Overview

overview

8

Static

static

3

svchost_du...py.exe

windows7-x64

8

svchost_du...py.exe

windows10-1703-x64

8

svchost_du...py.exe

windows10-2004-x64

8

svchost_du...py.exe

windows11-21h2-x64

8

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-04-2024 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1472
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:4696
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2012
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:3652
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:3272
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4992
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:4476
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:4776
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4360
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3576

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      6d3e9c29fe44e90aae6ed30ccf799ca8

      SHA1

      c7974ef72264bbdf13a2793ccf1aed11bc565dce

      SHA256

      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

      SHA512

      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      34f595487e6bfd1d11c7de88ee50356a

      SHA1

      4caad088c15766cc0fa1f42009260e9a02f953bb

      SHA256

      0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

      SHA512

      10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ontyievy.tny.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
      Filesize

      2.7MB

      MD5

      27acfbf94480631e547b5cb508d9d4fb

      SHA1

      f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

      SHA256

      0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

      SHA512

      902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
      Filesize

      5.9MB

      MD5

      0ca0ce644ff9308338e6871a63a95619

      SHA1

      39fcb5668f1208899d339995616691d259b97a07

      SHA256

      8f17b67b11c9aa5714959c944586a822d2cdd03504ab859370229d35055dfbf0

      SHA512

      bafc714753e7d2a62bf1129b65f25b0234d6cc0ba2e162efeea119f49d7661223a9b0724bc4b6c682dbf0a2d8cc8cffdf810488d0979709f9a7d3d1398fb01fe

      Download Submit

    • C:\Windows\System\svchost.exe
      Filesize

      5.2MB

      MD5

      5fd3d21a968f4b8a1577b5405ab1c36a

      SHA1

      710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

      SHA256

      7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

      SHA512

      085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

      Download Submit

    • memory/1508-41-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1508-0-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1508-16-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2012-31-0x00007FFA841D0000-0x00007FFA84C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2012-26-0x000001E624B10000-0x000001E624B20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2012-15-0x000001E624B10000-0x000001E624B20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2012-14-0x00007FFA841D0000-0x00007FFA84C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2016-28-0x00007FFA841D0000-0x00007FFA84C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2016-13-0x000001D2B32A0000-0x000001D2B32B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2016-12-0x000001D2B32A0000-0x000001D2B32B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2016-11-0x00007FFA841D0000-0x00007FFA84C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2016-6-0x000001D2B3250000-0x000001D2B3272000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2844-40-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2844-55-0x0000000140000000-0x0000000140636000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2844-73-0x0000000031C20000-0x0000000032102000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3576-56-0x00007FFA841D0000-0x00007FFA84C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3576-66-0x0000019C30C30000-0x0000019C30C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3576-67-0x0000019C30C30000-0x0000019C30C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3576-72-0x00007FFA841D0000-0x00007FFA84C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4360-69-0x00007FFA841D0000-0x00007FFA84C91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4360-44-0x0000024E221F0000-0x0000024E22200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4360-43-0x0000024E221F0000-0x0000024E22200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4360-42-0x00007FFA841D0000-0x00007FFA84C91000-memory.dmp

      Filesize

      10.8MB

      Download