Overview

overview

8

Static

static

3

svchost_du...py.exe

windows7-x64

8

svchost_du...py.exe

windows10-1703-x64

8

svchost_du...py.exe

windows10-2004-x64

8

svchost_du...py.exe

windows11-21h2-x64

8

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    597s
  • max time network
    614s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-04-2024 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 6 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 10 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2476
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:1144
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:1676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:4944
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:4936
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:988
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1332
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:1192
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:1920
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4260
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4508
        • C:\Users\Admin\AppData\Local\Temp\~tl6F60.tmp
          C:\Users\Admin\AppData\Local\Temp\~tl6F60.tmp
          3⤵
          • Executes dropped EXE
          PID:3344
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:708
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
        2⤵
          PID:2020
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          2⤵
          • Modifies Windows Firewall
          PID:1408
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          2⤵
          • Modifies Windows Firewall
          PID:2356
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:1952
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:3740

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        627073ee3ca9676911bee35548eff2b8

        SHA1

        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

        SHA256

        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

        SHA512

        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        aa4f31835d07347297d35862c9045f4a

        SHA1

        83e728008935d30f98e5480fba4fbccf10cefb05

        SHA256

        99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

        SHA512

        ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        050567a067ffea4eb40fe2eefebdc1ee

        SHA1

        6e1fb2c7a7976e0724c532449e97722787a00fec

        SHA256

        3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

        SHA512

        341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tic3fei5.tkv.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\~tl6F60.tmp
        Filesize

        385KB

        MD5

        e802c96760e48c5139995ffb2d891f90

        SHA1

        bba3d278c0eb1094a26e5d2f4c099ad685371578

        SHA256

        cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

        SHA512

        97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus
        Filesize

        2.7MB

        MD5

        277abb67ec3376d7c576732a62c39916

        SHA1

        70faa899ea7c8618289668813f04c69613fd6995

        SHA256

        62ce6ee974509a141b66d66c4dfe41565f9ba90f3d62cd286d7a08834f2b10d4

        SHA512

        f385313c49f7b153488f12be7ea04ed5c1220a85b7dc1382dcb862b8d5b155c5999971d3e8c7b37abdfcf8c2ff23f971a0a477a24f23ff8d08e2bcbe90f5021b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
        Filesize

        6.5MB

        MD5

        96313abec4cdced9d3a5fe4e7f663c2d

        SHA1

        e9bd81dd2ee3db0e5fd42250b2f6daf5f3b187a3

        SHA256

        3602f8f699d5948f1dd37a7b8ffb31af1cb8cedc43c49155f201095a90fa7352

        SHA512

        13092c7c57a8a3db73e3420b74778bf0341b6aa11dcc838370f313ad6da9ab22f90b9d09248856650e696e5e5bf77cdc0cc06d974b94d743098d503a4dbf4f0f

        Download Submit

      • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp
        Filesize

        2.6MB

        MD5

        9bae03d3dc0f5cfd40507ee03ba5a765

        SHA1

        bbb2ea791c2e53e615f7c4b17246b4d465e6a4fe

        SHA256

        ff1af3cc0eff747f5425287eea2910d8d69cd9d30af5a90a41a03a023bb0313f

        SHA512

        2263b74eefd835f92a085f1b35e156b79c37996b1976d6b93ad94cfce8454411131d4b3dc1d3d3cee175b37d05433f3061060023219d7d3da86e034e510b7b81

        Download Submit

      • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
        Filesize

        5.9MB

        MD5

        3bb406e80a0aecf48a2caf20998902ca

        SHA1

        40990ee9b6d58f838c61d2868cf1115a9e3a24d3

        SHA256

        3a25f4222b7d3cf7e6fc023878491aa9704ab11da0de9dabfe42ae29c151bea3

        SHA512

        a1b343efc893d2c79c5aa4b702f93666de1c6393d08e7988ae1ca8a0547945af55791a595496e287fd47b6b4f249149cc2a6897bc2ac30cb33c57c4b6fb2495f

