Analysis
- max time kernel: 143s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/08/2023, 18:01
Static task: static1
Behavioral task: behavioral1
- Sample: svchost/svchost.exe
- Resource: win7-20230824-en
Behavioral task: behavioral2
- Sample: svchost/svchost.exe
- Resource: win10v2004-20230703-en
General
- Target: svchost/svchost.exe
- Size: 268KB
- MD5: 43d08c0cf431e081e4b85515f8ed6e56
- SHA1: 980b13a9fbf712a80b45444dc63f9b95a8e2f4bc
- SHA256: 4f77019c9028fe94ff2995127578c40685b57ad4181cfd16c08a736e4a9cded2
- SHA512: 5d672c19aa02a09b8ecd5f59b421cb9399eca2a45982e0ef87e4fcedcacd67b200c8f9c6582e93c5285dcc2f5257e200d4e812c51ade165491986d36719a1293
- SSDEEP: 6144:Ta53bJhs0W69hd1MMdxPe9N9uA0Fu9TBAwzVgBxpyuDMk2kcVef+gKP3v:O1bjXFu9Tu8fd7/
Malware Config
Signatures
Sets file execution options in registry (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe (regedit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "mshta vbscript:msgbox(\"??????????!??????????!\",16,\"?????????\")(window.close)" (regedit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe (regedit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\debugger = "mshta vbscript:msgbox(\"??????????!??????????!\",16,\"?????????\")(window.close)" (regedit.exe)

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation (svchost.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation (WScript.exe)

Drops file in System32 directory (1 IoC)
- File opened for modification: C:\Windows\System32\1.vbs (cmd.exe)

Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\svchost.exe (cmd.exe)
- File opened for modification: C:\Windows\svchost.exe (cmd.exe)
- File opened for modification: C:\Windows\2\31.reg (cmd.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (3 IoCs)
- PID 2296 taskkill.exe
- PID 4260 taskkill.exe
- PID 4612 taskkill.exe

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings (cmd.exe)

Runs .reg file with regedit (1 IoC)
- PID 4336 regedit.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 4260 taskkill.exe
- Token: SeDebugPrivilege, PID 4612 taskkill.exe
- Token: SeDebugPrivilege, PID 2296 taskkill.exe

Suspicious use of WriteProcessMemory (14 IoCs)
- PID 2428 wrote to memory of 4552 (pid 2428, svchost.exe, procid_target 82)
- PID 2428 wrote to memory of 4552 (pid 2428, svchost.exe, procid_target 82)
- PID 4552 wrote to memory of 4336 (pid 4552, cmd.exe, procid_target 84)
- PID 4552 wrote to memory of 4336 (pid 4552, cmd.exe, procid_target 84)
- PID 4552 wrote to memory of 4260 (pid 4552, cmd.exe, procid_target 85)
- PID 4552 wrote to memory of 4260 (pid 4552, cmd.exe, procid_target 85)
- PID 4552 wrote to memory of 4612 (pid 4552, cmd.exe, procid_target 87)
- PID 4552 wrote to memory of 4612 (pid 4552, cmd.exe, procid_target 87)
- PID 4552 wrote to memory of 1832 (pid 4552, cmd.exe, procid_target 88)
- PID 4552 wrote to memory of 1832 (pid 4552, cmd.exe, procid_target 88)
- PID 1832 wrote to memory of 4416 (pid 1832, WScript.exe, procid_target 89)
- PID 1832 wrote to memory of 4416 (pid 1832, WScript.exe, procid_target 89)
- PID 4416 wrote to memory of 2296 (pid 4416, cmd.exe, procid_target 91)
- PID 4416 wrote to memory of 2296 (pid 4416, cmd.exe, procid_target 91)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\svchost\svchost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\svchost\svchost.exe"
  PID: 2428
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7474.tmp\7475.tmp\7476.bat C:\Users\Admin\AppData\Local\Temp\svchost\svchost.exe"
    PID: 4552
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\regedit.exe
      Command line: Regedit /s C:\Windows\2\31.reg
      PID: 4336
      - Sets file execution options in registry
      - Runs .reg file with regedit

    Level 3: C:\Windows\system32\taskkill.exe
      Command line: taskkill /f /im taskmgr.exe
      PID: 4260
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\system32\taskkill.exe
      Command line: taskkill /f /im perfmon.exe
      PID: 4612
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\System32\1.vbs"
      PID: 1832
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im explorer.exe
        PID: 4416
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\system32\taskkill.exe
          Command line: taskkill /f /im explorer.exe
          PID: 2296
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads