Malware Analysis Report

2024-11-15 06:33

Sample ID 240614-c3snfawcqj
Target b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c
SHA256 b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c
Tags: persistence, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c

Threat level: shows suspicious behavior

The file b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c was found to show suspicious behavior in both detonations (Windows 7 and Windows 10, see behavioral1 and behavioral2 below). The report assigns no malware family; the score rests on the persistence, dropper and privilege-related behaviors listed in the summary.

Malicious Activity Summary

Tags: persistence, spyware, stealer

Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

Points to keep in mind when reading the detonation details below:

The sample drops C:\Windows\svhost.exe (SHA256 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8, a different file from the sample itself). The name is one character short of the legitimate svchost.exe, and the drop location is the Windows directory rather than System32, so a process listing or a Run-key audit that only checks for "svchost" will miss it. Both the original process and the dropped process register it under the Run value "Winhost".

The Run value is written under HKLM\SOFTWARE\Wow6432Node\...\Run, which is where WOW64 registry redirection sends a 32-bit process writing the Run key on 64-bit Windows; the sample is therefore a 32-bit executable running on a 64-bit OS in both detonations.

Creating a file in C:\Windows and writing an HKLM Run value both require administrative rights. Both succeeded here, which indicates the sample ran elevated (the sandbox user is Admin). On a standard-user account without elevation these two operations fail and the machine-wide persistence is not established.

Both processes enable SeDebugPrivilege. Together with the WriteProcessMemory signature this is consistent with process injection, but the report records no target process for either signature, so the injection target, if any, is not established here.

The browser-data signature carries tags only: no file paths are recorded in either detonation, so which browser profiles were read is not shown by this report.

On the network side, the only traffic attributable to the sample is a DNS query (via 8.8.8.8) for app.csvhost.info. No TCP connection to a resolved address for that name appears in either capture, so either the name did not resolve during the run or the follow-on traffic fell outside the capture window. The bing.com connections and the in-addr.arpa reverse lookups in behavioral2 are not attributed to a process in this report and should not be used as indicators for this sample without that attribution.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-14 02:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 02:36
Reported: 2024-06-14 02:38
Platform: win7-20240220-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe

"C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp

Files

C:\Windows\svhost.exe

MD5 5e7c375139b7453abd0b91a8a220f8e5
SHA1 88a3d645fab0f4129c1e485c90b593ab60e469ae
SHA256 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
SHA512 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2

C:\Users\Admin\AppData\Local\Temp\vyhxbVMR1GAotK5.exe

MD5 5d285d5dc9b25a2898607c58d547de68
SHA1 c86a0540eec9bf680b984b7f258140e4f56fc1d4
SHA256 8a4d8db5276009c0369fc25d83b9e5465e98cbb1f0742a71ecda814cde0c5448
SHA512 2f705f7a137d188230bbbb6d0d09e16f3594a675377a96e8c9986a9ee7d2768ee9b9240bcdd797ccd2dc89918d12b4df5f6f01a4d18cd988eb11980e1e96c853

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 02:36
Reported: 2024-06-14 02:39
Platform: win10v2004-20240611-en
Max time kernel: 150s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe

"C:\Users\Admin\AppData\Local\Temp\b60e9c145eaab63db88cad3eb6f42eb9aa101cf50b67abe8924f55bdeae4e29c.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

C:\Windows\svhost.exe

MD5 5e7c375139b7453abd0b91a8a220f8e5
SHA1 88a3d645fab0f4129c1e485c90b593ab60e469ae
SHA256 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
SHA512 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 cf83fb8535773938dfaecb168a729fca
SHA1 b767019afe4740a878d01019c6d30fec0e1ba72b
SHA256 1eb8a1dca20230031cdb55d37a437d159f5628f9ded53308c27748ac69bcbc89
SHA512 622c455cbf47f753a19df9516cb59b8452feb92763f777ef2d1be708380d29cc62d055b4adf855fa830d7062975ca73632e2e264f749fc2f9704e8136fbf3e32

C:\Users\Admin\AppData\Local\Temp\auSS6ujYuoik4lM.exe

MD5 8e7ab156a41725d6cf2b71df57c1e98b
SHA1 6a82ad9cdd8c70ff84b71ab0b442c7babf668dcc
SHA256 3867ad0b7a6eaf7516647fdf2e2381258c8283ea178a66bb020247dc79dfa038
SHA512 5814a89f94e007464409bf47ec2dd7bf4963bb24888621d99de75a3b52625ec71340b77e1fc4d2246079c08c72646c6ebd8d3b970d0bd385cd65ffb17b0d2a49
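The indicators recorded in behavioral1 and behavioral2 (the Run value Winhost pointing at C:\Windows\svhost.exe, the dropped file's SHA256, and the DNS query for app.csvhost.info) can be turned directly into host-telemetry detection logic. The routine below is an added example written for this page; it is not code from the sandbox or from the report, and the event records it checks are constructed to resemble Sysmon-style registry, file and DNS events rather than taken from the detonation. It goes slightly beyond the report in one respect: rather than matching only the name svhost.exe, it flags any file name within one edit of svchost.exe, which also catches names such as svch0st.exe or svchosts.exe.

```python
"""Match host telemetry against the indicators in this report.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
for illustration and is not the detonation's telemetry.
"""
import re

# Indicators copied from the behavioral1 / behavioral2 sections of the report.
RUN_VALUE_NAME = "Winhost"
DROPPED_PATH = r"C:\Windows\svhost.exe"
DROPPED_SHA256 = "36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8"
QUERIED_DOMAIN = "app.csvhost.info"

# HKLM Run key in both the native view and the Wow6432Node view that a
# 32-bit process is redirected to on 64-bit Windows (the view seen in the report).
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432NODE\\)?MICROSOFT\\WINDOWS"
    r"\\CURRENTVERSION\\RUN\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalikes of a legitimate binary name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_svchost_lookalike(path: str) -> bool:
    """True for a file name one edit away from svchost.exe that is not svchost.exe.

    Catches svhost.exe from this report and, beyond the report, names such as
    svch0st.exe (substitution) or svchosts.exe (insertion). Transpositions like
    scvhost.exe are distance 2 under plain Levenshtein and are not caught.
    """
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name != "svchost.exe" and edit_distance(name, "svchost.exe") == 1


def _registry_target(data: str) -> str:
    """Normalise a Run value as the report prints it ("C:\\\\Windows\\\\svhost.exe")."""
    return data.strip('"').replace("\\\\", "\\")


def evaluate(events):
    """Return one alert string per event that matches a report indicator."""
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            m = RUN_KEY_RE.match(ev["key"])
            if m:
                value_name = m.group("name")
                target = _registry_target(ev["data"])
                if (value_name.lower() == RUN_VALUE_NAME.lower()
                        or target.lower() == DROPPED_PATH.lower()
                        or is_svchost_lookalike(target)):
                    alerts.append(f"persistence: Run\\{value_name} -> {target}")
        elif kind == "file_create":
            if ev.get("sha256", "").lower() == DROPPED_SHA256:
                alerts.append(f"dropped payload (hash match): {ev['path']}")
            elif is_svchost_lookalike(ev["path"]):
                alerts.append(f"svchost lookalike written: {ev['path']}")
        elif kind == "dns_query":
            q = ev["query"].lower().rstrip(".")
            if q == QUERIED_DOMAIN or q.endswith("." + QUERIED_DOMAIN):
                alerts.append(f"dns: query for {ev['query']}")
    return alerts


# Constructed sample telemetry: three records mirror the report's indicators,
# three are benign noise (legitimate svchost.exe, an unrelated Run value, bing).
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\svhost.exe", "sha256": DROPPED_SHA256},
    {"type": "registry_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost",
     "data": r'"C:\\Windows\\svhost.exe"'},
    {"type": "dns_query", "query": "app.csvhost.info"},
    {"type": "file_create", "path": r"C:\Windows\System32\svchost.exe", "sha256": "0" * 64},
    {"type": "registry_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\OneDrive\OneDrive.exe"'},
    {"type": "dns_query", "query": "www.bing.com"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the routine raises exactly three alerts (hash match on the dropped file, the Winhost Run value, the app.csvhost.info query) and stays quiet on the legitimate System32\svchost.exe, the unrelated Run value and the bing.com lookup. The hash check is the most precise signal but breaks as soon as the dropper is rebuilt; the Run-value and lookalike-name checks survive that and are the ones worth keeping in a hunt query.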