Analysis Overview
SHA256
b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c
Threat Level: Shows suspicious behavior
The file b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 02:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 02:36
Reported
2024-06-14 02:38
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2860 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | C:\Windows\svhost.exe |
| PID 2860 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | C:\Windows\svhost.exe |
| PID 2860 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | C:\Windows\svhost.exe |
| PID 2860 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe
"C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| MD5 | 5e7c375139b7453abd0b91a8a220f8e5 |
| SHA1 | 88a3d645fab0f4129c1e485c90b593ab60e469ae |
| SHA256 | 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8 |
| SHA512 | 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2 |
C:\Users\Admin\AppData\Local\Temp\vyhxbVMR1GAotK5.exe
| MD5 | 5d285d5dc9b25a2898607c58d547de68 |
| SHA1 | c86a0540eec9bf680b984b7f258140e4f56fc1d4 |
| SHA256 | 8a4d8db5276009c0369fc25d83b9e5465e98cbb1f0742a71ecda814cde0c5448 |
| SHA512 | 2f705f7a137d188230bbbb6d0d09e16f3594a675377a96e8c9986a9ee7d2768ee9b9240bcdd797ccd2dc89918d12b4df5f6f01a4d18cd988eb11980e1e96c853 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 02:36
Reported
2024-06-14 02:39
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1120 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | C:\Windows\svhost.exe |
| PID 1120 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | C:\Windows\svhost.exe |
| PID 1120 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe
"C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
C:\Windows\svhost.exe
| MD5 | 5e7c375139b7453abd0b91a8a220f8e5 |
| SHA1 | 88a3d645fab0f4129c1e485c90b593ab60e469ae |
| SHA256 | 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8 |
| SHA512 | 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | cf83fb8535773938dfaecb168a729fca |
| SHA1 | b767019afe4740a878d01019c6d30fec0e1ba72b |
| SHA256 | 1eb8a1dca20230031cdb55d37a437d159f5628f9ded53308c27748ac69bcbc89 |
| SHA512 | 622c455cbf47f753a19df9516cb59b8452feb92763f777ef2d1be708380d29cc62d055b4adf855fa830d7062975ca73632e2e264f749fc2f9704e8136fbf3e32 |
C:\Users\Admin\AppData\Local\Temp\auSS6ujYuoik4lM.exe
| MD5 | 8e7ab156a41725d6cf2b71df57c1e98b |
| SHA1 | 6a82ad9cdd8c70ff84b71ab0b442c7babf668dcc |
| SHA256 | 3867ad0b7a6eaf7516647fdf2e2381258c8283ea178a66bb020247dc79dfa038 |
| SHA512 | 5814a89f94e007464409bf47ec2dd7bf4963bb24888621d99de75a3b52625ec71340b77e1fc4d2246079c08c72646c6ebd8d3b970d0bd385cd65ffb17b0d2a49 |