Analysis Overview
SHA256
ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd
Threat Level: Shows suspicious behavior
The file ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 03:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 03:16
Reported
2024-06-14 03:18
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\spOU4bKmwHqFUSo.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe
"C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe"
C:\Users\Admin\AppData\Local\Temp\spOU4bKmwHqFUSo.exe
C:\Users\Admin\AppData\Local\Temp\spOU4bKmwHqFUSo.exe
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\spOU4bKmwHqFUSo.exe
| Hash | Value |
| --- | --- |
| MD5 | 2ffc9a24492c0a1af4d562f0c7608aa5 |
| SHA1 | 1fd5ff6136fba36e9ee22598ecd250af3180ee53 |
| SHA256 | 69828c857d4824b9f850b1e0597d2c134c91114b7a0774c41dffe33b0eb23721 |
| SHA512 | 03806d162931b1dcf036a51e753ff073a43664491a3cd2e649e55dd77d5e910f7bcf1e217eb0889ef606457b679428640e975ee227de941a200f652417bc6d5d |
C:\Windows\svhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Temp\spOU4bKmwHqFUSo.exe
| Hash | Value |
| --- | --- |
| MD5 | 3d280465f90c18f551fed615ef3ef6cb |
| SHA1 | 11caafd20a00aebaef3149826dbdbe15149004dd |
| SHA256 | 5a3393edc493423bffb631a9d34d01f133dd94e4753d707f5cea48682662ccb9 |
| SHA512 | a94f5adb8a791bae30afe2feaf3f984d86ce88107283c4ef06decc9d4b6d4a1fa4a386ce469e871b313ac5bca79109914895e77534ac4de4abb2631857cadb52 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 03:16
Reported
2024-06-14 03:18
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LovCi6HYZEcbPU9.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3080 wrote to memory of 4648 | N/A | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | C:\Users\Admin\AppData\Local\Temp\LovCi6HYZEcbPU9.exe |
| PID 3080 wrote to memory of 4648 | N/A | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | C:\Users\Admin\AppData\Local\Temp\LovCi6HYZEcbPU9.exe |
| PID 3080 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | C:\Windows\svhost.exe |
| PID 3080 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | C:\Windows\svhost.exe |
| PID 3080 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe
"C:\Users\Admin\AppData\Local\Temp\ba2ee72bcb18e987c63e2bd1c24f6b43d82d5e74d537d42f0b0b545f37c4dfdd.exe"
C:\Users\Admin\AppData\Local\Temp\LovCi6HYZEcbPU9.exe
C:\Users\Admin\AppData\Local\Temp\LovCi6HYZEcbPU9.exe
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\LovCi6HYZEcbPU9.exe
| Hash | Value |
| --- | --- |
| MD5 | 2ffc9a24492c0a1af4d562f0c7608aa5 |
| SHA1 | 1fd5ff6136fba36e9ee22598ecd250af3180ee53 |
| SHA256 | 69828c857d4824b9f850b1e0597d2c134c91114b7a0774c41dffe33b0eb23721 |
| SHA512 | 03806d162931b1dcf036a51e753ff073a43664491a3cd2e649e55dd77d5e910f7bcf1e217eb0889ef606457b679428640e975ee227de941a200f652417bc6d5d |
C:\Windows\svhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
| --- | --- |
| MD5 | 135b8120d9767e95de63c7ddf28f85bd |
| SHA1 | 392503253bb324985e5a196be65e3ed58b6bc8c1 |
| SHA256 | 9698e4f0375803a4fd5c3a2503814ab7d85623d2798fc5c2e61f4ab0e9c05377 |
| SHA512 | a10b47e4442fa4c53961aa969133adc3e591f4ec20be0fc2f73d290b88090b223b2d82b2fc30290715f15e52968375f47a0b06538a0668a1202ad6e2179c079a |