0e6d0b320bafe07d030b4be7f049daf9ba870f3a29bdab116a02f1de7677adeb

Analysis

max time kernel
31s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 10:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82b7a04e06de0dd5b20c7cc333df8010N.exe
Size

159KB
MD5

82b7a04e06de0dd5b20c7cc333df8010
SHA1

1133763a625ce6690ad5b0042b48688a9bcfd376
SHA256

0e6d0b320bafe07d030b4be7f049daf9ba870f3a29bdab116a02f1de7677adeb
SHA512

d3855d6ae90eb5b32d2b513b9bdf555b7893046bcd5c35ea2eab71ca5849ff10f401bd54ec15190b82d01fb6f7595ac4bd7ef4a2103c6fbff44eb3ac9512d4e9
SSDEEP

3072:th85+KsltciZzA10H38CXPdePLQDvp44gk513K+LLZ+asmvNhErCwpoCrTBgGCBk:thw+7TpZ73nVwyuDmVLZVUPoogi

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1224	8Rk1KlUmAJjEl7z.exe
2360	svhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2144	82b7a04e06de0dd5b20c7cc333df8010N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	82b7a04e06de0dd5b20c7cc333df8010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	82b7a04e06de0dd5b20c7cc333df8010N.exe
File created	C:\Windows\svhost.exe	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	82b7a04e06de0dd5b20c7cc333df8010N.exe
Token: SeDebugPrivilege	2360	svhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 1224	2144	82b7a04e06de0dd5b20c7cc333df8010N.exe	28
PID 2144 wrote to memory of 1224	2144	82b7a04e06de0dd5b20c7cc333df8010N.exe	28
PID 2144 wrote to memory of 1224	2144	82b7a04e06de0dd5b20c7cc333df8010N.exe	28
PID 2144 wrote to memory of 1224	2144	82b7a04e06de0dd5b20c7cc333df8010N.exe	28
PID 2144 wrote to memory of 2360	2144	82b7a04e06de0dd5b20c7cc333df8010N.exe	30
PID 2144 wrote to memory of 2360	2144	82b7a04e06de0dd5b20c7cc333df8010N.exe	30
PID 2144 wrote to memory of 2360	2144	82b7a04e06de0dd5b20c7cc333df8010N.exe	30
PID 2144 wrote to memory of 2360	2144	82b7a04e06de0dd5b20c7cc333df8010N.exe	30

C:\Users\Admin\AppData\Local\Temp\82b7a04e06de0dd5b20c7cc333df8010N.exe
"C:\Users\Admin\AppData\Local\Temp\82b7a04e06de0dd5b20c7cc333df8010N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\8Rk1KlUmAJjEl7z.exe
  C:\Users\Admin\AppData\Local\Temp\8Rk1KlUmAJjEl7z.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\svhost.exe
  "C:\Windows\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RequestWrite.exe

Filesize
440KB

MD5
67f5938503b04cabd2bbcba5b80ca993

SHA1
b03513494232351aa2e13419ac999caf617865e5

SHA256
1971cf5f10063a2f1223be7860af85a4d92695ed6f95097e05b4693cc72bdb5e

SHA512
771813a88631b121f6301171f7a0981dfdc8ce5d3c44d88ee6d118f8437e83ff24c91939b39193189d9c282273a91ecc4a49c53f609cd55792628aacc7fd0077

Download Submit
C:\Windows\svhost.exe

Filesize
16KB

MD5
76fd02b48297edb28940bdfa3fa1c48a

SHA1
bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce

SHA256
07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c

SHA512
28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

Download Submit
\Users\Admin\AppData\Local\Temp\8Rk1KlUmAJjEl7z.exe

Filesize
143KB

MD5
2fdb371d45181dff59577110ba1064e2

SHA1
42a5833cb0ac90e38d734d1327bb3f7c7a6aa453

SHA256
80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155

SHA512
52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

Download Submit
memory/1224-10-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/1224-11-0x00000000010B0000-0x00000000010D8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads