Analysis
- max time kernel: 109s
- max time network: 111s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 05-10-2021 18:44

Static task: static1
Behavioral task: behavioral1
- Sample: svchost.exe_.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: svchost.exe_.exe
- Resource: win10-en-20210920

General
- Target: svchost.exe_.exe
- Size: 2.8MB
- MD5: 9f3b563a15c52fc14740c08c02072953
- SHA1: 0e0fcb44567c9ef2ce82a1e00e734e1cad402372
- SHA256: b9318666f15be8c73f3014e7abaa6337e5ca53fe5263e2f5b64cd2ad435d21eb
- SHA512: 2224565155f127cb7353e1be06dbb47db74ed0c4bde989f2746470c9385558439299acfaa1375ee19adbec2ae0686c79ff7b30c580823bae3c2057fb7580038d
Malware Config
Signatures
- VKeylogger
  A keylogger first seen in Nov 2020.
- VKeylogger Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/856-88-0x0000000000080000-0x000000000008F000-memory.dmp | family_vkeylogger
  behavioral1/memory/456-94-0x00000000000C0000-0x00000000000CF000-memory.dmp | family_vkeylogger
- Executes dropped EXE (3 IoCs)
  pid | process
  1968 | dllhost.com
  1732 | dllhost.com
  856 | dllhost.com
- Deletes itself (1 IoCs)
  pid | process
  1732 | dllhost.com
- Loads dropped DLL (3 IoCs)
  pid | process
  1996 | cmd.exe
  1968 | dllhost.com
  1732 | dllhost.com
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | svchost.exe_.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | svchost.exe_.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsStartmemt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\dllhost.com" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Santa = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);" | explorer.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | target process
  PID 1732 set thread context of 856 | 1732 | dllhost.com | dllhost.com
  PID 856 set thread context of 456 | 856 | dllhost.com | explorer.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
- Runs ping.exe (1 TTPs, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | process
  1732 | dllhost.com (9 identical events)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | process
  856 | dllhost.com
  456 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1156 | tasklist.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | process
  456 | explorer.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | process
  456 | explorer.exe
- Suspicious use of WriteProcessMemory (54 IoCs)
  description | pid | process | target process | events
  PID 1028 wrote to memory of 880 | 1028 | svchost.exe_.exe | cmd.exe | 4
  PID 1028 wrote to memory of 1612 | 1028 | svchost.exe_.exe | cmd.exe | 4
  PID 1612 wrote to memory of 1808 | 1612 | cmd.exe | certutil.exe | 4
  PID 1612 wrote to memory of 1996 | 1612 | cmd.exe | cmd.exe | 4
  PID 1996 wrote to memory of 1156 | 1996 | cmd.exe | tasklist.exe | 4
  PID 1996 wrote to memory of 2024 | 1996 | cmd.exe | find.exe | 4
  PID 1996 wrote to memory of 1992 | 1996 | cmd.exe | PING.EXE | 4
  PID 1996 wrote to memory of 1980 | 1996 | cmd.exe | certutil.exe | 4
  PID 1996 wrote to memory of 1968 | 1996 | cmd.exe | dllhost.com | 4
  PID 1996 wrote to memory of 1284 | 1996 | cmd.exe | PING.EXE | 4
  PID 1968 wrote to memory of 1732 | 1968 | dllhost.com | dllhost.com | 4
  PID 1732 wrote to memory of 856 | 1732 | dllhost.com | dllhost.com | 6
  PID 856 wrote to memory of 456 | 856 | dllhost.com | explorer.exe | 4
Processes (process tree; each child is indented under its parent)

