Malware Analysis Report

2024-11-13 14:27

Sample ID: 240613-fc1sxaybkp
Target: 8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f
SHA256: 8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f
Tags: persistence spyware stealer
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f

Threat Level: Shows suspicious behavior

The file 8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:44

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:44

Reported

2024-06-13 04:46

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\svhost.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"
Process: C:\Windows\svhost.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"
Process: C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\svhost.exe
Process: C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe
Target: N/A

Description: File created
Indicator: C:\Windows\svhost.exe
Process: C:\Windows\svhost.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\svhost.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe

"C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 app.csvhost.info udp

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Temp\uZifQtOrtibLSLU.exe

MD5 23ef82d1cddeac627d75e3b52f33618b
SHA1 20231f86034600c131ce76bfad3e9ca645b5fd25
SHA256 266d6ceeb6c7f60cef941687fb578f5cdcc7297d179dd56519cf6b85a4b38939
SHA512 8d02857895ae22954862d902da6c1c8854a64490e0dc74d760aa23b3d6fa39738e55ce9e2945694e8adab519130934590e7eec7039e0f8ec2f06ac1c9599efa2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:44

Reported

2024-06-13 04:47

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\svhost.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"
Process: C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"
Process: C:\Windows\svhost.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\svhost.exe
Process: C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe
Target: N/A

Description: File created
Indicator: C:\Windows\svhost.exe
Process: C:\Windows\svhost.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\svhost.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe

"C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 app.csvhost.info udp
US 8.8.8.8:53 app.csvhost.info udp

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 cac45b29611e738176e47533a06ca10f
SHA1 2a838c4b41f9ec56b2b89193cdd7f141e2413930
SHA256 d045e26b0c22f18abeed0686ae74002a6f83d0403e55f854fbfc6b55428936d2
SHA512 c7983daf01cb449bcb03d64b88a8bc4d788d13179dabb1d822301c0899717b1b786bc3a8803a19a60c9428522e974b912a2a77997ae0c4e93f1f250e0fa83163

C:\Users\Admin\AppData\Local\Temp\ebY0zLu9h1Tf0Vp.exe

MD5 5b0fa0c3c7ff8d27175edc60acff1308
SHA1 97fdcdb4f4ca9677f39593ecb2efef66865cb3c6
SHA256 9066f3e4e3966e4af2c7a2e3e969308c989d995afa6e1349015f127493a2a2ff
SHA512 76804cee7ecce2e2522a23f537101de454d1b75bbc3456476ab970052b69840d9f501fb1213ee37d8f2dbc6780b22284a88efb9804436eb14f90e474d7535ae5