Malware Analysis Report

2024-11-13 14:02

Sample ID 240613-gasvyszdjk
Target ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e
SHA256 ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e

Threat Level: Shows suspicious behavior

The file ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e was found to show suspicious behavior. In both detonations it writes a second executable to C:\Windows\svhost.exe (a name one character away from the legitimate svchost.exe, which lives in System32, not in the Windows root), launches it, and registers it under the HKLM ...\CurrentVersion\Run value "Winhost"; the dropped copy repeats both the file write and the Run-key write. Both processes request SeDebugPrivilege through AdjustTokenPrivileges, and the sample queries DNS for app.csvhost.info. The Run value lands under Wow6432Node because the sample is a 32-bit process subject to registry redirection on 64-bit Windows; that key is still processed at logon. Writing to C:\Windows and to an HKLM Run key requires administrative rights, which the detonations had (they ran as the user Admin). C:\Windows\svhost.exe has the same SHA256 (07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c) in both runs and is the stable file indicator; the randomly named executables left in Temp differ between runs.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:36

Reported

2024-06-13 05:39

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe

"C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp

Only the DNS lookup of app.csvhost.info against 8.8.8.8 is recorded; no follow-on connection to a resolved address appears in this report.

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Temp\6Mfo8n3YHsAhcuw.exe

MD5 b93986b7eb78e7553bbdfa911f2d2a13
SHA1 b617407349ec7b555da2fc2a3d35545f772a4f4c
SHA256 983526fd77867d0e69694d0af891c6b130569dd8339306babb82df22e4dbfefe
SHA512 5771de22f23729a39a4e74e75deecf8a9867119b3c6828e4afbe6a1e108e97f4d89b8fe569d15dfd2df703c1ac5b02c20e5a11921bea4973856b7724bd70aa8d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:36

Reported

2024-06-13 05:39

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A
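The behaviours tabulated under behavioral1 and behavioral2 (an executable dropped into the Windows root under a svchost.exe lookalike name, an HKLM Run value pointing at it, a DNS query for app.csvhost.info, and a fixed SHA256 for the dropped file) translate directly into endpoint hunting logic. The Python below is an added example, not part of the sandbox report or its tooling. It runs those checks over constructed Sysmon-style events (EventID 1, 11, 13 and 22 with Sysmon's field names) and generalises the svhost/svchost case into a lookalike test against a short table of legitimate system binary locations; that EXPECTED_DIRS table and the sample events are assumptions of the example.

```python
"""Hunt for this report's behaviours in Sysmon-style telemetry.

Added example: the events below are constructed to mirror the sandbox
signatures; they are not exported from the sandbox.
"""
import ntpath
from typing import Dict, List, Set, Tuple

# Indicators copied from the behavioral1/behavioral2 sections of the report.
DROPPED_PATH = r"C:\Windows\svhost.exe"
DROPPED_SHA256 = "07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c"
C2_DOMAIN = "app.csvhost.info"
WINDOWS_ROOT = r"c:\windows"

# Where a few well-known Windows binaries legitimately live (lower-case).
# Assumption of this example and deliberately short; build the real list
# from a golden image.
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

Finding = Tuple[str, str]  # (rule name, offending value)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; svhost.exe is one edit from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_findings(path: str) -> List[Finding]:
    """Flag a system binary name in the wrong directory, or a near-miss of one."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in EXPECTED_DIRS:
        if directory not in EXPECTED_DIRS[name]:
            return [("system_name_wrong_dir", path)]
        return []
    for legit in EXPECTED_DIRS:
        if edit_distance(name, legit) <= 2:
            return [("lookalike_name", f"{path} ~ {legit}")]
    return []


def check_event(ev: dict) -> List[Finding]:
    """Apply the rules to one Sysmon-style event dict."""
    eid = ev["EventID"]
    out: List[Finding] = []
    if eid == 1:  # ProcessCreate
        out += image_findings(ev["Image"])
        if DROPPED_SHA256 in ev.get("Hashes", "").lower():
            out.append(("known_sha256", ev["Image"]))
    elif eid == 11:  # FileCreate
        target = ev["TargetFilename"]
        if ntpath.dirname(target).lower() == WINDOWS_ROOT and target.lower().endswith(".exe"):
            out.append(("exe_dropped_in_windows_root", f"{ev['Image']} -> {target}"))
        out += image_findings(target)
    elif eid == 13:  # RegistryEvent (Value Set)
        if "\\currentversion\\run\\" in ev["TargetObject"].lower():
            details = ev["Details"].strip('"')  # Run data is the command to start
            if ntpath.dirname(details).lower() == WINDOWS_ROOT:
                out.append(("run_key_to_windows_root", f"{ev['TargetObject']} = {details}"))
            out += image_findings(details)
    elif eid == 22:  # DnsQuery
        if ev["QueryName"].lower() == C2_DOMAIN:
            out.append(("known_domain", ev["QueryName"]))
    return out


def hunt(events) -> List[Finding]:
    """Run check_event over a stream of events and collect every finding."""
    findings: List[Finding] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


TEMP_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe")
# Constructed events: the first four mirror the report, the last two are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": TEMP_EXE, "TargetFilename": DROPPED_PATH},
    {"EventID": 13, "Image": TEMP_EXE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost",
     "Details": f'"{DROPPED_PATH}"'},
    {"EventID": 22, "Image": TEMP_EXE, "QueryName": "app.csvhost.info"},
    {"EventID": 1, "Image": DROPPED_PATH, "Hashes": f"SHA256={DROPPED_SHA256.upper()}"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "Hashes": "SHA256=0000"},
]

if __name__ == "__main__":
    for rule, value in hunt(SAMPLE_EVENTS):
        print(f"{rule:30} {value}")
```

The Run-key rule deliberately fires only when the value points into the Windows root or at a lookalike name, so an ordinary per-user entry such as OneDrive stays silent; extend the location check (user-writable directories, Temp) and the EXPECTED_DIRS table before relying on it in production. The hash and domain rules are exact matches and will miss the randomly named Temp executables, whose hashes differ between the two detonations.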

Processes

C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe

"C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp
US | 8.8.8.8:53 | app.csvhost.info | udp

Two DNS lookups of app.csvhost.info against 8.8.8.8 are recorded; as in behavioral1, no follow-on connection to a resolved address appears in this report.

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 b4684eb46b7a4d5fef45453110e124eb
SHA1 e61f2187653f639a342be1fc78014e1d3ccb4257
SHA256 15a0b155784a4e1c87c84d75a9eecabecc2dd72a45238f2c4583798e6739c399
SHA512 a050df618d2d906417de10e952457e21d7dafcf6bc101ee8e7da2f4cc1824c64db5c5c0d0d0811e582abfec929525efcaa65fff15e2246b2e4bec37ea0bdebfe

C:\Users\Admin\AppData\Local\Temp\NqgI5Ljy8C89PJy.exe

MD5 04723ed2ff0b64d2a2b7c817d2b350b7
SHA1 52ae66db8396696b97172ccc6622da677fb71595
SHA256 7cb5b85667468d043576498b3f4c3d04de5e8cc7b96964069ba2b2f0d85f1cd0
SHA512 8f58cb52af9c300f9e353cab0c76e2054b51b17eaf8cb858cc59410ab95e123de1c576db194362aa17ac1566aa45fca88c18a2530e1b4c634f5d457f6e3af48c