Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
14-06-2024 02:36
Static task
static1
Behavioral task
behavioral1
Sample
b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe
Resource
win10v2004-20240611-en
General
-
Target
b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe
-
Size
17KB
-
MD5
e1a0d16fb63611d0f93c70162a60e9e3
-
SHA1
44df1a5a91fae7dab7f894fa0bd35f4f7a1cdb95
-
SHA256
b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c
-
SHA512
4d9b9bd7b52985ede9335b16deed8c8d2d8c564aa0be2b39188194a96c35e8966f31f425f044949deb44d83b3fb00100bf677f60a79417215fdc0b4d37937553
-
SSDEEP
384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/LK:ljjAQ+BzWPEwnE+KHM2/G
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
svhost.exepid process 4624 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exesvhost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" svhost.exe -
Drops file in Windows directory 2 IoCs
Processes:
b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exesvhost.exedescription ioc process File created C:\Windows\svhost.exe b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe File created C:\Windows\svhost.exe svhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exesvhost.exedescription pid process Token: SeDebugPrivilege 1120 b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe Token: SeDebugPrivilege 4624 svhost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exedescription pid process target process PID 1120 wrote to memory of 4624 1120 b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe svhost.exe PID 1120 wrote to memory of 4624 1120 b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe svhost.exe PID 1120 wrote to memory of 4624 1120 b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe svhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe"C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\svhost.exe"C:\Windows\svhost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4624
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
338KB
MD5cf83fb8535773938dfaecb168a729fca
SHA1b767019afe4740a878d01019c6d30fec0e1ba72b
SHA2561eb8a1dca20230031cdb55d37a437d159f5628f9ded53308c27748ac69bcbc89
SHA512622c455cbf47f753a19df9516cb59b8452feb92763f777ef2d1be708380d29cc62d055b4adf855fa830d7062975ca73632e2e264f749fc2f9704e8136fbf3e32
-
Filesize
17KB
MD58e7ab156a41725d6cf2b71df57c1e98b
SHA16a82ad9cdd8c70ff84b71ab0b442c7babf668dcc
SHA2563867ad0b7a6eaf7516647fdf2e2381258c8283ea178a66bb020247dc79dfa038
SHA5125814a89f94e007464409bf47ec2dd7bf4963bb24888621d99de75a3b52625ec71340b77e1fc4d2246079c08c72646c6ebd8d3b970d0bd385cd65ffb17b0d2a49
-
Filesize
16KB
MD55e7c375139b7453abd0b91a8a220f8e5
SHA188a3d645fab0f4129c1e485c90b593ab60e469ae
SHA25636ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
SHA5120805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2