7e615d6e77cac47e870af31dedd5e54deb422f65711e4bb09d7186a9efb2cf0f

Analysis

max time kernel
1800s
max time network
1801s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2023 15:25

Target

svchost.exe
Size

704KB
MD5

d2ec63b63e88ece47fbaab1ca22da1ef
SHA1

dd52fcc042a44a2af9e43c15a8e520b54128cdc8
SHA256

e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5
SHA512

89d9e63d5f3b34be3d25317933031815a42c039fbee30ce8c86f8b1b7c6ca9ccfc8731da99b9246381a2c05a95ada423f4944ff72111eb0451a44e9dcb3e053e
SSDEEP

12288:rue4X2Uz0DsetgxLdsCHvX8XYJWs6XS1bFLDw1P86jZpMV7uikFg:v+2UzSgxLdsCHmQb6XSbFLDs06jZulus

Score

7^/10

Drops startup file 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk svchost.exe
Drops desktop.ini file(s) 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini svchost.exe
File opened for modification C:\Windows\assembly\Desktop.ini svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	svchost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	svchost.exe
File opened for modification	C:\Windows\assembly	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 1656 svchost.exe
Token: 33 1656 svchost.exe
Token: SeIncBasePriorityPrivilege 1656 svchost.exe

description	pid	process
Token: SeDebugPrivilege	1656	svchost.exe
Token: 33	1656	svchost.exe
Token: SeIncBasePriorityPrivilege	1656	svchost.exe

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1656-0-0x00007FFA725E0000-0x00007FFA72F81000-memory.dmp

Filesize
9.6MB

Download
memory/1656-2-0x00007FFA725E0000-0x00007FFA72F81000-memory.dmp

Filesize
9.6MB

Download
memory/1656-1-0x000000001BB00000-0x000000001BFCE000-memory.dmp

Filesize
4.8MB

Download
memory/1656-3-0x000000001D0A0000-0x000000001D13C000-memory.dmp

Filesize
624KB

Download
memory/1656-4-0x000000001D1B0000-0x000000001D212000-memory.dmp

Filesize
392KB

Download
memory/1656-5-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/1656-6-0x000000001D5B0000-0x000000001D602000-memory.dmp

Filesize
328KB

Download
memory/1656-14-0x0000000002E40000-0x0000000003E40000-memory.dmp

Filesize
16.0MB

Download
memory/1656-15-0x00007FFA725E0000-0x00007FFA72F81000-memory.dmp

Filesize
9.6MB

Download
memory/1656-16-0x0000000002E40000-0x0000000003E40000-memory.dmp

Filesize
16.0MB

Download