Analysis
Max time kernel: 296s
Max time network: 306s
Platform: windows10-1703_x64
Resource: win10-20240404-en
Resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 12-04-2024 17:13

Static task: static1
Behavioral task: behavioral1
Sample: sccvhost.exe
Resource: win10-20240404-en
General
Target: sccvhost.exe
Size: 40KB
MD5: b0031898d56e40acd184e475fac4452a
SHA1: 2205d8183cc609a974c2bde8476d303cb280c9a5
SHA256: c52435aca4820212d60f1715d1a77ea8e5b69673bdbc1392b2441c0148a3e012
SHA512: 8ff1800a975a1a97204f727d4db3a3f32fa0d9d688465fa9eebc3377926dc7f76420d32623f41977be1aa8fbf0bdccff83171fcba359a919ae85c72db9c1d059
SSDEEP: 768:kBKLuVaHB2SZ93yrS3Y29WRskU9EIoz1QB6SYK1vrRjdFxY:kBKXerSInM9I1QozK1ljdFxY
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Process: $77sccvhost.exe
  Set value (int): \REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoC)
  YARA rule: family_stormkitty
  Resource: behavioral1/memory/4756-97-0x0000000000E90000-0x0000000000EBA000-memory.dmp
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: 4664 attrib.exe, 2436 attrib.exe
- Executes dropped EXE (1 IoC)
  Process: 4756 $77sccvhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: sccvhost.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\scvhost\\$77sccvhost.exe\""
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Modifies WinLogon (2 TTPs, 2 IoCs)
  Process: $77sccvhost.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Process: 3056 timeout.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Process: 4756 $77sccvhost.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes: 804 sccvhost.exe (15 hits), 4140 powershell.exe (3 hits), 4756 $77sccvhost.exe (2 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: 4756 $77sccvhost.exe
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  804 sccvhost.exe: SeDebugPrivilege
  4756 $77sccvhost.exe: SeDebugPrivilege
  4140 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  1584 AUDIODG.EXE: 33, SeIncBasePriorityPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: 4756 $77sccvhost.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Source process -> target process (each write recorded twice):
  804 sccvhost.exe -> 4664 attrib.exe
  804 sccvhost.exe -> 2436 attrib.exe
  804 sccvhost.exe -> 4900 cmd.exe
  4900 cmd.exe -> 3056 timeout.exe
  4900 cmd.exe -> 4756 $77sccvhost.exe
  4756 $77sccvhost.exe -> 3184 schtasks.exe
  4756 $77sccvhost.exe -> 1640 schtasks.exe
  4756 $77sccvhost.exe -> 216 schtasks.exe
  4756 $77sccvhost.exe -> 4140 powershell.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: 4664 attrib.exe, 2436 attrib.exe
Processes (indented by parent/child depth)
C:\Users\Admin\AppData\Local\Temp\sccvhost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sccvhost.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\attrib.exe
    Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\scvhost"
    - Sets file to hidden
    - Views/modifies file attributes
  C:\Windows\System32\attrib.exe
    Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\scvhost\$77sccvhost.exe"
    - Sets file to hidden
    - Views/modifies file attributes
  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD5FD.tmp.bat""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\scvhost\$77sccvhost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\scvhost\$77sccvhost.exe"
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Modifies WinLogon
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks.exe" /query /TN $77sccvhost.exe
      C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks.exe" /Create /SC ONCE /TN "$77sccvhost.exe" /TR "C:\Users\Admin\AppData\Roaming\scvhost\$77sccvhost.exe \"\$77sccvhost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        - Creates scheduled task(s)
      C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks.exe" /query /TN $77sccvhost.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x380
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4iipilh.s1n.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- C:\Users\Admin\AppData\Local\Temp\tmpD5FD.tmp.bat
  Filesize: 163B
  MD5: 0b820bab41583a8f3bec26180782a125
  SHA1: 273f3dc5b58470ae13aa0bfa5ac4e8b9ec2b94d2
  SHA256: 3dfd44528859057b0f70a1a6236a926f7115fcc075706cfab61566d62b986b78
  SHA512: 986695b512dfe6f5c9407e83d171678b63f2e9581f7cc50a3bc3df209d032346b4ab190ca561caf63766bb7746ac032211a7c73f4d3a9954e42450e0a57077cf
- C:\Users\Admin\AppData\Roaming\scvhost\$77sccvhost.exe (same hashes as the submitted sample, i.e. a copy of sccvhost.exe)
  Filesize: 40KB
  MD5: b0031898d56e40acd184e475fac4452a
  SHA1: 2205d8183cc609a974c2bde8476d303cb280c9a5
  SHA256: c52435aca4820212d60f1715d1a77ea8e5b69673bdbc1392b2441c0148a3e012
  SHA512: 8ff1800a975a1a97204f727d4db3a3f32fa0d9d688465fa9eebc3377926dc7f76420d32623f41977be1aa8fbf0bdccff83171fcba359a919ae85c72db9c1d059