Malware Analysis Report

2024-11-15 06:33

Sample ID 240614-dsmvwatarb
Target ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd
SHA256 ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd
Tags: persistence spyware stealer
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd

Threat Level: Shows suspicious behavior

The file ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-14 03:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 03:16
Reported: 2024-06-14 03:18
Platform: win7-20231129-en
Max time kernel: 118s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\spOU4bKmwHqFUSo.exe N/A
N/A N/A C:\Windows\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" C:\Windows\svhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe N/A
File created C:\Windows\svhost.exe C:\Windows\svhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svhost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe

"C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe"

C:\Users\Admin\AppData\Local\Temp\spOU4bKmwHqFUSo.exe

C:\Users\Admin\AppData\Local\Temp\spOU4bKmwHqFUSo.exe

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 app.csvhost.info udp

Files

C:\Users\Admin\AppData\Local\Temp\spOU4bKmwHqFUSo.exe

MD5 2ffc9a24492c0a1af4d562f0c7608aa5
SHA1 1fd5ff6136fba36e9ee22598ecd250af3180ee53
SHA256 69828c857d4824b9f850b1e0597d2c134c91114b7a0774c41dffe33b0eb23721
SHA512 03806d162931b1dcf036a51e753ff073a43664491a3cd2e649e55dd77d5e910f7bcf1e217eb0889ef606457b679428640e975ee227de941a200f652417bc6d5d

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Temp\spOU4bKmwHqFUSo.exe

MD5 3d280465f90c18f551fed615ef3ef6cb
SHA1 11caafd20a00aebaef3149826dbdbe15149004dd
SHA256 5a3393edc493423bffb631a9d34d01f133dd94e4753d707f5cea48682662ccb9
SHA512 a94f5adb8a791bae30afe2feaf3f984d86ce88107283c4ef06decc9d4b6d4a1fa4a386ce469e871b313ac5bca79109914895e77534ac4de4abb2631857cadb52

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 03:16
Reported: 2024-06-14 03:18
Platform: win10v2004-20240611-en
Max time kernel: 93s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LovCi6HYZEcbPU9.exe N/A
N/A N/A C:\Windows\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" C:\Windows\svhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svhost.exe C:\Windows\svhost.exe N/A
File created C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svhost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe

"C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe"

C:\Users\Admin\AppData\Local\Temp\LovCi6HYZEcbPU9.exe

C:\Users\Admin\AppData\Local\Temp\LovCi6HYZEcbPU9.exe

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 app.csvhost.info udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\LovCi6HYZEcbPU9.exe

MD5 2ffc9a24492c0a1af4d562f0c7608aa5
SHA1 1fd5ff6136fba36e9ee22598ecd250af3180ee53
SHA256 69828c857d4824b9f850b1e0597d2c134c91114b7a0774c41dffe33b0eb23721
SHA512 03806d162931b1dcf036a51e753ff073a43664491a3cd2e649e55dd77d5e910f7bcf1e217eb0889ef606457b679428640e975ee227de941a200f652417bc6d5d

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 135b8120d9767e95de63c7ddf28f85bd
SHA1 392503253bb324985e5a196be65e3ed58b6bc8c1
SHA256 9698e4f0375803a4fd5c3a2503814ab7d85623d2798fc5c2e61f4ab0e9c05377
SHA512 a10b47e4442fa4c53961aa969133adc3e591f4ec20be0fc2f73d290b88090b223b2d82b2fc30290715f15e52968375f47a0b06538a0668a1202ad6e2179c079a