Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 23:17
Behavioral task: behavioral1
- Sample: svchost (2).exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: svchost (2).exe
- Resource: win10v2004-20240412-en
General
- Target: svchost (2).exe
- Size: 37KB
- MD5: 4b35f87adde9db4df4775e739743c59c
- SHA1: fee7574a5f039051dcb2d63fa8cdf94e61558b35
- SHA256: 7395078c587f6da109eaead4135c47967babf6ffb93509f0a15e60eedbc7f8f2
- SHA512: e144ffd9ffe089712465f1b89178e6804d4b3b8aec04e8b0b30d231797aef9d4c735acc8aab0c622e6873ef07095b259ef87fc70a4174dd07d578ed668a6260e
- SSDEEP: 384:Ad8TgiG1CnZfursvO6ysz6jIvxATH2DirAF+rMRTyN/0L+EcoinblneHQM3epzXW:W8H5Wpsz6jIWD2GrM+rMRa8Nubl2t
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: pid 3880, netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: svchost (2).exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation (svchost (2).exe)
- Executes dropped EXE (1 IoC)
  Processes: pid 4868, svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svchost.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f6f9a84d017975575db803dfc5b5c146 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (svchost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f6f9a84d017975575db803dfc5b5c146 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 4868, svchost.exe (the same pid/process entry is recorded for each of the 64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 4868, svchost.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: svchost.exe, AUDIODG.EXE
  Token: SeDebugPrivilege, pid 4868 svchost.exe (first entry)
  Token: 33 and Token: SeIncBasePriorityPrivilege, pid 4868 svchost.exe (alternating pairs, repeated for the remainder of the run)
  Token: 33 and Token: SeIncBasePriorityPrivilege, pid 2436 AUDIODG.EXE (one pair, recorded between the svchost.exe entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: svchost (2).exe, svchost.exe
  PID 1028 svchost (2).exe wrote to memory of PID 4868 svchost.exe (3 entries)
  PID 4868 svchost.exe wrote to memory of PID 3880 netsh.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\svchost (2).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\svchost (2).exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (child process)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
      - Modifies Windows Firewall
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3f0 0x494
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 37KB
  MD5: 4b35f87adde9db4df4775e739743c59c
  SHA1: fee7574a5f039051dcb2d63fa8cdf94e61558b35
  SHA256: 7395078c587f6da109eaead4135c47967babf6ffb93509f0a15e60eedbc7f8f2
  SHA512: e144ffd9ffe089712465f1b89178e6804d4b3b8aec04e8b0b30d231797aef9d4c735acc8aab0c622e6873ef07095b259ef87fc70a4174dd07d578ed668a6260e
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_AF9BB8FA83E244339D6854C1F8FD92E1.dat
  Filesize: 940B
  MD5: 7f005a1cb7bfd1a25f051608de8afae8
  SHA1: 1f5380979045d9299f5f1b09892356b387567f66
  SHA256: 2ebb12ae4fb2544e06647456ceb0d8c9ea1bc3b8c5f980cd581a9ff12d9758cb
  SHA512: 8a48e727599e1b7369cd38c4c67257c128ae538ce6b6504d74ae75ddf598edf318cd9f7e3d2940ab53eea6e81428159ae839e6d4f2a13842dc0537e4647fb05c
- memory/1028-0-0x0000000074B90000-0x0000000075141000-memory.dmp (Filesize: 5.7MB)
- memory/1028-1-0x0000000074B90000-0x0000000075141000-memory.dmp (Filesize: 5.7MB)
- memory/1028-2-0x0000000000B80000-0x0000000000B90000-memory.dmp (Filesize: 64KB)
- memory/1028-12-0x0000000074B90000-0x0000000075141000-memory.dmp (Filesize: 5.7MB)
- memory/4868-13-0x0000000074B90000-0x0000000075141000-memory.dmp (Filesize: 5.7MB)
- memory/4868-14-0x0000000074B90000-0x0000000075141000-memory.dmp (Filesize: 5.7MB)
- memory/4868-15-0x0000000074B90000-0x0000000075141000-memory.dmp (Filesize: 5.7MB)