Resubmissions
12-04-2024 13:32
240412-qtgfpsag84 812-04-2024 13:32
240412-qtc4aaag83 812-04-2024 13:32
240412-qtcshsag82 812-04-2024 13:32
240412-qtb6zsag79 812-04-2024 13:32
240412-qtbkfsdh4s 809-04-2024 05:34
240409-f9mmjsbc9t 809-04-2024 05:33
240409-f9bkaabc8w 809-04-2024 05:33
240409-f86n2abc71 809-04-2024 05:33
240409-f8wh3afh27 801-02-2024 11:29
240201-nlq9tsebck 10Analysis
-
max time kernel
300s -
max time network
305s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
12-04-2024 13:32
General
-
Target
svchost_dump_SCY - Copy.exe
-
Size
5.2MB
-
MD5
5fd3d21a968f4b8a1577b5405ab1c36a
-
SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
-
SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
-
SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
-
SSDEEP
98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Timer"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5b40635fab6f3ef987ba9c68f41427fce
SHA14917cc265414a055170e4e02ce07b86530072491
SHA256c88b1af52e758a397f08a8aff7ad1ad0a4be45a5cbdb0de822195b06bdcc70a7
SHA512eb9508d026d4b42b2ade74317a994647e99698aa8fb6080dc94360a07d20c69c0fd80c416556b247db84ae1ff1131636dfe8ddeddc59e1c95865228f92f1233f
-
Filesize
7KB
MD528f15c9facfbbb3f7ac6e47bbb7d21fc
SHA11aca8153a6fb86b02ba40c15224bf1c5bda67e4d
SHA2567e42ae8a420a3b47b5f438bf191e294861fdf6c96e9be44091c47ff20bd98cb6
SHA5124b2331b7f8926f5e5d55e26219ac77b1cf64f6a1e5066c298812b841b37d526eaa313d1ae168534c88350b3996e8cae0106fec1d51c561794890fa6d86a396af
-
Filesize
2.7MB
MD527acfbf94480631e547b5cb508d9d4fb
SHA1f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c
SHA2560fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e
SHA512902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929
-
Filesize
11.3MB
MD56fc7570dd20b0dc7c73e25f650ef09a2
SHA19ff963326fc4d5623182e5497b549870818f50b6
SHA256764e8c47cfc31233ce2e53fdf1a8b43d40638d23e7d92237c3a2c3914f87dd57
SHA5127ceed17a16a893c549bdb80f9e80af8887fe62fdeff9a420900439e86a664f65eb537196a51c4c43744c94b6724a156b8b1ea6c5991560219ee9b56c03387783
-
Filesize
5.2MB
MD55fd3d21a968f4b8a1577b5405ab1c36a
SHA1710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA2567ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
-
Filesize
6.2MB
-
Filesize
4.9MB
-
Filesize
6.2MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
12KB
-
Filesize
6.2MB
-
Filesize
6.2MB
-
Filesize
6.2MB
-
Filesize
6.2MB
-
Filesize
6.2MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
412KB
-
Filesize
12KB
-
Filesize
32KB
-
Filesize
12KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
2.9MB