db1fa616ac84d4bd108f8c2fd15b06e0b1add98933f3b54414fcb6b248fcccec

Analysis

max time kernel
91s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 10:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

db1fa616ac84d4bd108f8c2fd15b06e0b1add98933f3b54414fcb6b248fcccec.exe
Size

17KB
MD5

09a6ec275881cae7d8c56940f685340b
SHA1

6566cf8a7fc7cd2e0bd755f79ee4007de8f9cb41
SHA256

db1fa616ac84d4bd108f8c2fd15b06e0b1add98933f3b54414fcb6b248fcccec
SHA512

fad1332ca928ff3cbd89c29f1c1e3322c5312c964123ee5232d2e64d6b94e6a257d320e0be482445eadf43f234e1822e1354dce43549c55b872b41d1581af049
SSDEEP

384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/br:ljjAQ+BzWPEwnE+KHM2/br

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3776	svhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	db1fa616ac84d4bd108f8c2fd15b06e0b1add98933f3b54414fcb6b248fcccec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	db1fa616ac84d4bd108f8c2fd15b06e0b1add98933f3b54414fcb6b248fcccec.exe
File created	C:\Windows\svhost.exe	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	db1fa616ac84d4bd108f8c2fd15b06e0b1add98933f3b54414fcb6b248fcccec.exe
Token: SeDebugPrivilege	3776	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 3776	3412	db1fa616ac84d4bd108f8c2fd15b06e0b1add98933f3b54414fcb6b248fcccec.exe	86
PID 3412 wrote to memory of 3776	3412	db1fa616ac84d4bd108f8c2fd15b06e0b1add98933f3b54414fcb6b248fcccec.exe	86
PID 3412 wrote to memory of 3776	3412	db1fa616ac84d4bd108f8c2fd15b06e0b1add98933f3b54414fcb6b248fcccec.exe	86

C:\Users\Admin\AppData\Local\Temp\db1fa616ac84d4bd108f8c2fd15b06e0b1add98933f3b54414fcb6b248fcccec.exe
"C:\Users\Admin\AppData\Local\Temp\db1fa616ac84d4bd108f8c2fd15b06e0b1add98933f3b54414fcb6b248fcccec.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\svhost.exe
  "C:\Windows\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
338KB

MD5
068480611de6c66e3bfc26519d829bcb

SHA1
fa76c2e5fb1928415fac2b2863da14bfdf13aafa

SHA256
f94d0fcc34846d00fd0900b8f423fc87cd8aedcfe583af5fc35164b5edcb3840

SHA512
e774b60667578a91761368bbc8c1527f99c5973f9b22f8b6c76131e8ed54733f0a9ad62afa653c05e39a8a26bd3bc60042217998f30ce2b4a46b005006c1d779

Download Submit
C:\Users\Admin\AppData\Local\Temp\90oOzztqCPSW7ro.exe

Filesize
17KB

MD5
b63637ef51e54cff9773806b04544499

SHA1
5c3fd7498ac6a3f6b255cdb744b645c99243c858

SHA256
5191ba44c1e374d6cf85847578f5ef43083aa052335dc1f49d30e93691f334f9

SHA512
f945cbb78a3cf6ac989b598a36e36533a0b3f3161a3ac53e8653ba6ecc987abe915444db287b4afb1e51a86ce6c48df3d90bbd0c2315cd0ca1a1b52e2e365a65

Download Submit
C:\Windows\svhost.exe

Filesize
16KB

MD5
5e7c375139b7453abd0b91a8a220f8e5

SHA1
88a3d645fab0f4129c1e485c90b593ab60e469ae

SHA256
36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8

SHA512
0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads