Analysis Overview
SHA256
1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51
Threat Level: Shows suspicious behavior
The file 1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 06:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 06:36
Reported
2024-06-14 06:39
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1920 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | C:\Windows\svhost.exe |
| PID 1920 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | C:\Windows\svhost.exe |
| PID 1920 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | C:\Windows\svhost.exe |
| PID 1920 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe
"C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Temp\zFg14FKtpk9Tv0T.exe
| Hash | Value |
| --- | --- |
| MD5 | bb8afe144d034496bd70e7312e1ae486 |
| SHA1 | 466c356b7c0cb5de6b70ac8913cd97f606cc9fef |
| SHA256 | 67b11baf831bd5fe60786db0a2f9b76bedecb0e8394c94dd71d4ce4b31f3555b |
| SHA512 | b8efeac81d24baa2d2016e3c2808d478a5ddd80d45d56d09795d37e729721bbeedfc58fc4e9fe75e4dc844141a449939ae46e80c882eeaf6e4b41feed11426e8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 06:36
Reported
2024-06-14 06:39
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2152 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | C:\Windows\svhost.exe |
| PID 2152 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | C:\Windows\svhost.exe |
| PID 2152 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe
"C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe"
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
C:\Windows\svhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
| --- | --- |
| MD5 | f68d637c36446fa684b62407032e5783 |
| SHA1 | ca018fc8fed62128dc91a48d819198c70bc4540f |
| SHA256 | 508389bcd03ab0f83d9b31d6d45ef8d7053ccd5e654bf86a6710c967f2f38efe |
| SHA512 | 5c05c468cae0813011eb33e3de6f69958e07ff615566c7ea7d6ad75fa7957915ef19d96389650554eff52960094c46093f6fc9a746a602d5d799ff3356ee42df |
C:\Users\Admin\AppData\Local\Temp\7feyC4ofWUsHfMq.exe
| Hash | Value |
| --- | --- |
| MD5 | d5fb6442aa7d471f3704a3066929ff07 |
| SHA1 | 03a345da46860731a0f7ac6eeca9196963c2a317 |
| SHA256 | a3be58460ecea8293f1b57ee05822a2a7ce3d86cd52f04bbb38f2be918d6eb89 |
| SHA512 | 0b51a1ef3352bea7261973bcadb7d8e8cad427f8d48d236164fd593e3ce08b70c2ed8ef8f7892d4eed2494a7e29754a0b8da60dc3b0e7076031c4f367bab593a |