b0cf99edf8af0ae79fa70a46fd38f03fea4146067ab41e9aea100aa4c96a2d38

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

283KB
MD5

820999a17f6c2b1d67b4d81db8a9be4a
SHA1

db2349dde07e3bc8ecd9ef8704be7fe8d923a587
SHA256

b0cf99edf8af0ae79fa70a46fd38f03fea4146067ab41e9aea100aa4c96a2d38
SHA512

211433be1d58b14c7f7d229a27607716b3f6db94aeeb054888d48f167b7ad0a996c5ccf413ff6b2857545a2f4b178d883e97ebbff0bcf4d6caa350dcabc746bb
SSDEEP

6144:Aj12paTknvnpNjsxpwcG+eYkmlynjsETa4HXueA1qDf0eTL2gFK:i2pbvCtGvYkm1ETx3ueAADTag

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2984	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b186bd30a9f87b8492726112c5cb4ad.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b186bd30a9f87b8492726112c5cb4ad.exe	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6b186bd30a9f87b8492726112c5cb4ad = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6b186bd30a9f87b8492726112c5cb4ad = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe
Token: 33	1668	svchost.exe
Token: SeIncBasePriorityPrivilege	1668	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2984	1668	svchost.exe	84
PID 1668 wrote to memory of 2984	1668	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SYSTEM32\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b186bd30a9f87b8492726112c5cb4ad.exe

Filesize
283KB

MD5
820999a17f6c2b1d67b4d81db8a9be4a

SHA1
db2349dde07e3bc8ecd9ef8704be7fe8d923a587

SHA256
b0cf99edf8af0ae79fa70a46fd38f03fea4146067ab41e9aea100aa4c96a2d38

SHA512
211433be1d58b14c7f7d229a27607716b3f6db94aeeb054888d48f167b7ad0a996c5ccf413ff6b2857545a2f4b178d883e97ebbff0bcf4d6caa350dcabc746bb

Download Submit
memory/1668-133-0x0000000000140000-0x000000000018C000-memory.dmp

Filesize
304KB

Download
memory/1668-134-0x000000001B3C0000-0x000000001B466000-memory.dmp

Filesize
664KB

Download
memory/1668-135-0x0000000002560000-0x000000000256E000-memory.dmp

Filesize
56KB

Download
memory/1668-136-0x000000001D4D0000-0x000000001D99E000-memory.dmp

Filesize
4.8MB

Download
memory/1668-139-0x000000001DB40000-0x000000001DBDC000-memory.dmp

Filesize
624KB

Download
memory/1668-140-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download