Analysis Overview
SHA256
ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e
Threat Level: Shows suspicious behavior
The file ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 05:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 05:36
Reported
2024-06-13 05:39
Platform
win7-20240220-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2360 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | C:\Windows\svhost.exe |
| PID 2360 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | C:\Windows\svhost.exe |
| PID 2360 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | C:\Windows\svhost.exe |
| PID 2360 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe
"C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Temp\6Mfo8n3YHsAhcuw.exe
| Hash | Value |
| --- | --- |
| MD5 | b93986b7eb78e7553bbdfa911f2d2a13 |
| SHA1 | b617407349ec7b555da2fc2a3d35545f772a4f4c |
| SHA256 | 983526fd77867d0e69694d0af891c6b130569dd8339306babb82df22e4dbfefe |
| SHA512 | 5771de22f23729a39a4e74e75deecf8a9867119b3c6828e4afbe6a1e108e97f4d89b8fe569d15dfd2df703c1ac5b02c20e5a11921bea4973856b7724bd70aa8d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 05:36
Reported
2024-06-13 05:39
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5100 wrote to memory of 4216 | N/A | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | C:\Windows\svhost.exe |
| PID 5100 wrote to memory of 4216 | N/A | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | C:\Windows\svhost.exe |
| PID 5100 wrote to memory of 4216 | N/A | C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe
"C:\Users\Admin\AppData\Local\Temp\ad75321a09bffb2fbcdab74d1f0869436a5a1cf0c6c7cbacbfaa0c40f06afa7e.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
| --- | --- |
| MD5 | b4684eb46b7a4d5fef45453110e124eb |
| SHA1 | e61f2187653f639a342be1fc78014e1d3ccb4257 |
| SHA256 | 15a0b155784a4e1c87c84d75a9eecabecc2dd72a45238f2c4583798e6739c399 |
| SHA512 | a050df618d2d906417de10e952457e21d7dafcf6bc101ee8e7da2f4cc1824c64db5c5c0d0d0811e582abfec929525efcaa65fff15e2246b2e4bec37ea0bdebfe |
C:\Users\Admin\AppData\Local\Temp\NqgI5Ljy8C89PJy.exe
| Hash | Value |
| --- | --- |
| MD5 | 04723ed2ff0b64d2a2b7c817d2b350b7 |
| SHA1 | 52ae66db8396696b97172ccc6622da677fb71595 |
| SHA256 | 7cb5b85667468d043576498b3f4c3d04de5e8cc7b96964069ba2b2f0d85f1cd0 |
| SHA512 | 8f58cb52af9c300f9e353cab0c76e2054b51b17eaf8cb858cc59410ab95e123de1c576db194362aa17ac1566aa45fca88c18a2530e1b4c634f5d457f6e3af48c |