Overview

overview

8

Static

static

3

svchost_du...py.exe

windows7-x64

8

svchost_du...py.exe

windows10-1703-x64

8

svchost_du...py.exe

windows10-2004-x64

8

svchost_du...py.exe

windows11-21h2-x64

8

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    1160s
  • max time network
    1172s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240319-en
  • resource tags

    arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-04-2024 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 6 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3180
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:3200
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:3972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3168
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:8
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:4296
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1060
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:332
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:1652
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4284
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4292
        • C:\Users\Admin\AppData\Local\Temp\~tl5D73.tmp
          C:\Users\Admin\AppData\Local\Temp\~tl5D73.tmp
          3⤵
          • Executes dropped EXE
          PID:4236
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
        2⤵
          PID:3264
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          2⤵
          • Modifies Windows Firewall
          PID:3740
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          2⤵
          • Modifies Windows Firewall
          PID:2164
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:2212
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:2364
        • C:\Windows\TEMP\~tl3A76.tmp
          C:\Windows\TEMP\~tl3A76.tmp
          2⤵
          • Executes dropped EXE
          PID:4876

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        627073ee3ca9676911bee35548eff2b8

        SHA1

        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

        SHA256

        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

        SHA512

        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3284cb698efa6fb773dc0eebd30a3214

        SHA1

        a1093d44f025e5ba9609e99a3fc5fce3723fd7f3

        SHA256

        22f6a7c20c96be4775bec28c377d98d91a160fb5dd3158083e4365286161a2aa

        SHA512

        af3ea3c69350087cd0e6768679ba7bdfff4c184b5bfe7abf9152aa161713c56c6dc86390543507580f9ae0a6103d26486dbe37330dbc78e172a966957ba43606

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        34e3230cb2131270db1af79fb3d57752

        SHA1

        21434dd7cf3c4624226b89f404fd7982825f8ac6

        SHA256

        0f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39

        SHA512

        3756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w5swiflf.o4j.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\~tl5D73.tmp
        Filesize

        385KB

        MD5

        e802c96760e48c5139995ffb2d891f90

        SHA1

        bba3d278c0eb1094a26e5d2f4c099ad685371578

        SHA256

        cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

        SHA512

        97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus
        Filesize

        2.6MB

        MD5

        9bae03d3dc0f5cfd40507ee03ba5a765

        SHA1

        bbb2ea791c2e53e615f7c4b17246b4d465e6a4fe

        SHA256

        ff1af3cc0eff747f5425287eea2910d8d69cd9d30af5a90a41a03a023bb0313f

        SHA512

        2263b74eefd835f92a085f1b35e156b79c37996b1976d6b93ad94cfce8454411131d4b3dc1d3d3cee175b37d05433f3061060023219d7d3da86e034e510b7b81

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
        Filesize

        8.2MB

        MD5

        5da0c8eff12049ac8906bd66fc1a18e2

        SHA1

        6ac3c5c73bbf8f53c30f376c0a7dc2d1a9d14353

        SHA256

        6049f8ab14c6079aed8af1e03a356ab7faa31deecce7f86b42a8b57e08329d00

        SHA512

        549c7eaaa5b9cabee59e023967ffa25aad69b91d471ddc5606905ed38b65e27c855b0990b9fcb20392e44b0f5392dbc7d7555cf331d92702e98949af620889b1

        Download Submit

      • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
        Filesize

        6.3MB

        MD5

        3e6ce4eeacdb569ea1a6935ac5e482dc

        SHA1

        7f211e26294fb8e3159844346af9227f36882ddf

        SHA256

        cad86b30af60993e71ca71eaa90fb8ce192d5769cc0508bac821801706f681ec

        SHA512

        cd55e8e84b43187e0d7f2da92afadf32049a998d0275e082d5b179ea9b75a3e8431ac946cb9b6ebf59f87dcfe57b7536ddae7e736460caacd63e57aaa783e952

