svchost[.]exe | Triage

Resubmissions

14/05/2023, 15:45

230514-s7ha9sef31 3

14/05/2023, 15:43

230514-s52bcscc73 3

Sharing

Copy URL Twitter E-mail

General

Target

svchost.exe
Size

3.0MB
MD5

a43db5461cd2eddd7a4e7d9ed7eed711
SHA1

788fdc9670a5c7113d20fa1fee6c6bfc36952753
SHA256

f6493faef3d521d3626d3099f860ab1565d5b80fa2edf5c720a528c5fab48526
SHA512

7306d9d4a009f17b74fb5abc866d9b3498d33159c0963632f3f2c2bd8b2d5e38cebe7c55f9faa78a1c027905e294d5132bc0823e14ae0763fcbcbd65244f9917
SSDEEP

49152:YErWbwqLED/x4k3Vnh7Iy9axOnlRgAQkWpqDEgCc:Yr69axKlRgJqDEgCc

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
svchost.exe

Files

svchost.exe
.exe windows x64

9d5e8eb9b1efcdd6768ff42ab840023b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

secur32

DeleteSecurityContext
EncryptMessage
ApplyControlToken
AcquireCredentialsHandleA
FreeCredentialsHandle
InitializeSecurityContextW
AcceptSecurityContext
FreeContextBuffer
DecryptMessage
QueryContextAttributesW

kernel32

GetProcAddress
TryAcquireSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockShared
GetCurrentProcess
GetSystemInfo
SetHandleInformation
GetCurrentProcessId
PostQueuedCompletionStatus
CreateIoCompletionPort
GetQueuedCompletionStatusEx
SetFileCompletionNotificationModes
Sleep
GetModuleHandleA
GetFileInformationByHandle
ReleaseMutex
FindClose
GetLastError
AddVectoredExceptionHandler
SetThreadStackGuarantee
GetCurrentThread
SwitchToThread
RtlCaptureContext
RtlLookupFunctionEntry
SetLastError
GetCurrentDirectoryW
GetEnvironmentVariableW
ReleaseSRWLockExclusive
WaitForSingleObject
QueryPerformanceCounter
QueryPerformanceFrequency
HeapAlloc
GetProcessHeap
HeapFree
HeapReAlloc
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
FindNextFileW
CreateFileW
DeviceIoControl
FindFirstFileW
GetFinalPathNameByHandleW
GetModuleHandleW
FormatMessageW
GetFullPathNameW
CreateThread
TlsGetValue
TlsSetValue
GetSystemTimeAsFileTime
GetConsoleMode
WriteConsoleW
CloseHandle
AcquireSRWLockExclusive
GetCurrentThreadId
InitializeSListHead
RtlVirtualUnwind
IsDebuggerPresent
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStdHandle

bcrypt

BCryptGenRandom

advapi32

RegCloseKey
RegQueryValueExW
RegOpenKeyExW
GetUserNameW
SystemFunction036

ws2_32

getpeername
shutdown
recv
send
setsockopt
WSAIoctl
bind
connect
getsockname
WSASend
ioctlsocket
closesocket
getaddrinfo
freeaddrinfo
WSAStartup
getsockopt
WSASocketW
WSAGetLastError
WSACleanup

crypt32

CertGetCertificateChain
CertFreeCertificateContext
CertDuplicateCertificateContext
CertDuplicateStore
CertCloseStore
CertOpenStore
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CertFreeCertificateChain
CertDuplicateCertificateChain
CertVerifyCertificateChainPolicy

ntdll

RtlNtStatusToDosError
NtDeviceIoControlFile
NtCancelIoFileEx
NtCreateFile

vcruntime140

memcpy
memcmp
memset
memmove
_CxxThrowException
__C_specific_handler
__current_exception
__current_exception_context
__CxxFrameHandler3

api-ms-win-crt-runtime-l1-1-0

_register_thread_local_exe_atexit_callback
_c_exit
_cexit
__p___argv
__p___argc
_initialize_onexit_table
_register_onexit_function
exit
_initterm_e
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_configure_narrow_argv
_set_app_type
_seh_filter_exe
terminate
_exit
_crt_atexit

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

_set_new_mode
free

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 977KB - Virtual size: 977KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 118KB - Virtual size: 118KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

9d5e8eb9b1efcdd6768ff42ab840023b

Headers

DLL Characteristics

File Characteristics

Imports

secur32

kernel32

bcrypt

advapi32

ws2_32

crypt32

ntdll

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.text Size: 1.9MB - Virtual size: 1.9MB

.rdata Size: 977KB - Virtual size: 977KB

.data Size: 12KB - Virtual size: 12KB

.pdata Size: 118KB - Virtual size: 118KB

.reloc Size: 18KB - Virtual size: 17KB

.text
Size: 1.9MB - Virtual size: 1.9MB

.rdata
Size: 977KB - Virtual size: 977KB

.data
Size: 12KB - Virtual size: 12KB

.pdata
Size: 118KB - Virtual size: 118KB

.reloc
Size: 18KB - Virtual size: 17KB