svchost[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

svchost.exe
Size

54KB
MD5

b7f884c1b74a263f746ee12a5f7c9f6a
SHA1

1bc5066ddf693fc034d6514618854e26a84fd0d1
SHA256

add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88
SHA512

299595b1f6c581f8dfbd620b9df04cf0bd628a80d39c9770549a49db4c8d14b11013e1b88d093d53393808061cd3f803ca5fc30a3a8496fcd8a1b044eb8ba059
SSDEEP

768:yCsmFHQ68l82s0GSNvJmEbcetbPamvK+mdGq3jXu2YCD8HVjQ9OQ1PQdMufiC9z3:y12HQC2s0GivbBti7bYRu9BP4Vz3

Score

1^/10

Malware Config

Signatures

Files

svchost.exe
.exe windows x64

247b9220e5d9b720a82b2c8b5069ad69

Code Sign

33:00:00:03:6c:e5:7e:eb:5d:1c:c2:be:17:00:00:00:00:03:6c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

27-01-2022 19:31

Not After

26-01-2023 19:31

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

cb:fa:85:7c:a8:f9:bd:af:bf:b4:30:f0:ea:c7:35:60:99:e8:b0:81:2c:0e:f2:9a:85:a6:7d:0c:76:e3:f0:58
Signer

Actual PE Digest

cb:fa:85:7c:a8:f9:bd:af:bf:b4:30:f0:ea:c7:35:60:99:e8:b0:81:2c:0e:f2:9a:85:a6:7d:0c:76:e3:f0:58

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

07-02-2023 20:48
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

api-ms-win-core-crt-l2-1-0

_initterm
_initterm_e
__wgetmainargs
exit

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentThreadId
GetCurrentProcessId
OpenProcessToken
TerminateProcess
SetProcessAffinityUpdateMode
ExitProcess

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount64
GetTickCount

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetErrorMode
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-service-private-l1-1-3

I_RegisterSvchostNotificationCallback

api-ms-win-core-crt-l1-1-0

qsort_s
memcpy
memset
_wcsicmp

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
FreeLibrary
LoadLibraryExW

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc
HeapSetInformation

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
ReleaseSRWLockShared
AcquireSRWLockShared
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
EnterCriticalSection

api-ms-win-service-winsvc-l1-1-0

RegisterServiceCtrlHandlerW

api-ms-win-service-core-l1-1-0

SetServiceStatus
StartServiceCtrlDispatcherW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte
CompareStringOrdinal

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegQueryValueExW
RegDisablePredefinedCacheEx
RegOpenKeyExW
RegGetValueW
RegEnumKeyExW

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetCommandLineW

api-ms-win-core-processthreads-l1-1-1

SetProcessMitigationPolicy

api-ms-win-core-processthreads-l1-1-2

SetProtectedPolicy

rpcrt4

RpcServerUnregisterIf
I_RpcMapWin32Status
RpcMgmtSetServerStackSize
I_RpcServerDisableExceptionFilter
RpcServerUseProtseqEpW
RpcServerUnregisterIfEx
RpcMgmtStopServerListening
RpcServerListen
RpcMgmtWaitServerListen
RpcServerRegisterIf

api-ms-win-core-localization-l1-2-0

LCMapStringW

api-ms-win-security-base-l1-1-0

SetSecurityDescriptorGroup
SetSecurityDescriptorDacl
MakeAbsoluteSD
AddAccessAllowedAce
GetTokenInformation
GetLengthSid
InitializeAcl
SetSecurityDescriptorOwner
InitializeSecurityDescriptor

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventSetInformation
EventWriteTransfer

api-ms-win-crt-utility-l1-1-0

bsearch_s

api-ms-win-core-sidebyside-l1-1-0

ActivateActCtx
DeactivateActCtx
ReleaseActCtx
CreateActCtxW

api-ms-win-core-threadpool-private-l1-1-0

RegisterWaitForSingleObjectEx

ntdll

RtlQueryHeapInformation
TpAllocTimer
_vsnwprintf
EtwEventEnabled
TpReleaseWait
RtlNtStatusToDosErrorNoTeb
TpSetWait
TpAllocWait
EtwEventRegister
RtlUnhandledExceptionFilter
NtSetInformationProcess
RtlSetProcessIsCritical
TpSetTimerEx
TpSetTimer
RtlImageNtHeader
RtlValidSecurityDescriptor
NtQuerySystemInformation
RtlRunOnceExecuteOnce
RtlNtStatusToDosError
RtlFreeHeap
EtwEventWrite
TpReleaseTimer
RtlInitializeCriticalSection
RtlInitializeSid
RtlSubAuthoritySid
RtlGetDeviceFamilyInfoEnum
RtlReleaseSRWLockExclusive
RtlSubAuthorityCountSid
RtlAcquireSRWLockExclusive
RtlLengthRequiredSid
RtlDeriveCapabilitySidsFromName
RtlCopySid
TpWaitForTimer
RtlAllocateHeap

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 108B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

247b9220e5d9b720a82b2c8b5069ad69

Code Sign

33:00:00:03:6c:e5:7e:eb:5d:1c:c2:be:17:00:00:00:00:03:6cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

cb:fa:85:7c:a8:f9:bd:af:bf:b4:30:f0:ea:c7:35:60:99:e8:b0:81:2c:0e:f2:9a:85:a6:7d:0c:76:e3:f0:58Signer

Signature Validations

Verification

07-02-2023 20:48 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

api-ms-win-core-crt-l2-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-service-private-l1-1-3

api-ms-win-core-crt-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-processthreads-l1-1-2

rpcrt4

api-ms-win-core-localization-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

api-ms-win-core-threadpool-private-l1-1-0

ntdll

api-ms-win-core-heap-l2-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 14KB - Virtual size: 13KB

.data Size: 512B - Virtual size: 2KB

.pdata Size: 2KB - Virtual size: 1KB

.didat Size: 512B - Virtual size: 48B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 108B

33:00:00:03:6c:e5:7e:eb:5d:1c:c2:be:17:00:00:00:00:03:6c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

cb:fa:85:7c:a8:f9:bd:af:bf:b4:30:f0:ea:c7:35:60:99:e8:b0:81:2c:0e:f2:9a:85:a6:7d:0c:76:e3:f0:58
Signer

07-02-2023 20:48
Valid: false

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 14KB - Virtual size: 13KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 2KB - Virtual size: 1KB

.didat
Size: 512B - Virtual size: 48B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 108B