24b18d92bcc1b63ca97e061acea2753d8f04b3f9e277fa4f02b10c549781e7f8

Analysis

max time kernel
92s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4abe9835736536c1cefa4e1d2d1276b0.exe
Size

16KB
MD5

4abe9835736536c1cefa4e1d2d1276b0
SHA1

717bbbf073a2db4e676d08eece54ca9d2d989b7e
SHA256

24b18d92bcc1b63ca97e061acea2753d8f04b3f9e277fa4f02b10c549781e7f8
SHA512

4d8e6650c2115b240bc14606d787d8c4ad9444b94bf5fce6febc2b26109d4f2621df3bc69ea5f02c961353c570c7444ce572c268284742e4628df3c3c89d70e3
SSDEEP

192:nx+uPBkqyIfgm64++u6gzYMzZ0dqsEq65+O0I5L0pJ/WDvd0EtITbKH62RTs2/fD:x+uPfoQ+DfYMzKdPEsOuubuEG3KHM2/b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3164	svhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	4abe9835736536c1cefa4e1d2d1276b0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	4abe9835736536c1cefa4e1d2d1276b0.exe
File created	C:\Windows\svhost.exe	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	4abe9835736536c1cefa4e1d2d1276b0.exe
Token: SeDebugPrivilege	3164	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 3164	2092	4abe9835736536c1cefa4e1d2d1276b0.exe	84
PID 2092 wrote to memory of 3164	2092	4abe9835736536c1cefa4e1d2d1276b0.exe	84
PID 2092 wrote to memory of 3164	2092	4abe9835736536c1cefa4e1d2d1276b0.exe	84

C:\Users\Admin\AppData\Local\Temp\4abe9835736536c1cefa4e1d2d1276b0.exe
"C:\Users\Admin\AppData\Local\Temp\4abe9835736536c1cefa4e1d2d1276b0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\svhost.exe
  "C:\Windows\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
338KB

MD5
cf10a4141122ef238551005a53067603

SHA1
39ea5be24c760706d7b8c37c65c8277374fe04a9

SHA256
d4f5fd43c9f60ec12343de00082b413d9643bddf718b1917d522c808d0a58f7a

SHA512
8f11764f3e6913b17befc84dc9eb7c8880a2d1805c4c100a2ba417c026fe74bdb7845bad08e0830fb025373158eeeea4da50fdcabda7fac95fcf7d45ad568b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhsTOer9JghUVtZ.exe

Filesize
16KB

MD5
d091ca37c075cfab4a48b4ea1df285a4

SHA1
3c07706da557845bc152c44a64976225dc49052e

SHA256
f1f37a2987069c289131c1d84dc6a845e36d4a00dedfe3eba2e0d6bb2b8c9986

SHA512
2c4b4baa1239a5e3a876345a850bcc7aa6b2c87a92f729fa1c17fcff011a51aeaacd00b086ae02420ffee5aa97230e47ec6e6f5bafb0bc53be0c5f5d3f7e666b

Download Submit
C:\Windows\svhost.exe

Filesize
16KB

MD5
76fd02b48297edb28940bdfa3fa1c48a

SHA1
bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce

SHA256
07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c

SHA512
28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads