Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-04-2024 23:17

General

  • Target

    svchost (2).exe

  • Size

    37KB

  • MD5

    4b35f87adde9db4df4775e739743c59c

  • SHA1

    fee7574a5f039051dcb2d63fa8cdf94e61558b35

  • SHA256

    7395078c587f6da109eaead4135c47967babf6ffb93509f0a15e60eedbc7f8f2

  • SHA512

    e144ffd9ffe089712465f1b89178e6804d4b3b8aec04e8b0b30d231797aef9d4c735acc8aab0c622e6873ef07095b259ef87fc70a4174dd07d578ed668a6260e

  • SSDEEP

    384:Ad8TgiG1CnZfursvO6ysz6jIvxATH2DirAF+rMRTyN/0L+EcoinblneHQM3epzXW:W8H5Wpsz6jIWD2GrM+rMRa8Nubl2t

Score
8/10

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost (2).exe
    "C:\Users\Admin\AppData\Local\Temp\svchost (2).exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:3880
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3f0 0x494
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    37KB

    MD5

    4b35f87adde9db4df4775e739743c59c

    SHA1

    fee7574a5f039051dcb2d63fa8cdf94e61558b35

    SHA256

    7395078c587f6da109eaead4135c47967babf6ffb93509f0a15e60eedbc7f8f2

    SHA512

    e144ffd9ffe089712465f1b89178e6804d4b3b8aec04e8b0b30d231797aef9d4c735acc8aab0c622e6873ef07095b259ef87fc70a4174dd07d578ed668a6260e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_AF9BB8FA83E244339D6854C1F8FD92E1.dat
    Filesize

    940B

    MD5

    7f005a1cb7bfd1a25f051608de8afae8

    SHA1

    1f5380979045d9299f5f1b09892356b387567f66

    SHA256

    2ebb12ae4fb2544e06647456ceb0d8c9ea1bc3b8c5f980cd581a9ff12d9758cb

    SHA512

    8a48e727599e1b7369cd38c4c67257c128ae538ce6b6504d74ae75ddf598edf318cd9f7e3d2940ab53eea6e81428159ae839e6d4f2a13842dc0537e4647fb05c

  • memory/1028-0-0x0000000074B90000-0x0000000075141000-memory.dmp
    Filesize

    5.7MB

  • memory/1028-1-0x0000000074B90000-0x0000000075141000-memory.dmp
    Filesize

    5.7MB

  • memory/1028-2-0x0000000000B80000-0x0000000000B90000-memory.dmp
    Filesize

    64KB

  • memory/1028-12-0x0000000074B90000-0x0000000075141000-memory.dmp
    Filesize

    5.7MB

  • memory/4868-13-0x0000000074B90000-0x0000000075141000-memory.dmp
    Filesize

    5.7MB

  • memory/4868-14-0x0000000074B90000-0x0000000075141000-memory.dmp
    Filesize

    5.7MB

  • memory/4868-15-0x0000000074B90000-0x0000000075141000-memory.dmp
    Filesize

    5.7MB