Overview

overview

7

Static

static

3

svchost.exe

windows7-x64

7

svchost.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    12-06-2023 07:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost.exe

  • Size

    3.0MB

  • MD5

    55363bf4d7dfa391a4ec21afea3187f3

  • SHA1

    37672a1d5150648ab7651b9290ebd68a68ef36ce

  • SHA256

    e1658d982758514877f382b0c5cfda1ce99720bd7aa707f36325981fe0a5a964

  • SHA512

    6190a784cfd1049b4854e9e87be47f134f7f5970100682fc2dd9064a1c1cd07d59f9ea4bb9dfc31dc58ee57fbb59c346168295fae7094bac8a80965495a13578

  • SSDEEP

    98304:8LfED1YNQ33vYz7KMelfsLdSFvfSKLHT:8Iks

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
        PID:364
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        2⤵
          PID:876
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:956
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:2016
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
          2⤵
            PID:1852
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {4592048F-6D6A-44BB-BCE5-C5A16118920C} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:832
            • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
              "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: SetClipboardViewer
              PID:836
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
              3⤵
                PID:1148
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:980
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
                  4⤵
                  • Creates scheduled task(s)
                  PID:1872
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
                3⤵
                  PID:1240
              • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
                C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
                2⤵
                • Executes dropped EXE
                PID:1888

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
              Filesize

              3.0MB

              MD5

              55363bf4d7dfa391a4ec21afea3187f3

              SHA1

              37672a1d5150648ab7651b9290ebd68a68ef36ce

              SHA256

              e1658d982758514877f382b0c5cfda1ce99720bd7aa707f36325981fe0a5a964

              SHA512

              6190a784cfd1049b4854e9e87be47f134f7f5970100682fc2dd9064a1c1cd07d59f9ea4bb9dfc31dc58ee57fbb59c346168295fae7094bac8a80965495a13578

              Download Submit

            • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
              Filesize

              3.0MB

              MD5

              55363bf4d7dfa391a4ec21afea3187f3

              SHA1

              37672a1d5150648ab7651b9290ebd68a68ef36ce

              SHA256

              e1658d982758514877f382b0c5cfda1ce99720bd7aa707f36325981fe0a5a964

              SHA512

              6190a784cfd1049b4854e9e87be47f134f7f5970100682fc2dd9064a1c1cd07d59f9ea4bb9dfc31dc58ee57fbb59c346168295fae7094bac8a80965495a13578

              Download Submit

            • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
              Filesize

              3.0MB

              MD5

              55363bf4d7dfa391a4ec21afea3187f3

              SHA1

              37672a1d5150648ab7651b9290ebd68a68ef36ce

              SHA256

              e1658d982758514877f382b0c5cfda1ce99720bd7aa707f36325981fe0a5a964

              SHA512

              6190a784cfd1049b4854e9e87be47f134f7f5970100682fc2dd9064a1c1cd07d59f9ea4bb9dfc31dc58ee57fbb59c346168295fae7094bac8a80965495a13578

              Download Submit

            • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
              Filesize

              3.0MB

              MD5

              55363bf4d7dfa391a4ec21afea3187f3

              SHA1

              37672a1d5150648ab7651b9290ebd68a68ef36ce

              SHA256

              e1658d982758514877f382b0c5cfda1ce99720bd7aa707f36325981fe0a5a964

              SHA512

              6190a784cfd1049b4854e9e87be47f134f7f5970100682fc2dd9064a1c1cd07d59f9ea4bb9dfc31dc58ee57fbb59c346168295fae7094bac8a80965495a13578

              Download Submit

            • memory/364-66-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/364-69-0x00000000008E0000-0x0000000000920000-memory.dmp

              Filesize

              256KB

              Download

            • memory/364-60-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/364-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/364-62-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/364-64-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/364-57-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/364-59-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/364-70-0x00000000008E0000-0x0000000000920000-memory.dmp

              Filesize

              256KB

              Download

            • memory/364-58-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/832-73-0x00000000010B0000-0x00000000013BC000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/836-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/836-85-0x0000000004B80000-0x0000000004BC0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2040-54-0x0000000000AD0000-0x0000000000DDC000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/2040-56-0x00000000044D0000-0x0000000004510000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2040-55-0x00000000044D0000-0x0000000004510000-memory.dmp

              Filesize

              256KB

              Download