cef8e90d5a15590821cc253a0cbd4bddd97399bfe5b7bb8b7603e8de24691c29

Analysis

max time kernel
140s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cef8e90d5a15590821cc253a0cbd4bddd97399bfe5b7bb8b7603e8de24691c29.exe
Size

17KB
MD5

1dea835620e02f77feabddce6e420ad8
SHA1

a2fe9faa3bf87020916dedf40c44792d9f3c0e92
SHA256

cef8e90d5a15590821cc253a0cbd4bddd97399bfe5b7bb8b7603e8de24691c29
SHA512

61e7bebbe39cba48fdb4a70c8c512877901a848289c1147388d64082f32a68cf4c983c6e37ad0d7e2488ae4afbbcc8b67b5d67a99dac728dd2c7d1b173cb4235
SSDEEP

384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/AvJb:ljjAQ+BzWPEwnE+KHM2/Q9

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
976	svhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	cef8e90d5a15590821cc253a0cbd4bddd97399bfe5b7bb8b7603e8de24691c29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	cef8e90d5a15590821cc253a0cbd4bddd97399bfe5b7bb8b7603e8de24691c29.exe
File created	C:\Windows\svhost.exe	svhost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cef8e90d5a15590821cc253a0cbd4bddd97399bfe5b7bb8b7603e8de24691c29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	cef8e90d5a15590821cc253a0cbd4bddd97399bfe5b7bb8b7603e8de24691c29.exe
Token: SeDebugPrivilege	976	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 976	1852	cef8e90d5a15590821cc253a0cbd4bddd97399bfe5b7bb8b7603e8de24691c29.exe	93
PID 1852 wrote to memory of 976	1852	cef8e90d5a15590821cc253a0cbd4bddd97399bfe5b7bb8b7603e8de24691c29.exe	93
PID 1852 wrote to memory of 976	1852	cef8e90d5a15590821cc253a0cbd4bddd97399bfe5b7bb8b7603e8de24691c29.exe	93

C:\Users\Admin\AppData\Local\Temp\cef8e90d5a15590821cc253a0cbd4bddd97399bfe5b7bb8b7603e8de24691c29.exe
"C:\Users\Admin\AppData\Local\Temp\cef8e90d5a15590821cc253a0cbd4bddd97399bfe5b7bb8b7603e8de24691c29.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\svhost.exe
  "C:\Windows\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2820,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
1⤵
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
339KB

MD5
1d58d3df0d1a7381ae2e3b34c0d1e80b

SHA1
25a833ee21f11067c2aef38f17762f074014271a

SHA256
6bca369464f7342779f811803a7ee401979a4a5cc5ec590215f1387ab1f3e0b8

SHA512
93194220a81bc3ebf17fc88e97d60dc715324f7629254f9027fb0ac9d87950e99ae27ec4938bcb35084f9e3e1c22d634bda8f84a92610dfce35c9619ed05cf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3wpy3nYMpE4WQ2.exe

Filesize
17KB

MD5
5e4cdb4360ad20b7dc572c32d5cf0f14

SHA1
e50b04f8287057be61fd8599c42c8e48d521d316

SHA256
2d725ee6356d97134ce32e681873c470d0574f054014a6fc4c94aef0f4c4445e

SHA512
5ae823a838c4d21b6138e385f4b3430f9e523a4421291e4e35506c75c2575cd60d7613e778c81a99fcdcb13d0e38fb9e99bdef98f8f12b13406a5f0fb1df80f1

Download Submit
C:\Windows\svhost.exe

Filesize
16KB

MD5
5e7c375139b7453abd0b91a8a220f8e5

SHA1
88a3d645fab0f4129c1e485c90b593ab60e469ae

SHA256
36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8

SHA512
0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads