Overview

overview

8

Static

static

3

svchost_du...py.exe

windows7-x64

8

svchost_du...py.exe

windows10-1703-x64

8

svchost_du...py.exe

windows10-2004-x64

8

svchost_du...py.exe

windows11-21h2-x64

8

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    12-04-2024 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:2452
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:2804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480
    • C:\Windows\system32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:2916
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:2256
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1640
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:2876
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:2128
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2840
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1964

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      3b0953ee0b28152960c6b6ff3b4503f8

      SHA1

      ae47f4921df180fa8d486c90ec795b4244939ae6

      SHA256

      694fd21fa8cb615e880c0481f3418df1032424d3162dd651b253eb9581822d23

      SHA512

      2480ee8cf4840d6152ad75c38af8db0afee0b252bdc4276d747b9968b0605fafb0bfcfacfdb408d456b14d2a5b1aa448ad061ae4c142969dfa85b2083110fe56

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GJ0TWNJIK4OKU32MOW40.temp
      Filesize

      7KB

      MD5

      fe8ccb00265d0a0137728484e192eaef

      SHA1

      353f36ded9f375d5296c150af1af864594bbbe64

      SHA256

      4542989a65bb31c7cb3ea324bcfad2bb0e376aa68eb6dcb868a787a19eae94e7

      SHA512

      dfaaf70ad353fbcccdc5ede5e18f6d4d82d215333fad7869979e4061e6f88127a0973371b95b48d75893676ee77b903b46a66ee240ca36098379935595942b8a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
      Filesize

      2.7MB

      MD5

      27acfbf94480631e547b5cb508d9d4fb

      SHA1

      f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

      SHA256

      0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

      SHA512

      902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
      Filesize

      6.7MB

      MD5

      6e8d8695953484d9248e03b1fac25be6

      SHA1

      4a81190e26dd79ce729d78f7efb31f0e1cf98f9a

      SHA256

      bd2cd17ebe9d6de1e9f1a08d97d267c2d345271713c588b1fe214e708eb530ef

      SHA512

      ccac59892759f303876c7c542847b2484583fc040f5185b8002480efd22c3a5d8340c8e0ea6646d1477a708f5a2206f62ef420c63c2b43b33e798bb3966d542c

      Download Submit

    • \Windows\system\svchost.exe
      Filesize

      5.2MB

      MD5

      5fd3d21a968f4b8a1577b5405ab1c36a

      SHA1

      710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

      SHA256

      7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

      SHA512

      085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

      Download Submit

    • memory/1392-0-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1392-25-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1392-38-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1392-36-0x000000001F160000-0x000000001F796000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1392-35-0x000000001F160000-0x000000001F796000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1820-63-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1820-37-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1820-64-0x000000001A000000-0x000000001A4E2000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1964-55-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1964-56-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1964-62-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1964-60-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1964-58-0x00000000028D0000-0x0000000002950000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2480-16-0x00000000026E0000-0x0000000002760000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2480-23-0x00000000026E0000-0x0000000002760000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2480-18-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2480-21-0x00000000026E0000-0x0000000002760000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2480-24-0x00000000026EB000-0x0000000002752000-memory.dmp

      Filesize

      412KB

      Download

    • memory/2480-10-0x000000001B1A0000-0x000000001B482000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2480-19-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2480-11-0x00000000024E0000-0x00000000024E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2480-15-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2660-12-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2660-22-0x000000000242B000-0x0000000002492000-memory.dmp

      Filesize

      412KB

      Download

    • memory/2660-14-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2660-13-0x0000000002420000-0x00000000024A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2660-17-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2660-20-0x0000000002424000-0x0000000002427000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2840-45-0x0000000001F40000-0x0000000001F48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2840-59-0x000000000248B000-0x00000000024F2000-memory.dmp

      Filesize

      412KB

      Download

    • memory/2840-57-0x0000000002484000-0x0000000002487000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2840-61-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2840-54-0x0000000002480000-0x0000000002500000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2840-53-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2840-47-0x0000000002480000-0x0000000002500000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2840-46-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2840-44-0x000000001B360000-0x000000001B642000-memory.dmp

      Filesize

      2.9MB

      Download