac48c6a7ed82a92fb26fb7ee748be5e5c4ca208ee97621c219ea9e20a06eaa4f9e640380

C:\Users\Admin\AppData\Local\Temp\m5CQMkdSACJOlE2.exe

MD5 e7658731f2d4127b4afd9741b938936a
SHA1 63e6e2781e81204718b9158e55aa5129f2a028b0
SHA256 8e17f7c9c14f030ffa2604e03c33f3057434bb2775a59b318d0378b1d35c4012
SHA512 98d42c20b233ce132689da0d16cd14c54b89f216f0b8f7b6131b2cefa42d6cd5d0ded1252bd720dbb855ab5015b85069259bcd8549316bb8162e65cdf045037a
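Hunting notes and an added example (not part of the sandbox report). Both runs, behavioral1 (Windows 7) and behavioral2 (Windows 10), show the same chain: the sample drops a copy of itself as C:\Windows\svhost.exe (one letter short of the legitimate svchost.exe, which lives in C:\Windows\System32, not in the Windows root), registers it under the HKLM Run key as Winhost, executes it, and resolves app.csvhost.info. The Wow6432Node path indicates a 32-bit process being redirected on 64-bit Windows, and writing into C:\Windows means the sample ran with administrative rights in the sandbox. Only app.csvhost.info is attributable to the sample; the bing.com connections and the in-addr.arpa PTR lookups in behavioral2 are typical Windows 10 background traffic and the sandbox's reverse lookups of the peers it saw. The script below takes the indicators from this report and runs them over Sysmon-style event records (Event ID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent SetValue, 22 DNSQuery). The event records, the vendor updater entry and the sample path C:\Users\Admin\AppData\Local\Temp\sample.exe are constructed for the example and are not from the detonation; the lookalike check generalises beyond this sample by flagging any svchost-named executable within one edit of the real name that is not in System32 or SysWOW64.

```python
"""Hunt for this report's indicators in Sysmon-style event records.

Added example, not part of the sandbox report. The IOCs are copied from the
report; the event records are constructed to resemble Sysmon Event ID 1
(ProcessCreate), 11 (FileCreate), 13 (RegistryEvent SetValue) and 22
(DNSQuery) and are NOT taken from the detonation.
"""
import ntpath

# Indicators from the report above.
DROPPED_PATH = r"C:\Windows\svhost.exe"
DROPPED_SHA256 = "07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c"
RUN_VALUE_NAME = "Winhost"
C2_DOMAIN = "app.csvhost.info"

# Where the real svchost.exe lives on 64-bit Windows (native and 32-bit copy).
# A near-identical name anywhere else is a lookalike.
LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe",
                 r"c:\windows\syswow64\svchost.exe"}
# Matches the native Run key and the Wow6432Node view a 32-bit process is
# redirected to; RunOnce is deliberately not covered.
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is all a name spoof usually needs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_path(path: str) -> str:
    """Strip quotes and registry-style doubled backslashes, lower-case."""
    return path.strip('"').replace("\\\\", "\\").lower()


def is_svchost_lookalike(path: str) -> bool:
    p = normalize_path(path)
    return p not in LEGIT_SVCHOST and edit_distance(ntpath.basename(p), "svchost.exe") <= 1


def is_run_key(target_object: str) -> bool:
    """True for HKLM/HKCU ...\\CurrentVersion\\Run\\<value name>."""
    return ntpath.dirname(target_object).lower().endswith(RUN_KEY_SUFFIX)


def check_event(ev: dict) -> list:
    """Return the reasons an event matches; an empty list means clean."""
    hits = []
    eid = ev["EventID"]
    if eid == 13 and is_run_key(ev["TargetObject"]):
        value_name = ntpath.basename(ev["TargetObject"])
        data = normalize_path(ev["Details"])
        if value_name.lower() == RUN_VALUE_NAME.lower() or data == DROPPED_PATH.lower():
            hits.append("Run key matches report IOC (Winhost / svhost.exe)")
        if is_svchost_lookalike(data):
            hits.append("Run key points at svchost lookalike")
    elif eid == 11:
        target = normalize_path(ev["TargetFilename"])
        if ntpath.dirname(target) == r"c:\windows" and target.endswith(".exe"):
            hits.append("executable created directly in C:\\Windows")
        if is_svchost_lookalike(target):
            hits.append("svchost lookalike filename created")
    elif eid == 1:
        # Sysmon formats Hashes as "SHA1=...,MD5=...,SHA256=...".
        hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
        if hashes.get("SHA256", "").lower() == DROPPED_SHA256:
            hits.append("process image hash matches dropped svhost.exe")
        if is_svchost_lookalike(ev["Image"]):
            hits.append("svchost lookalike executed")
    elif eid == 22 and ev["QueryName"].lower() == C2_DOMAIN:
        hits.append("DNS query for report C2 domain")
    return hits


def hunt(events: list) -> dict:
    """Map the index of each matching event to its reasons."""
    return {i: hits for i, ev in enumerate(events) if (hits := check_event(ev))}


# Constructed sample path (hypothetical, stands in for the long hash-named exe).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"

# Constructed records: four that reproduce the report's chain, three benign.
EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Windows\svhost.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost",
     "Details": r"C:\Windows\svhost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\svhost.exe", "Hashes": "SHA256=" + DROPPED_SHA256},
    {"EventID": 22, "Image": r"C:\Windows\svhost.exe", "QueryName": "app.csvhost.info"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "Hashes": "SHA256=" + "0" * 64},  # placeholder hash, not a real one
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "www.bing.com"},
]

if __name__ == "__main__":
    for idx, reasons in hunt(EVENTS).items():
        print(idx, EVENTS[idx]["EventID"], "; ".join(reasons))
```

The first four constructed events fire, the legitimate System32 svchost.exe, the vendor Run entry and the bing.com lookup do not. Feed real Sysmon exports in as dicts with the same field names; on a live host, the equivalent spot checks are the Run key contents under both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and its Wow6432Node twin, and any *.exe sitting directly in C:\Windows.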