Overview

overview

8

Static

static

3

svchost_du...py.exe

windows7-x64

8

svchost_du...py.exe

windows10-1703-x64

8

svchost_du...py.exe

windows10-2004-x64

8

svchost_du...py.exe

windows11-21h2-x64

8

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    599s
  • max time network
    605s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09-04-2024 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 25 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2472
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:2704
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:2104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2976
    • C:\Windows\system32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:2988
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:2284
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1492
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:676
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:584
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2144
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2240
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {E6B014F6-BAAD-4DDE-B6D9-483554F8D0B8} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1688
      • \??\c:\windows\system\svchost.exe
        c:\windows\system\svchost.exe
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Modifies data under HKEY_USERS
          PID:2696

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      751043a96d62b046d58a097551260634

      SHA1

      eb51ee80ef291e220c91ba2770cd4f4fa20845ad

      SHA256

      fa93f5bafb6a4a9c563cff952bc3f7894c86005f16d02a5e63d52c20776d6f05

      SHA512

      dac0e2619903c04363e372f694dd636bba934203af21a2e62d1b8d6f9b49350925a569c9323d31378d39ebae6ce085ffbf68414fb0e1e2c83ad81a307e78642a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      0302dfb348b7875b28f351aa6b983a90

      SHA1

      ca9bc34bff2c0acc6bf84becc34438826e3f45fe

      SHA256

      6148ff31fdc0aa9683ba7e7a1e1b52f6049caa7c93e7ba45cd2914a2a28c7679

      SHA512

      56901914b342f5e6c0f84c00478bbc8f4cf97b2798b39bb9479c40f30c5ad72d5c073fbf25068dfd11e41345acb25255f6bd13a5247918b32888a59d818e205b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
      Filesize

      2.6MB

      MD5

      9bae03d3dc0f5cfd40507ee03ba5a765

      SHA1

      bbb2ea791c2e53e615f7c4b17246b4d465e6a4fe

      SHA256

      ff1af3cc0eff747f5425287eea2910d8d69cd9d30af5a90a41a03a023bb0313f

      SHA512

      2263b74eefd835f92a085f1b35e156b79c37996b1976d6b93ad94cfce8454411131d4b3dc1d3d3cee175b37d05433f3061060023219d7d3da86e034e510b7b81

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
      Filesize

      5.9MB

      MD5

      d75d4155f55da61400b7d2d1df7e3918

      SHA1

      bf0872db85c9c3965c97a19b937ee8f1e5d8a40c

      SHA256

      f23b699355673d69291d76327b226d42c361b5063e02b83573b776952036763c

      SHA512

      6246ec06c2bd1bdac42f1fd69b0423dafd308ea8a594b4b54faf281a0e089dbc42a9ce62e46fcb662e49a39223bc0b747b7c6cc539c2957de0f0ee91871f381a

      Download Submit

    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit

    • \Windows\system\svchost.exe
      Filesize

      5.2MB

      MD5

      5fd3d21a968f4b8a1577b5405ab1c36a

      SHA1

      710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

      SHA256

      7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

      SHA512

      085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

      Download Submit

    • memory/1676-62-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1676-67-0x000000001EC50000-0x000000001F132000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1676-37-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1688-122-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1688-120-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1824-121-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2144-54-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2144-55-0x0000000002A30000-0x0000000002AB0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2144-51-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2144-53-0x0000000002A30000-0x0000000002AB0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2144-52-0x0000000001F40000-0x0000000001F48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2144-50-0x000000001B300000-0x000000001B5E2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2144-59-0x0000000002A30000-0x0000000002AB0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2144-63-0x0000000002A30000-0x0000000002AB0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2144-65-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2240-61-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2240-56-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2240-66-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2240-64-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2240-58-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2240-60-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2240-57-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-22-0x0000000002A70000-0x0000000002AF0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-21-0x0000000002A70000-0x0000000002AF0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-10-0x000000001B490000-0x000000001B772000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2524-12-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-13-0x0000000002A70000-0x0000000002AF0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-19-0x0000000002A70000-0x0000000002AF0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-14-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-25-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2956-36-0x0000000040900000-0x0000000040F36000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2956-34-0x0000000040900000-0x0000000040F36000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2956-0-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2956-23-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2956-38-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2976-18-0x0000000002570000-0x00000000025F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2976-17-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2976-16-0x0000000002570000-0x00000000025F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2976-15-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2976-24-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2976-20-0x0000000002570000-0x00000000025F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2976-11-0x0000000002410000-0x0000000002418000-memory.dmp

      Filesize

      32KB

      Download