0e6d0b320bafe07d030b4be7f049daf9ba870f3a29bdab116a02f1de7677adeb

Analysis

max time kernel
104s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 10:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82b7a04e06de0dd5b20c7cc333df8010N.exe
Size

159KB
MD5

82b7a04e06de0dd5b20c7cc333df8010
SHA1

1133763a625ce6690ad5b0042b48688a9bcfd376
SHA256

0e6d0b320bafe07d030b4be7f049daf9ba870f3a29bdab116a02f1de7677adeb
SHA512

d3855d6ae90eb5b32d2b513b9bdf555b7893046bcd5c35ea2eab71ca5849ff10f401bd54ec15190b82d01fb6f7595ac4bd7ef4a2103c6fbff44eb3ac9512d4e9
SSDEEP

3072:th85+KsltciZzA10H38CXPdePLQDvp44gk513K+LLZ+asmvNhErCwpoCrTBgGCBk:thw+7TpZ73nVwyuDmVLZVUPoogi

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4528	tlDD8w1PiOBC1Y4.exe
2996	svhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	82b7a04e06de0dd5b20c7cc333df8010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	82b7a04e06de0dd5b20c7cc333df8010N.exe
File created	C:\Windows\svhost.exe	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	82b7a04e06de0dd5b20c7cc333df8010N.exe
Token: SeDebugPrivilege	2996	svhost.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 4528	2208	82b7a04e06de0dd5b20c7cc333df8010N.exe	84
PID 2208 wrote to memory of 4528	2208	82b7a04e06de0dd5b20c7cc333df8010N.exe	84
PID 2208 wrote to memory of 2996	2208	82b7a04e06de0dd5b20c7cc333df8010N.exe	86
PID 2208 wrote to memory of 2996	2208	82b7a04e06de0dd5b20c7cc333df8010N.exe	86
PID 2208 wrote to memory of 2996	2208	82b7a04e06de0dd5b20c7cc333df8010N.exe	86

C:\Users\Admin\AppData\Local\Temp\82b7a04e06de0dd5b20c7cc333df8010N.exe
"C:\Users\Admin\AppData\Local\Temp\82b7a04e06de0dd5b20c7cc333df8010N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\tlDD8w1PiOBC1Y4.exe
  C:\Users\Admin\AppData\Local\Temp\tlDD8w1PiOBC1Y4.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\svhost.exe
  "C:\Windows\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
339KB

MD5
0305dae117c3643efafc381c8a62071e

SHA1
eb10b7743ec15a86ed9958c8b415124230da9558

SHA256
c34013cc0256d581071493a8e81ddc4b8678b701256adcd1f36f72a2de4613cb

SHA512
f39fc63f862b12608dabbac64c39c8ed1e564d980560e6c4f879fe095e86e95a1de58c4a6089fe4673bbfaa178be1d6e7e415a6dfcd37950069fb469e6f75572

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlDD8w1PiOBC1Y4.exe

Filesize
143KB

MD5
2fdb371d45181dff59577110ba1064e2

SHA1
42a5833cb0ac90e38d734d1327bb3f7c7a6aa453

SHA256
80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155

SHA512
52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

Download Submit
C:\Windows\svhost.exe

Filesize
16KB

MD5
76fd02b48297edb28940bdfa3fa1c48a

SHA1
bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce

SHA256
07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c

SHA512
28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

Download Submit
memory/4528-8-0x00007FFDB5E43000-0x00007FFDB5E45000-memory.dmp

Filesize
8KB

Download
memory/4528-10-0x0000000000B00000-0x0000000000B28000-memory.dmp

Filesize
160KB

Download
memory/4528-24-0x00007FFDB5E40000-0x00007FFDB6901000-memory.dmp

Filesize
10.8MB

Download
memory/4528-32-0x00007FFDB5E40000-0x00007FFDB6901000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads