Analysis Overview
SHA256
8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f
Threat Level: Shows suspicious behavior
The file 8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 04:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 04:44
Reported
2024-06-13 04:46
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1296 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | C:\Windows\svhost.exe |
| PID 1296 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | C:\Windows\svhost.exe |
| PID 1296 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | C:\Windows\svhost.exe |
| PID 1296 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe
"C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Temp\uZifQtOrtibLSLU.exe
| MD5 | 23ef82d1cddeac627d75e3b52f33618b |
| SHA1 | 20231f86034600c131ce76bfad3e9ca645b5fd25 |
| SHA256 | 266d6ceeb6c7f60cef941687fb578f5cdcc7297d179dd56519cf6b85a4b38939 |
| SHA512 | 8d02857895ae22954862d902da6c1c8854a64490e0dc74d760aa23b3d6fa39738e55ce9e2945694e8adab519130934590e7eec7039e0f8ec2f06ac1c9599efa2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 04:44
Reported
2024-06-13 04:47
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4472 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | C:\Windows\svhost.exe |
| PID 4472 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | C:\Windows\svhost.exe |
| PID 4472 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe
"C:\Users\Admin\AppData\Local\Temp\8d190a12f39b0afd242ce719f1071e037494fca8f506487ef1723f021a99a41f.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | cac45b29611e738176e47533a06ca10f |
| SHA1 | 2a838c4b41f9ec56b2b89193cdd7f141e2413930 |
| SHA256 | d045e26b0c22f18abeed0686ae74002a6f83d0403e55f854fbfc6b55428936d2 |
| SHA512 | c7983daf01cb449bcb03d64b88a8bc4d788d13179dabb1d822301c0899717b1b786bc3a8803a19a60c9428522e974b912a2a77997ae0c4e93f1f250e0fa83163 |
C:\Users\Admin\AppData\Local\Temp\ebY0zLu9h1Tf0Vp.exe
| MD5 | 5b0fa0c3c7ff8d27175edc60acff1308 |
| SHA1 | 97fdcdb4f4ca9677f39593ecb2efef66865cb3c6 |
| SHA256 | 9066f3e4e3966e4af2c7a2e3e969308c989d995afa6e1349015f127493a2a2ff |
| SHA512 | 76804cee7ecce2e2522a23f537101de454d1b75bbc3456476ab970052b69840d9f501fb1213ee37d8f2dbc6780b22284a88efb9804436eb14f90e474d7535ae5 |