        Download Submit

      • C:\Windows\System\svchost.exe
        Filesize

        5.2MB

        MD5

        5fd3d21a968f4b8a1577b5405ab1c36a

        SHA1

        710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

        SHA256

        7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

        SHA512

        085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

        Download Submit

      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        4KB

        MD5

        dbbd2d4458d7e8094846420da595dfc3

        SHA1

        267cb47b904f14a519d2bd73abfdb30e1a06e1a6

        SHA256

        e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

        SHA512

        480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

        Download Submit

      • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        f2dd68ab8e611f0143c6ad176f223ae9

        SHA1

        30f580175773f251a9572fe757de6eaef6844abc

        SHA256

        f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7

        SHA512

        f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

        Download Submit

      • memory/1124-130-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1124-133-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1124-189-0x000000002BCA0000-0x000000002C182000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/1124-250-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1380-42-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1380-55-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1380-127-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1380-74-0x0000000031C90000-0x0000000032172000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/1944-0-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1944-43-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1944-24-0x0000000140000000-0x0000000140636000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2016-33-0x00007FF8507D0000-0x00007FF851292000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2016-11-0x00000216A87F0000-0x00000216A8800000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2016-22-0x00000216A87F0000-0x00000216A8800000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2016-7-0x00000216A8900000-0x00000216A8922000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2016-10-0x00007FF8507D0000-0x00007FF851292000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2016-25-0x00000216A87F0000-0x00000216A8800000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2016-26-0x00000216A87F0000-0x00000216A8800000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2212-177-0x0000021AD5F40000-0x0000021AD5F5A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2212-153-0x0000021ABD320000-0x0000021ABD330000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2212-178-0x0000021AD5EF0000-0x0000021AD5EF8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2212-179-0x0000021AD5F20000-0x0000021AD5F26000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2212-164-0x0000021AD5CD0000-0x0000021AD5D83000-memory.dmp

        Filesize

        716KB

        Download

      • memory/2212-188-0x00007FF850FE0000-0x00007FF851AA2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2212-181-0x0000021ABD320000-0x0000021ABD330000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2212-163-0x00007FF430020000-0x00007FF430030000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2212-162-0x0000021AD5CB0000-0x0000021AD5CCC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2212-131-0x00007FF850FE0000-0x00007FF851AA2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2212-132-0x0000021ABD320000-0x0000021ABD330000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2364-176-0x0000026077480000-0x000002607748A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2364-134-0x00007FF850FE0000-0x00007FF851AA2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2364-135-0x0000026076D70000-0x0000026076D80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2364-174-0x00007FF48EF60000-0x00007FF48EF70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2364-152-0x0000026076D70000-0x0000026076D80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2364-187-0x00007FF850FE0000-0x00007FF851AA2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2364-175-0x00000260774A0000-0x00000260774BC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2364-180-0x00000260774D0000-0x00000260774DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2364-173-0x0000026077320000-0x000002607732A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3168-23-0x000002981DA80000-0x000002981DA90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3168-29-0x00007FF8507D0000-0x00007FF851292000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3168-21-0x000002981DA80000-0x000002981DA90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3168-20-0x00007FF8507D0000-0x00007FF851292000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4236-125-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4236-128-0x0000000140000000-0x000000014015E400-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4284-46-0x000001DA1AB30000-0x000001DA1AB40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4284-44-0x00007FF850640000-0x00007FF851102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4284-72-0x00007FF850640000-0x00007FF851102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4284-45-0x000001DA1AB30000-0x000001DA1AB40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4292-67-0x0000023B6D5A0000-0x0000023B6D5B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4292-56-0x00007FF850640000-0x00007FF851102000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4292-57-0x0000023B6D5A0000-0x0000023B6D5B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4292-68-0x0000023B6D5A0000-0x0000023B6D5B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4292-73-0x00007FF850640000-0x00007FF851102000-memory.dmp

        Filesize

        10.8MB

        Download