        Download Submit

      • C:\Windows\System\svchost.exe
        Filesize

        5.2MB

        MD5

        5fd3d21a968f4b8a1577b5405ab1c36a

        SHA1

        710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

        SHA256

        7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

        SHA512

        085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

        Download Submit

      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        4KB

        MD5

        dbbd2d4458d7e8094846420da595dfc3

        SHA1

        267cb47b904f14a519d2bd73abfdb30e1a06e1a6

        SHA256

        e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

        SHA512

        480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

        Download Submit

      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        f2dd68ab8e611f0143c6ad176f223ae9

        SHA1

        30f580175773f251a9572fe757de6eaef6844abc

        SHA256

        f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7

        SHA512

        f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

        Download Submit

      • memory/708-132-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/708-188-0x000000002BCA0000-0x000000002C182000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/988-41-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/988-54-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/988-127-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/988-75-0x00000000368E0000-0x0000000036DC2000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/1952-175-0x000001DFC3A10000-0x000001DFC3A2A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1952-172-0x00007FF40E570000-0x00007FF40E580000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1952-130-0x00007FF9BEFA0000-0x00007FF9BFA62000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1952-131-0x000001DFC33A0000-0x000001DFC33B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1952-177-0x000001DFC39F0000-0x000001DFC39F6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1952-183-0x00007FF9BEFA0000-0x00007FF9BFA62000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1952-179-0x000001DFC33A0000-0x000001DFC33B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2752-11-0x0000027CC2990000-0x0000027CC29A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2752-32-0x00007FF9BEAE0000-0x00007FF9BF5A2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-7-0x0000027CC2990000-0x0000027CC29A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2752-12-0x0000027CC2AF0000-0x0000027CC2B12000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2752-6-0x00007FF9BEAE0000-0x00007FF9BF5A2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2840-28-0x00007FF9BEAE0000-0x00007FF9BF5A2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2840-15-0x000001EA43920000-0x000001EA43930000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2840-25-0x000001EA43920000-0x000001EA43930000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2840-16-0x000001EA43920000-0x000001EA43930000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2840-14-0x00007FF9BEAE0000-0x00007FF9BF5A2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3344-128-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3344-125-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3740-176-0x00000201F4740000-0x00000201F4748000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3740-174-0x00000201F4730000-0x00000201F473A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3740-149-0x00007FF9BEFA0000-0x00007FF9BFA62000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3740-150-0x00000201DBB80000-0x00000201DBB90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3740-187-0x00007FF9BEFA0000-0x00007FF9BFA62000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3740-180-0x00000201DBB80000-0x00000201DBB90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3740-151-0x00000201DBB80000-0x00000201DBB90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3740-160-0x00000201F4400000-0x00000201F441C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3740-161-0x00000201F4420000-0x00000201F44D3000-memory.dmp

        Filesize

        716KB

        Download

      • memory/3740-162-0x00007FF4639B0000-0x00007FF4639C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3740-171-0x00000201F41F0000-0x00000201F41FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3740-178-0x00000201F4780000-0x00000201F478A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3740-173-0x00000201F4750000-0x00000201F476C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4260-73-0x00007FF9BE730000-0x00007FF9BF1F2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4260-68-0x000001A5270D0000-0x000001A5270E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4260-45-0x000001A5270D0000-0x000001A5270E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4260-67-0x000001A5270D0000-0x000001A5270E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4260-44-0x000001A5270D0000-0x000001A5270E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4260-43-0x00007FF9BE730000-0x00007FF9BF1F2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4508-74-0x00007FF9BE730000-0x00007FF9BF1F2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4508-56-0x0000020F21300000-0x0000020F21310000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4508-55-0x00007FF9BE730000-0x00007FF9BF1F2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4508-66-0x0000020F21300000-0x0000020F21310000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4508-69-0x0000020F21300000-0x0000020F21310000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4956-13-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4956-0-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4956-42-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download