Malware Analysis Report

2024-11-30 05:57

Sample ID 240614-hc47fasdpk
Target 1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51
SHA256 1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51
Tags
persistence spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51

Threat Level: Shows suspicious behavior

The file 1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51 was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:36

Reported

2024-06-14 06:39

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | N/A
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe

"C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp
US | 8.8.8.8:53 | app.csvhost.info | udp

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Temp\zFg14FKtpk9Tv0T.exe

MD5 bb8afe144d034496bd70e7312e1ae486
SHA1 466c356b7c0cb5de6b70ac8913cd97f606cc9fef
SHA256 67b11baf831bd5fe60786db0a2f9b76bedecb0e8394c94dd71d4ce4b31f3555b
SHA512 b8efeac81d24baa2d2016e3c2808d478a5ddd80d45d56d09795d37e729721bbeedfc58fc4e9fe75e4dc844141a449939ae46e80c882eeaf6e4b41feed11426e8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 06:36

Reported

2024-06-14 06:39

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A
File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe

"C:\Users\Admin\AppData\Local\Temp\1943cc178ba7d1221f61686052259f025eea05affe544e9fbdfe69252f1f4b51.exe"

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | app.csvhost.info | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | app.csvhost.info | udp

Files

C:\Windows\svhost.exe

MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 f68d637c36446fa684b62407032e5783
SHA1 ca018fc8fed62128dc91a48d819198c70bc4540f
SHA256 508389bcd03ab0f83d9b31d6d45ef8d7053ccd5e654bf86a6710c967f2f38efe
SHA512 5c05c468cae0813011eb33e3de6f69958e07ff615566c7ea7d6ad75fa7957915ef19d96389650554eff52960094c46093f6fc9a746a602d5d799ff3356ee42df

C:\Users\Admin\AppData\Local\Temp\7feyC4ofWUsHfMq.exe

MD5 d5fb6442aa7d471f3704a3066929ff07
SHA1 03a345da46860731a0f7ac6eeca9196963c2a317
SHA256 a3be58460ecea8293f1b57ee05822a2a7ce3d86cd52f04bbb38f2be918d6eb89
SHA512 0b51a1ef3352bea7261973bcadb7d8e8cad427f8d48d236164fd593e3ce08b70c2ed8ef8f7892d4eed2494a7e29754a0b8da60dc3b0e7076031c4f367bab593a