Overview

Task scores (10 = most malicious), in the order the tasks are listed under Analysis below:
Static: 10
svchost.bin.exe, windows7_x64: 3
svchost.bin.exe, windows7_x64: 10
svchost.bin.exe, windows7_x64: 10
svchost.bin.exe, windows7_x64: 10
svchost.bin.exe, windows11_x64: 10
svchost.bin.exe, windows10_x64: 10
svchost.bin.exe, windows10_x64: 9
svchost.bin.exe, windows10_x64: no score shown
svchost.bin.exe, windows10_x64: 10
svchost.bin.exe, windows10_x64: 10
Analysis (score 10)
max time kernel: 1602s
max time network: 1758s
platform: windows10_x64
resource: win10-en
submitted: 04-09-2021 07:35
Tasks
static1: static task
behavioral1: svchost.bin.exe on win7-jp
behavioral2: svchost.bin.exe on win7-fr
behavioral3: svchost.bin.exe on win7-en
behavioral4: svchost.bin.exe on win7-de
behavioral5: svchost.bin.exe on win11
behavioral6: svchost.bin.exe on win10-en
behavioral7: svchost.bin.exe on win10-jp
behavioral8: svchost.bin.exe on win10-fr
behavioral9: svchost.bin.exe on win10-en
behavioral10: svchost.bin.exe on win10-de
General
Target: svchost.bin.exe
Size: 6.6MB
MD5: 2787bb2d1ab223f8ac2692f3a8fd85fc
SHA1: dc34ee4e46ddea333cdc90e4aad7589cb8ee1ea0
SHA256: 952e3e059251cd41e3c67006c5aa4b75fe3e6b0f18d96554b2d60d4ccfb78cb4
SHA512: d79bd7599ccb09fa72b939a506d04e28cb958e59c3987ab4d375e76337d5b1e33369d59397338aaeaf938c14ec9d93b20501d5224d151631c69c874d0657e9f3
Malware Config
Signatures

Grants admin privileges (1 TTP)
Sandbox description: uses net.exe to modify the user's privileges. The net.exe invocations actually recorded in this run (net localgroup administrators and net group "domain admins" /domain, see the process tree) only list group membership and do not add or change anything, so for this sample the signature is better read as local and domain administrator group discovery than as a privilege grant.

Loads dropped DLL (29 IoCs)
All 29 loads are by PID 3492 (svchost.bin.exe, the second instance of the sample).

Enumerates physical storage devices (1 TTP)
Sandbox description: attempts to interact with connected storage/optical drive(s), which the signature text calls likely ransomware behaviour. Nothing else recorded in this report supports that label; drive enumeration is equally common in reconnaissance and sandbox-evasion checks, so treat it as a weak indicator here.

Program crash (1 IoC)
PID 2212 WerFault.exe, target PID 832 (procid_target 89). The crashed process is the powershell.exe instance that imported m2.ps1.

Gathers network information (2 TTPs, 3 IoCs)
Uses command-line utilities to view network configuration:
PID 3800 ipconfig.exe
PID 2752 ipconfig.exe
PID 3172 netstat.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
PID 832 powershell.exe (3 events), PID 2212 WerFault.exe (15 events), PID 3492 svchost.bin.exe (2 events).

Suspicious use of AdjustPrivilegeToken (45 IoCs)
PID 4428 WMIC.exe enables the same set of 21 privileges twice (42 events): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege and the unnamed privilege LUIDs 33, 34, 35 and 36 (on current Windows these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege). WMIC.exe requests this block of privileges whenever it starts, so the list reflects the tool rather than the query, which was only wmic ntdomain get domainname.
PID 832 powershell.exe: SeDebugPrivilege
PID 2212 WerFault.exe: SeDebugPrivilege
PID 3172 netstat.exe: SeDebugPrivilege

Suspicious use of WriteProcessMemory (41 IoCs)
Source PID (image) -> target PID, number of writes, procid_target:
4728 svchost.bin.exe -> 3492, 3 writes, procid 76
3492 svchost.bin.exe -> 632, 3 writes, procid 78
632 cmd.exe -> 4428, 3 writes, procid 79
3492 svchost.bin.exe -> 4608, 3 writes, procid 82
4608 cmd.exe -> 4612, 3 writes, procid 83
4612 net.exe -> 4604, 3 writes, procid 84
3492 svchost.bin.exe -> 2456, 3 writes, procid 85
2456 cmd.exe -> 4144, 3 writes, procid 86
4144 net.exe -> 528, 3 writes, procid 87
3492 svchost.bin.exe -> 832, 2 writes, procid 89
3492 svchost.bin.exe -> 1320, 3 writes, procid 92
1320 cmd.exe -> 3800, 3 writes, procid 93
3492 svchost.bin.exe -> 2752, 3 writes, procid 94
3492 svchost.bin.exe -> 3172, 3 writes, procid 95
Every parent/child pair in the tree, including cmd.exe -> WMIC.exe and net.exe -> net1.exe, shows the same three writes, so that count is this sandbox's baseline for a parent initialising a child it has just created and is not evidence of injection on its own. What stands out is the first edge: the sample launched from Temp starts a second copy of itself (4728 -> 3492) and that child does all later work (the DLL loads and every discovery command). This is consistent with a loader or packer stage re-executing itself, but the report does not show what was written into the child.
Processes (indentation and the leading number give the depth in the tree; each entry lists image path, command line, triggered signatures and PID)

1. C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"
   Suspicious use of WriteProcessMemory
   PID 4728
   2. C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"
      Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID 3492
      3. C:\Windows\SysWOW64\cmd.exe
         cmdline: cmd /c wmic ntdomain get domainname
         Suspicious use of WriteProcessMemory
         PID 632
         4. C:\Windows\SysWOW64\Wbem\WMIC.exe
            cmdline: wmic ntdomain get domainname
            Suspicious use of AdjustPrivilegeToken
            PID 4428
      3. C:\Windows\SysWOW64\cmd.exe
         cmdline: cmd /c net localgroup administrators
         Suspicious use of WriteProcessMemory
         PID 4608
         4. C:\Windows\SysWOW64\net.exe
            cmdline: net localgroup administrators
            Suspicious use of WriteProcessMemory
            PID 4612
            5. C:\Windows\SysWOW64\net1.exe
               cmdline: C:\Windows\system32\net1 localgroup administrators
               PID 4604
      3. C:\Windows\SysWOW64\cmd.exe
         cmdline: cmd /c net group "domain admins" /domain
         Suspicious use of WriteProcessMemory
         PID 2456
         4. C:\Windows\SysWOW64\net.exe
            cmdline: net group "domain admins" /domain
            Suspicious use of WriteProcessMemory
            PID 4144
            5. C:\Windows\SysWOW64\net1.exe
               cmdline: C:\Windows\system32\net1 group "domain admins" /domain
               PID 528
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         cmdline: C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
         Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
         PID 832
         4. C:\Windows\system32\WerFault.exe
            cmdline: C:\Windows\system32\WerFault.exe -u -p 832 -s 1932
            Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            PID 2212
      3. C:\Windows\SysWOW64\cmd.exe
         cmdline: C:\Windows\system32\cmd.exe /c ipconfig /all
         Suspicious use of WriteProcessMemory
         PID 1320
         4. C:\Windows\SysWOW64\ipconfig.exe
            cmdline: ipconfig /all
            Gathers network information
            PID 3800
      3. C:\Windows\SysWOW64\ipconfig.exe
         cmdline: ipconfig /all
         Gathers network information
         PID 2752
      3. C:\Windows\SysWOW64\netstat.exe
         cmdline: netstat -na
         Gathers network information; Suspicious use of AdjustPrivilegeToken
         PID 3172

Two details of the tree are worth noting. The sample is 32-bit (all of its helpers resolve to SysWOW64), yet it starts PowerShell through the C:\Windows\SysNative alias, which bypasses WOW64 file-system redirection and yields the 64-bit powershell.exe under System32; that instance loads m2.ps1 from the same Temp directory as the sample and then crashes (WerFault.exe -p 832). Everything else the second svchost.bin.exe instance does is host and domain reconnaissance: domain name via WMIC, local administrators, domain admins, IP configuration twice, and listening/established connections via netstat -na.
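The discovery chain above (wmic ntdomain, net localgroup and net group, ipconfig /all, netstat -na, all launched by the second svchost.bin.exe instance), the system-binary-like file name running from Temp, and the -exec bypass PowerShell are what a detection engineer would want to catch from process-creation telemetry. The Python below is an added example, not part of this report or of any sandbox. It runs three checks over constructed Sysmon-style events that mirror this tree: the pid 900/5000/5001 control rows, the ATT&CK labels, the pass-through wrapper list and the three-technique threshold are the example's own assumptions. Each discovery command is attributed to the nearest ancestor that is not cmd.exe or net.exe, so the cmd -> net -> net1 chains count once against PID 3492 rather than inflating the score.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed process-creation events (pid, ppid, image, command line) modelled
# on the process tree in this report, plus a benign cmd.exe -> ipconfig pair
# under an unrelated parent (pid 900) as a control. Not sandbox output.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\svchost.bin.exe"
EVENTS = [
    (4728, 1000, SAMPLE, f'"{SAMPLE}"'),
    (3492, 4728, SAMPLE, f'"{SAMPLE}"'),
    (632, 3492, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c wmic ntdomain get domainname"),
    (4428, 632, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic ntdomain get domainname"),
    (4608, 3492, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c net localgroup administrators"),
    (4612, 4608, r"C:\Windows\SysWOW64\net.exe", "net localgroup administrators"),
    (4604, 4612, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 localgroup administrators"),
    (2456, 3492, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c net group "domain admins" /domain'),
    (4144, 2456, r"C:\Windows\SysWOW64\net.exe", 'net group "domain admins" /domain'),
    (832, 3492, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     rf'C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module {TEMP}\m2.ps1"'),
    (1320, 3492, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c ipconfig /all"),
    (3800, 1320, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    (2752, 3492, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    (3172, 3492, r"C:\Windows\SysWOW64\netstat.exe", "netstat -na"),
    (5000, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe"),            # control
    (5001, 5000, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),  # control
]

# Discovery commands seen in the report, with the ATT&CK technique each maps to (assumed labels).
DISCOVERY = [
    (r"\bwmic\b.*\bntdomain\b", "T1482 domain trust discovery (wmic ntdomain)"),
    (r"\bnet1?\b.*\blocalgroup\b.*\badministrators\b", "T1069.001 local group discovery"),
    (r"\bnet1?\b.*\bgroup\b.*domain admins", "T1069.002 domain group discovery"),
    (r"\bipconfig\b.*/all", "T1016 network configuration discovery"),
    (r"\bnetstat\b", "T1049 network connection discovery"),
]
PASSTHROUGH = {"cmd.exe", "net.exe"}          # wrappers looked through when attributing a command
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_STEMS = {"svchost", "lsass", "csrss", "winlogon", "services", "wininit", "smss"}
MIN_TECHNIQUES = 3                             # distinct discovery techniques per origin before alerting


def basename(image):
    return PureWindowsPath(image).name.lower()


def origin_of(pid, by_pid):
    """Walk up from pid (inclusive) to the nearest ancestor that is not a pass-through wrapper."""
    seen = set()
    while pid in by_pid and pid not in seen and basename(by_pid[pid][2]) in PASSTHROUGH:
        seen.add(pid)
        pid = by_pid[pid][1]
    return pid


def analyze(events):
    """Return (pid, finding, detail) tuples for masquerading, policy-bypass PowerShell and discovery bursts."""
    by_pid = {e[0]: e for e in events}
    techniques = defaultdict(set)      # origin pid -> distinct discovery techniques attributed to it
    findings = []
    for pid, ppid, image, cmdline in events:
        name = basename(image)
        parent_dir = str(PureWindowsPath(image).parent).lower()
        # 1. A file named like a core system binary that does not live in System32/SysWOW64.
        if name.split(".")[0] in SYSTEM_STEMS and parent_dir not in SYSTEM_DIRS:
            findings.append((pid, "masquerade", f"{name} running from {parent_dir}"))
        # 2. PowerShell with the execution policy bypassed, loading something from the user's Temp.
        if name == "powershell.exe" and re.search(r"(?:-exec(?:utionpolicy)?|-ep)\s+bypass", cmdline, re.I) \
                and re.search(r"\\appdata\\local\\temp\\", cmdline, re.I):
            findings.append((pid, "powershell-bypass", "execution policy bypassed to load a script from Temp"))
        # 3. Discovery commands, credited to the originating process above any cmd/net wrappers.
        for pattern, label in DISCOVERY:
            if re.search(pattern, cmdline, re.I):
                techniques[origin_of(ppid, by_pid)].add(label)
    for origin, labels in sorted(techniques.items()):
        if len(labels) >= MIN_TECHNIQUES:
            findings.append((origin, "discovery-burst", tuple(sorted(labels))))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in analyze(EVENTS):
        print(f"pid {pid:>5}  {kind:<17} {detail}")
```

On the constructed events this reports both svchost.bin.exe instances as masquerading, PID 832 for the policy bypass, and a single discovery burst of five techniques against PID 3492; the control pair under PID 900 contributes one technique and stays below the threshold. The wrapper list is deliberately short: looking through cmd.exe and net.exe is what keeps the report's three-level chains from being counted as three separate origins, while anything else (a script host, a browser, the sample itself) is treated as the responsible process.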