Analysis
-
max time kernel
126s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 03:42
Static task
static1
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win7-20231129-en
General
-
Target
svchost.exe
-
Size
749KB
-
MD5
a6479dae68115fad0a37c5fb33becf99
-
SHA1
398663b27c9297a884c800aa64916c976638a036
-
SHA256
441e25c74a8c10b804e0c7f2ffa803b1055c8cddec79e7d70270efb4857e18eb
-
SHA512
aa3dc1b98aa53708a2b9834fb3dc0585ae5deffa168fe65d2aff3d80f4b0849c41d3cbd37e306ac6bfbfe5689e8c625828c93453fd21d5f7ecc0b16ad85f7452
-
SSDEEP
12288:Cv2E2CrJF9srANfrX8QoN2e9YxzKapgg3e8SIa+9j8CfL6qd8kAXDbvDYD:jE2CrJdNfjrfJ+aX3e8DaOj8wL6e
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
lsass.exepid process 2696 lsass.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 5 IoCs
Processes:
svchost.exedescription ioc process File created C:\Program Files\Microsoft Office\Office14\6203df4a6bafc7 svchost.exe File created C:\Program Files\Windows Journal\explorer.exe svchost.exe File opened for modification C:\Program Files\Windows Journal\explorer.exe svchost.exe File created C:\Program Files\Windows Journal\7a0fd90576e088 svchost.exe File created C:\Program Files\Microsoft Office\Office14\lsass.exe svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
svchost.exepid process 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe 952 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
lsass.exepid process 2696 lsass.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
svchost.exelsass.exedescription pid process Token: SeDebugPrivilege 952 svchost.exe Token: SeDebugPrivilege 2696 lsass.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
svchost.execmd.exedescription pid process target process PID 952 wrote to memory of 2908 952 svchost.exe cmd.exe PID 952 wrote to memory of 2908 952 svchost.exe cmd.exe PID 952 wrote to memory of 2908 952 svchost.exe cmd.exe PID 2908 wrote to memory of 2576 2908 cmd.exe chcp.com PID 2908 wrote to memory of 2576 2908 cmd.exe chcp.com PID 2908 wrote to memory of 2576 2908 cmd.exe chcp.com PID 2908 wrote to memory of 2580 2908 cmd.exe PING.EXE PID 2908 wrote to memory of 2580 2908 cmd.exe PING.EXE PID 2908 wrote to memory of 2580 2908 cmd.exe PING.EXE PID 2908 wrote to memory of 2696 2908 cmd.exe lsass.exe PID 2908 wrote to memory of 2696 2908 cmd.exe lsass.exe PID 2908 wrote to memory of 2696 2908 cmd.exe lsass.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ALa1osXjCG.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2576
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
PID:2580 -
C:\Program Files\Microsoft Office\Office14\lsass.exe"C:\Program Files\Microsoft Office\Office14\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2696
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exeFilesize
749KB
MD5a6479dae68115fad0a37c5fb33becf99
SHA1398663b27c9297a884c800aa64916c976638a036
SHA256441e25c74a8c10b804e0c7f2ffa803b1055c8cddec79e7d70270efb4857e18eb
SHA512aa3dc1b98aa53708a2b9834fb3dc0585ae5deffa168fe65d2aff3d80f4b0849c41d3cbd37e306ac6bfbfe5689e8c625828c93453fd21d5f7ecc0b16ad85f7452
-
C:\Users\Admin\AppData\Local\Temp\ALa1osXjCG.batFilesize
180B
MD5edcc387495152daf25bd4904d04f209c
SHA165a8993019669007da21d48bf88e8906a55692a3
SHA256ef60c89c2415929cabdb0f525833220cf813bf9249a6655bc8d22ff9061c1e72
SHA512a078e955d3c7aee897f8591383f3aab4e3462b965395aea44e0a74519982ddb436205348194576b6656138a6555fd3d688682686fba0e2f5a13c103a7dd7b2e9
-
memory/952-4-0x000000001B0E0000-0x000000001B160000-memory.dmpFilesize
512KB
-
memory/952-13-0x0000000077600000-0x0000000077601000-memory.dmpFilesize
4KB
-
memory/952-0-0x0000000001280000-0x0000000001342000-memory.dmpFilesize
776KB
-
memory/952-6-0x0000000000C80000-0x0000000000C8E000-memory.dmpFilesize
56KB
-
memory/952-7-0x0000000077620000-0x0000000077621000-memory.dmpFilesize
4KB
-
memory/952-9-0x0000000000CB0000-0x0000000000CCC000-memory.dmpFilesize
112KB
-
memory/952-10-0x0000000077610000-0x0000000077611000-memory.dmpFilesize
4KB
-
memory/952-2-0x0000000000A10000-0x0000000000ACE000-memory.dmpFilesize
760KB
-
memory/952-12-0x0000000000D60000-0x0000000000D78000-memory.dmpFilesize
96KB
-
memory/952-3-0x0000000077850000-0x00000000779F9000-memory.dmpFilesize
1.7MB
-
memory/952-1-0x000007FEF5B80000-0x000007FEF656C000-memory.dmpFilesize
9.9MB
-
memory/952-29-0x000007FEF5B80000-0x000007FEF656C000-memory.dmpFilesize
9.9MB
-
memory/952-31-0x0000000077850000-0x00000000779F9000-memory.dmpFilesize
1.7MB
-
memory/2696-35-0x0000000001150000-0x0000000001212000-memory.dmpFilesize
776KB