Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 17:19

Behavioral task
- task: behavioral1
- sample: 2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe
- resource: win7-20231129-en
General
- Target: 2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe
- Size: 3.5MB
- MD5: a9e5109e14562508b2b2a03a60dc7202
- SHA1: bbe5b84d9d3ad7ca2fb34602182297f3ae669611
- SHA256: c62d65e49cda2653b185ba181c1ad775955e10f6550acde60562e90d35861045
- SHA512: 1e93b71a563e3f853f0a8d7ca83d32b147a058bb9dba4867cec31cce68a1d19357442b3684c10014be025570fef7e5b432d9ad007b915b0df9428390b2b718e4
- SSDEEP: 49152:XkLUJbzk8o21UsNT7I35W4AShA+SdhtkCu/BaC8UWF:X7XkkNpIJAkA+otSZax
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
  - netsh.exe, PID 756

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  - 2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe: key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation
- Drops startup file (2 IoCs)
  Processes:
  - svchost.exe: file created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\325ed1ae2a47f27cdcc228f42fff7da3.exe
  - svchost.exe: file opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\325ed1ae2a47f27cdcc228f42fff7da3.exe

- Executes dropped EXE (1 IoC)
  Processes:
  - svchost.exe, PID 4816

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - svchost.exe: set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\325ed1ae2a47f27cdcc228f42fff7da3 = "\"C:\\Windows\\svchost.exe\" .."
  - svchost.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\325ed1ae2a47f27cdcc228f42fff7da3 = "\"C:\\Windows\\svchost.exe\" .."
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)

- Drops autorun.inf file (1 TTP, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes:
  - svchost.exe: file created C:\autorun.inf
  - svchost.exe: file opened for modification C:\autorun.inf
  - svchost.exe: file created D:\autorun.inf
  - svchost.exe: file created F:\autorun.inf
  - svchost.exe: file opened for modification F:\autorun.inf

- Drops file in Windows directory (3 IoCs)
  Processes:
  - 2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe: file created C:\Windows\svchost.exe
  - 2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe: file opened for modification C:\Windows\svchost.exe
  - svchost.exe: file opened for modification C:\Windows\svchost.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (all svchost.exe, PID 4816):
  - Token: SeDebugPrivilege (1 entry)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 17 entries each

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 4788 (2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe) wrote to memory of PID 4816 (svchost.exe), 3 entries
  - PID 4816 (svchost.exe) wrote to memory of PID 756 (netsh.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe, PID 4788
  Command line: "C:\Users\Admin\AppData\Local\Temp\2168-37-0x0000000000EA0000-0x0000000001216000-memory.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\svchost.exe, PID 4816 (child of 4788)
    Command line: "C:\Windows\svchost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe, PID 756 (child of 4816)
      Command line: netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads
- C:\Windows\svchost.exe
  - Filesize: 896KB
  - MD5: ade6c287437bd9e0a19ac57b69152eed
  - SHA1: d400b88ad5ce5962e045ae052c520383195e0ddf
  - SHA256: 735abba65af7f5ec8ee311ec0c11d1f18fb5b78796d518e07d73966a038d111e
  - SHA512: b4187545f5d053b57d1209c020fe05109a85fc0465b8da0b1946af6ca619fd3dfc2ee7d10a6f8c36c21f08dc9db980f84c7400afa4b96f2a90b8bb6d71a52984
- C:\Windows\svchost.exe
  - Filesize: 2.0MB
  - MD5: f2e186c3ebc708a2a4f88ef637ee0e75
  - SHA1: 48fea8b368916053d348f10f54a8ef37f4f9d341
  - SHA256: 75bcd94b72aaf597ab1c1a6267c615a7b97b32f0fb50bd2d5e9f01564115acc4
  - SHA512: e30ef40f696155e1e720659e3b26844e34af7441f7b5f269c717f9eb7aa24dc3bb846bc0f0252b75ff093ec8f3979015a5ee5793a75dd3365f69b355df74a4ed
- C:\Windows\svchost.exe
  - Filesize: 733KB
  - MD5: 7de00bc378444e9621b4e21894d5a2f8
  - SHA1: 0ebd3adc3e12dcaaf6e06d59a4c8b2bb5736f559
  - SHA256: f7a57ea4472598bd9fb2e03e9388130246d45fb5f1a4c261f86aa50b10d27208
  - SHA512: 7599b4716daa17c4d0d01f52445f70df8d97bfafea3586f9b302eb0ab0121f31afe5ffa42093f03a05d78c9bf5efc88bbe307dd9717ccc7df53eec36cd0cefdc
- memory/4788-1-0x0000000001160000-0x0000000001170000-memory.dmp, Filesize: 64KB
- memory/4788-0-0x0000000074F90000-0x0000000075541000-memory.dmp, Filesize: 5.7MB
- memory/4788-2-0x0000000074F90000-0x0000000075541000-memory.dmp, Filesize: 5.7MB
- memory/4788-12-0x0000000074F90000-0x0000000075541000-memory.dmp, Filesize: 5.7MB
- memory/4816-13-0x0000000074F90000-0x0000000075541000-memory.dmp, Filesize: 5.7MB
- memory/4816-14-0x0000000074F90000-0x0000000075541000-memory.dmp, Filesize: 5.7MB
- memory/4816-24-0x0000000074F90000-0x0000000075541000-memory.dmp, Filesize: 5.7MB