C:\Users\Admin\AppData\Local\Temp\svchost.exe_.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\svchost.exe_.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c QxfDpS
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c certutil -decode 85-32 50-91 & cmd < 50-91
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\certutil.exe
          cmdline: certutil -decode 85-32 50-91
        C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\tasklist.exe
              cmdline: tasklist /FI "IMAGENAME eq srvpost.exe"
              - Enumerates processes with tasklist
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\find.exe
              cmdline: find /I /N "srvpost.exe"
            C:\Windows\SysWOW64\PING.EXE
              cmdline: ping -n 1 zpbTWPYwB.zpbTWPYwB
              - Runs ping.exe
            C:\Windows\SysWOW64\certutil.exe
              cmdline: certutil -decode 3-31 T
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
              cmdline: dllhost.com T
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory
                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
                  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com T
                  - Executes dropped EXE
                  - Deletes itself
                  - Loads dropped DLL
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of WriteProcessMemory
                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
                      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
                      - Executes dropped EXE
                      - Suspicious use of SetThreadContext
                      - Suspicious behavior: MapViewOfSection
                      - Suspicious use of WriteProcessMemory
                        C:\Windows\SysWOW64\explorer.exe
                          cmdline: "C:\Windows\SysWOW64\explorer.exe"
                          - Adds Run key to start application
                          - Suspicious behavior: MapViewOfSection
                          - Suspicious use of FindShellTrayWindow
                          - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\PING.EXE
              cmdline: ping 127.0.0.1 -n 3
              - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3-31
  MD5: 86bc1d0fbee53b193deb1f2e471ebc9f
  SHA1: 77cf011c0a89a8b663d9862ba29fbd41cbe97f16
  SHA256: 653fbda407adeb1016be457df92742510473c42dc7a586b8064b6187d7baac9c
  SHA512: d2fa7f74388157bc2901418af9bfa884eda31bd48da99133f1c50817df3733ec89e02a05e3f1c16db45f8bd99cbb286fe17d698adebbb74225904377d62f3eee
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\50-91
  MD5: 2ff1c52353b2985dcac4364cdc3914ad
  SHA1: 92f4349bb063da88b05d56a204af88e48f8242a9
  SHA256: f5e645a7166a5feb796475fdd85459dc8ef6f683868e258b848a670cd7093eab
  SHA512: f03e21f251277740c1ca963831d4c97d652d6c768a8c83c45229deb477e74f04778c26af04737ae19c73bbbde2279f4e805b46c6bad128849d779daa6a59267c
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\59-97
  MD5: 7b573c98b3fd01b8dc83da2710f9ef53
  SHA1: 9dc46d49571ffa5fb70c87ac2aef11b4030146e3
  SHA256: dce1ce863077bd13852703df55c9185fa27bdd7defa9dce9a810ddf3c7751c64
  SHA512: 140dfabdbe289ee6df5319a73e94c44e96f5a4aff07cb173a45bfe3466c1f26503c3aa5f23e8999a123673c893563177d1e8247d69b4b2fad3c672052cabb17b
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7-7
  MD5: dc62bb2dac17453dd9356923780c0115
  SHA1: dc1ba5eab540eed3d1020b81fc19aebc31a3b040
  SHA256: d6330ace7072197e4c71e574bf9dcae932f9b65e452d5814a02b8ed55d9206e5
  SHA512: 87042702b8d4e22c8a362bc637aea944b7a45b947656ba295ff381517be58f9e04348b77ff797ae0f9bbda8bfd958879f65535d75a276dd0a20495af12a351e5
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\85-32
  MD5: 36ffffbb2dcbacac1ce1f666b6dc46be
  SHA1: ca7f1d4d489dfab21fb9b926601b66a5f5b05dcc
  SHA256: 1dd59f2a8795aab941c2195be74ed9c91b9a2e182db92cdf95479e504d2be7d5
  SHA512: 2072f94e5ee8234fb4e75a5c4742a8bcf74de34de93c30dacb74fd6b44baaecad45b90c6394171cae3158db86f479bf1ce92e4de35e8c35e62441e27fbf11901
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T
  MD5: 13bf07e459a6f2e594da96834a5bccd4
  SHA1: d52c69844327c3a11fe51c2c682f428a4e526c9b
  SHA256: 673b801bad16732e02e91ced7867f6fc4c26b113539800c69fcd2af846710214
  SHA512: edf3eaa1c4bf00a61a5f745036321d45a4440b2057129f6a452b11de761c43d9ca9505e779a91dff5cab4f86b98886f4b7c1a809512891c9039da02805eeef43
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
  MD5: 6044ba604bb80aa7d9ad6dbfd9cadaca
  SHA1: 8cc61cc5c9e5c1d038cee584bb61078fec757ada
  SHA256: 9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0
  SHA512: ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d
- \Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
  MD5: 6044ba604bb80aa7d9ad6dbfd9cadaca
  SHA1: 8cc61cc5c9e5c1d038cee584bb61078fec757ada
  SHA256: 9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0
  SHA512: ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d
- memory/456-93-0x0000000074EA1000-0x0000000074EA3000-memory.dmp (filesize 8KB)
- memory/456-94-0x00000000000C0000-0x00000000000CF000-memory.dmp (filesize 60KB)
- memory/456-91-0x00000000000C2E90-mapping.dmp
- memory/856-88-0x0000000000080000-0x000000000008F000-memory.dmp (filesize 60KB)
- memory/880-60-0x0000000000000000-mapping.dmp
- memory/1156-67-0x0000000000000000-mapping.dmp
- memory/1284-77-0x0000000000000000-mapping.dmp
- memory/1612-61-0x0000000000000000-mapping.dmp
- memory/1732-82-0x0000000000000000-mapping.dmp
- memory/1732-87-0x00000000001A0000-0x00000000001A1000-memory.dmp (filesize 4KB)
- memory/1808-63-0x0000000075801000-0x0000000075803000-memory.dmp (filesize 8KB)
- memory/1808-62-0x0000000000000000-mapping.dmp
- memory/1968-75-0x0000000000000000-mapping.dmp
- memory/1980-71-0x0000000000000000-mapping.dmp
- memory/1992-69-0x0000000000000000-mapping.dmp
- memory/1996-66-0x0000000000000000-mapping.dmp
- memory/2024-68-0x0000000000000000-mapping.dmp