Analysis
-
max time kernel: 88s
max time network: 163s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 19-07-2022 14:46
Behavioral task: behavioral1
Sample: svchost.exe
Resource: win7-20220718-en
General
Target: svchost.exe
Size: 479KB
MD5: 4c6b01344809054252095695fe24aa5f
SHA1: d1571b19723ebb0def5a71b7d977ef4c5bdb66ab
SHA256: b20bdd03ad605edafccbed9cbf281d1fd370116dd07e335fc2f428e9efb2863b
SHA512: a26600e8233e90034a3a731246bdc634bc30478ea995c37317ef2e8139200f09446c4b78b500ffec5d7a84045790d0e80d20e4ba58cf28f0e4358f80e1db3af0
Malware Config
Extracted
family: asyncrat
version: 0.5.7B
botnet: Default
c2: secureyourdataarea1.duckdns.org:56390
mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_file: svchost.exe
install_folder: %AppData%
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | svchost.exe
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | svchost.exe
-
Neshta
Malware from the Neshta family injects itself into other files in order to spread and cause damage.
-
Async RAT payload 7 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2040-68-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/2040-69-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/2040-67-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/2040-70-0x000000000040C74E-mapping.dmp | asyncrat
behavioral1/memory/2040-73-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/2040-75-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/2040-81-0x00000000010B0000-0x00000000010D2000-memory.dmp | asyncrat
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes: svchost.exe, svchost.exe
pid | process
1716 | svchost.exe
2040 | svchost.exe
-
Loads dropped DLL 3 IoCs
Processes: svchost.exe, svchost.exe
pid | process
272 | svchost.exe
272 | svchost.exe
1716 | svchost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Windows security modification
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | svchost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: svchost.exe
description | pid | process | target process
PID 1716 set thread context of 2040 | 1716 | svchost.exe | svchost.exe
-
Drops file in Program Files directory 64 IoCs
Processes: svchost.exe
-
Drops file in Windows directory 1 IoCs
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Windows\svchost.com | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: powershell.exe
pid | process
972 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: svchost.exe, svchost.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 1716 | svchost.exe
Token: SeDebugPrivilege | 2040 | svchost.exe
Token: SeDebugPrivilege | 972 | powershell.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: svchost.exe, svchost.exe, svchost.exe
description | pid | process | target process | entries
PID 272 wrote to memory of 1716 | 272 | svchost.exe | svchost.exe | 4
PID 1716 wrote to memory of 2040 | 1716 | svchost.exe | svchost.exe | 9
PID 2040 wrote to memory of 972 | 2040 | svchost.exe | powershell.exe | 4
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 272
  C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1716
    C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
      command line: 0
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2040
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell" Get-MpPreference -verbose
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 972
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
Filesize: 438KB
MD5: 61f89c90f92b2579d100f2af29f8375b
SHA1: 94b645443699532b764963a6340dc2001de78146
SHA256: 531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512: fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize: 252KB
MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1: ec66cda99f44b62470c6930e5afda061579cde35
SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
Filesize: 438KB
MD5: 61f89c90f92b2579d100f2af29f8375b
SHA1: 94b645443699532b764963a6340dc2001de78146
SHA256: 531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512: fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
memory dump | Filesize
memory/272-54-0x0000000075DC1000-0x0000000075DC3000-memory.dmp | 8KB
memory/972-85-0x000000006E040000-0x000000006E5EB000-memory.dmp | 5.7MB
memory/972-84-0x000000006E040000-0x000000006E5EB000-memory.dmp | 5.7MB
memory/972-82-0x0000000000000000-mapping.dmp |
memory/1716-56-0x0000000000000000-mapping.dmp |
memory/1716-59-0x00000000010D0000-0x0000000001144000-memory.dmp | 464KB
memory/1716-62-0x0000000000AD0000-0x0000000000B0C000-memory.dmp | 240KB
memory/2040-65-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/2040-70-0x000000000040C74E-mapping.dmp |
memory/2040-64-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/2040-73-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/2040-75-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/2040-77-0x0000000000C90000-0x0000000000D0E000-memory.dmp | 504KB
memory/2040-78-0x0000000000620000-0x000000000062A000-memory.dmp | 40KB
memory/2040-79-0x0000000005F50000-0x0000000005FE0000-memory.dmp | 576KB
memory/2040-80-0x0000000005450000-0x00000000054B0000-memory.dmp | 384KB
memory/2040-81-0x00000000010B0000-0x00000000010D2000-memory.dmp | 136KB
memory/2040-67-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/2040-69-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/2040-68-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB