b474b15d0895ef9f6bd317c0aa884878360701f96e98ed5006529e2c53acb8cd

Analysis

max time kernel
134s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SkypeC0SvcService.exe
Size

7.7MB
MD5

f5fe906f801d99fafa8a9e0584a37008
SHA1

a80175b91e3f9606e63dd0d9a9271e23bbe10321
SHA256

10b12825603dc3f1946bfd4e7cbebda5885fe4fccaeb0df8b6e862ad3dad720b
SHA512

ae149680b212cf0b7f11d841cede275d8e510d3af86c96d75ff75802a8543773a5b7fc9d4c84d4d5fa486d2ddf27129cc42e70d0ea34ca2624f14152ba7497de
SSDEEP

98304:aj7VmLVY+KTszb9eg6eXP+WFtJpoWHy+k6Rftuqy5HnoBWQ4O8fIZr3v7vo+15e9:aj7q5BeDofvyZe4rItfM5fyEFP

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\usbhubsvc4\Parameters\ServiceDLL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msimg32.dll"	SkypeC0SvcService.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	SkypeC0SvcService.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update Manager.lnk	SkypeC0SvcService.exe

Loads dropped DLL 7 IoCs

pid	Process
4284	SkypeC0SvcService.exe
4284	SkypeC0SvcService.exe
4284	SkypeC0SvcService.exe
4284	SkypeC0SvcService.exe
4284	SkypeC0SvcService.exe
4284	SkypeC0SvcService.exe
4284	SkypeC0SvcService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SkypeC0SvcService.exe = "C:\\Windows\\system32\\regsvr32.exe /s scrrun.dll \"C:\\Users\\Admin\\AppData\\Local\\Temp\\msimg32.dll\" htvrh666 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SkypeC0SvcService.exe\" r"	SkypeC0SvcService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	SkypeC0SvcService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SkypeC0SvcService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SkypeC0SvcService.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4284	SkypeC0SvcService.exe
4284	SkypeC0SvcService.exe
4284	SkypeC0SvcService.exe
4284	SkypeC0SvcService.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4284	SkypeC0SvcService.exe
Token: SeShutdownPrivilege	4284	SkypeC0SvcService.exe
Token: SeDebugPrivilege	4284	SkypeC0SvcService.exe

C:\Users\Admin\AppData\Local\Temp\SkypeC0SvcService.exe
"C:\Users\Admin\AppData\Local\Temp\SkypeC0SvcService.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "MsHubSvc4" -svcr "SkypeC0SvcService.exe"
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeamViewer.ini

Filesize
154B

MD5
5b71453ec471c85212da6fd1cc8d6faf

SHA1
68f126c3207a723dea81a07315f63f7bfc76424f

SHA256
11171890b6a5de0df0289fbba78fe8c3e47b3cf77866e60abba0170c3ac2043c

SHA512
15b8bbe8fab86b8dbeab48795d7fe09665b3bed0f6068b1129e634d06ccfde202210fa6e700e184cf85702c0016fb0432f3bf33a091dc246eef09c3f61087fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_en.dll

Filesize
285KB

MD5
5850b0e30cb6493170ea8d073f34766c

SHA1
d80b0181edca5be738f8c1c4355c4785d0360d06

SHA256
97f8b0f6307156c0c74f3309195c376e5d816b3dbd65048c241a8b7e9233eeda

SHA512
a1a8ee334ef763a78214fbc6a915e9adbf0cdbafb6694fac6e70cb68f2aacfcad945c7b4629bf3b729e8b9b3fcd7956c04a63c89fb6bda7111f41f9c8cb96144

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer_StaticRes.dll

Filesize
2.5MB

MD5
4202e46ac536822fd7043c38e66d0ec8

SHA1
c8908477b539931168e9437d4e17e7c33fb10141

SHA256
542075ba11aaa6c1961985818dc4bb9e1a13afffeaef3514389444db18938fb4

SHA512
20210b8dd54b7ca527e69699ae02d6b1c1733e8e3c8ae797994d24b2134e91d4dbc8345b9a4757ded6a34f460d9ec88b1c133202718e342c9045c77de2bd784d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tv_w32.dll

Filesize
66KB

MD5
55b4875e6dd84b1a547a91a789515dfb

SHA1
ad598670ced636134f85c744f6283a16e3766d1f

SHA256
a0791b2f732fdd0c26483d9ef2d77e720d9ba267f887eccadff227bcf247a0a9

SHA512
d9dc737c25a56503bba8f3a2fa030c3dc1fe62f4313cb307203cdcac164fd6bb2fa2ab87be6806d4cf3d1ed1ec880a1c7f3d866e61c3a6005ca400ff9f99459a

Download Submit
memory/4284-7-0x0000000075330000-0x0000000075331000-memory.dmp

Filesize
4KB

Download
memory/4284-10-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/4284-16-0x0000000075310000-0x0000000075400000-memory.dmp

Filesize
960KB

Download
memory/4284-6-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/4284-22-0x0000000075310000-0x0000000075400000-memory.dmp

Filesize
960KB

Download
memory/4284-1-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/4284-0-0x0000000074A00000-0x0000000074A16000-memory.dmp

Filesize
88KB

Download
memory/4284-33-0x0000000004D90000-0x0000000004DB7000-memory.dmp

Filesize
156KB

Download
memory/4284-37-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/4284-38-0x0000000075310000-0x0000000075400000-memory.dmp

Filesize
960KB

Download
memory/4284-39-0x0000000075310000-0x0000000075400000-memory.dmp

Filesize
960KB

Download