Overview

overview

8

Static

static

3

svchost_du...py.exe

windows7-x64

8

svchost_du...py.exe

windows10-1703-x64

8

svchost_du...py.exe

windows10-2004-x64

8

svchost_du...py.exe

windows11-21h2-x64

8

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    275s
  • max time network
    301s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    09-04-2024 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2944
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:2800
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:2692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2260
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\system32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:924
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:2308
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1448
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:1084
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:2360
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2008
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1836

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      06f115459e4fa530989aaea221550a97

      SHA1

      bc025f3859373e3a674b1831af4cc5ef35cd59ce

      SHA256

      4a944298f7cd093e082bfb210524d1831974751a453b0c17abdccd80f865f65f

      SHA512

      ef1df74c90b22be28e104a83ab7f93e03440d56506a70cbd18e93000db784421edc58d468ec97612b365cd683b65b8e1fe6aa9f4f4693bdaf27f6794fb44f402

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
      Filesize

      2.7MB

      MD5

      277abb67ec3376d7c576732a62c39916

      SHA1

      70faa899ea7c8618289668813f04c69613fd6995

      SHA256

      62ce6ee974509a141b66d66c4dfe41565f9ba90f3d62cd286d7a08834f2b10d4

      SHA512

      f385313c49f7b153488f12be7ea04ed5c1220a85b7dc1382dcb862b8d5b155c5999971d3e8c7b37abdfcf8c2ff23f971a0a477a24f23ff8d08e2bcbe90f5021b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
      Filesize

      14.8MB

      MD5

      5d6be28658fdb01fc091080423662dea

      SHA1

      9383367722466034c00dcdca9643a35234b68a64

      SHA256

      d5e49a55468e2aab3f1fa8a44af938566494eede12a4c21944ab9fe6d71a03fb

      SHA512

      be15ae2cb866edbd3d3fca50e774f4bb03352b93b555a55606da2ac66497781d91f3c5b6e184136ea31bc805e7c851d188c527c4d6753fefa8f90f6901e378ba

      Download Submit

    • C:\Windows\system\svchost.exe
      Filesize

      5.2MB

      MD5

      5fd3d21a968f4b8a1577b5405ab1c36a

      SHA1

      710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

      SHA256

      7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

      SHA512

      085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

      Download Submit

    • memory/944-54-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/944-60-0x000000001EF60000-0x000000001F442000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/944-33-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1836-55-0x0000000002CB0000-0x0000000002D30000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1836-59-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1836-56-0x0000000002CB0000-0x0000000002D30000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1836-58-0x0000000002CBB000-0x0000000002D22000-memory.dmp

      Filesize

      412KB

      Download

    • memory/1836-57-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2008-47-0x0000000002B00000-0x0000000002B80000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2008-46-0x0000000002B00000-0x0000000002B80000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2008-53-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2008-40-0x000000001B680000-0x000000001B962000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2008-41-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2008-43-0x0000000002790000-0x0000000002798000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2008-42-0x0000000002B00000-0x0000000002B80000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2008-44-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2008-45-0x0000000002B00000-0x0000000002B80000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2260-14-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2260-12-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2260-5-0x000000001B690000-0x000000001B972000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2260-11-0x0000000002810000-0x0000000002818000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2260-21-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2260-20-0x00000000028B0000-0x0000000002930000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2260-19-0x00000000028B0000-0x0000000002930000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2260-13-0x00000000028B0000-0x0000000002930000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2328-18-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2328-0-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2328-34-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2328-31-0x0000000040D80000-0x00000000413B6000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2328-32-0x0000000040D80000-0x00000000413B6000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2596-16-0x0000000002E20000-0x0000000002EA0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2596-17-0x0000000002E24000-0x0000000002E27000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2596-15-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp

      Filesize

      9.6MB

      Download