Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 02:36

General

  • Target

    b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe

  • Size

    17KB

  • MD5

    e1a0d16fb63611d0f93c70162a60e9e3

  • SHA1

    44df1a5a91fae7dab7f894fa0bd35f4f7a1cdb95

  • SHA256

    b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c

  • SHA512

    4d9b9bd7b52985ede9335b16deed8c8d2d8c564aa0be2b39188194a96c35e8966f31f425f044949deb44d83b3fb00100bf677f60a79417215fdc0b4d37937553

  • SSDEEP

    384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/LK:ljjAQ+BzWPEwnE+KHM2/G

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe
    "C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Windows\svhost.exe
      "C:\Windows\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    338KB

    MD5

    cf83fb8535773938dfaecb168a729fca

    SHA1

    b767019afe4740a878d01019c6d30fec0e1ba72b

    SHA256

    1eb8a1dca20230031cdb55d37a437d159f5628f9ded53308c27748ac69bcbc89

    SHA512

    622c455cbf47f753a19df9516cb59b8452feb92763f777ef2d1be708380d29cc62d055b4adf855fa830d7062975ca73632e2e264f749fc2f9704e8136fbf3e32

  • C:\Users\Admin\AppData\Local\Temp\auSS6ujYuoik4lM.exe

    Filesize

    17KB

    MD5

    8e7ab156a41725d6cf2b71df57c1e98b

    SHA1

    6a82ad9cdd8c70ff84b71ab0b442c7babf668dcc

    SHA256

    3867ad0b7a6eaf7516647fdf2e2381258c8283ea178a66bb020247dc79dfa038

    SHA512

    5814a89f94e007464409bf47ec2dd7bf4963bb24888621d99de75a3b52625ec71340b77e1fc4d2246079c08c72646c6ebd8d3b970d0bd385cd65ffb17b0d2a49

  • C:\Windows\svhost.exe

    Filesize

    16KB

    MD5

    5e7c375139b7453abd0b91a8a220f8e5

    SHA1

    88a3d645fab0f4129c1e485c90b593ab60e469ae

    SHA256

    36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8

    SHA512

    0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2