Analysis
- Max time kernel: 9s
- Max time network: 16s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 24-08-2021 06:08

- Static task: static1
- Behavioral task: behavioral1 (Sample: scvhost.exe, Resource: win7v20210408)
- Behavioral task: behavioral2 (Sample: scvhost.exe, Resource: win10v20210410)
General
- Target: scvhost.exe
- Size: 398KB
- MD5: 6d48770e0812501ee714453e729d4936
- SHA1: b5852d71c699358a00ff3d6034fab1bddb396647
- SHA256: cc9edc887142fc50112db7bad99afc39518c2e132413b1d0a548fc1f267ea628
- SHA512: 65e62eb4a5aff5792fd6cbf44ee1a3bd0fe36cb69ae341fa6c4fc45847c5623b9a7446c98ef775234bd43b39a15e3fe1c6af775158e7e2047261670292e7824f
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  Processes: PID 1696 scvhost.exe

- Resource / yara_rule (upx)
  C:\Users\Admin\AppData\Roaming\scvhost.exe: upx (2 entries)
  \Users\Admin\AppData\Roaming\scvhost.exe: upx (4 entries)

- Loads dropped DLL (4 IoCs)
  Processes: PID 1768 scvhost.exe (4 entries)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (process: scvhost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\scvhost.exe" (process: scvhost.exe)

- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: scvhost.exe, scvhost.exe
  File opened (read-only): \??\a:, \??\b:, and \??\e: through \??\z: (24 drive letters, each listed twice for a total of 48 entries; c: and d: do not appear in the list)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- NTFS ADS (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\scvhost.exe:Zone.Identifier (process: cmd.exe)

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 1696 scvhost.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1768 scvhost.exe wrote to memory of PID 300 cmd.exe (4 entries)
  PID 1768 scvhost.exe wrote to memory of PID 1696 scvhost.exe (4 entries)
Processes (process tree; indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\scvhost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C echo. > "C:\Users\Admin\AppData\Roaming\scvhost.exe":Zone.Identifier
    - NTFS ADS

  C:\Users\Admin\AppData\Roaming\scvhost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\scvhost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Roaming\scvhost.exe
  MD5: 6d48770e0812501ee714453e729d4936
  SHA1: b5852d71c699358a00ff3d6034fab1bddb396647
  SHA256: cc9edc887142fc50112db7bad99afc39518c2e132413b1d0a548fc1f267ea628
  SHA512: 65e62eb4a5aff5792fd6cbf44ee1a3bd0fe36cb69ae341fa6c4fc45847c5623b9a7446c98ef775234bd43b39a15e3fe1c6af775158e7e2047261670292e7824f
  (The report lists this file six times, twice as C:\Users\Admin\AppData\Roaming\scvhost.exe and four times as \Users\Admin\AppData\Roaming\scvhost.exe, all with the same hashes, which match the submitted sample listed under General.)

- C:\Users\Admin\AppData\Roaming\scvhost.exe:Zone.Identifier
  MD5: bc949ea893a9384070c31f083ccefd26
  SHA1: cbb8391cb65c20e2c05a2f29211e55c49939c3db
  SHA256: 6bdf66b5bf2a44e658bea2ee86695ab150a06e600bf67cd5cce245ad54962c61
  SHA512: e4288e71070485637ec5825f510a7daa7e75ef6c71a1b755f51e1b0f2e58e5066837f58408ea74d75db42c49372c6027d433a869904fc5efaf4876dfcfde1287

- memory/300-61-0x0000000000000000-mapping.dmp
- memory/1696-68-0x0000000000000000-mapping.dmp
- memory/1768-60-0x0000000075D11000-0x0000000075D13000-memory.dmp (Filesize: 8KB)