Analysis
-
max time kernel
129s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 16:42
Static task
static1
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
svchost.exe
Resource
win10v2004-20240419-en
General
-
Target
svchost.exe
-
Size
749KB
-
MD5
a6479dae68115fad0a37c5fb33becf99
-
SHA1
398663b27c9297a884c800aa64916c976638a036
-
SHA256
441e25c74a8c10b804e0c7f2ffa803b1055c8cddec79e7d70270efb4857e18eb
-
SHA512
aa3dc1b98aa53708a2b9834fb3dc0585ae5deffa168fe65d2aff3d80f4b0849c41d3cbd37e306ac6bfbfe5689e8c625828c93453fd21d5f7ecc0b16ad85f7452
-
SSDEEP
12288:Cv2E2CrJF9srANfrX8QoN2e9YxzKapgg3e8SIa+9j8CfL6qd8kAXDbvDYD:jE2CrJdNfjrfJ+aX3e8DaOj8wL6e
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
sppsvc.exepid process 2488 sppsvc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 5 IoCs
Processes:
svchost.exedescription ioc process File created C:\Program Files\Windows Journal\explorer.exe svchost.exe File opened for modification C:\Program Files\Windows Journal\explorer.exe svchost.exe File created C:\Program Files\Windows Journal\7a0fd90576e088 svchost.exe File created C:\Program Files\Microsoft Games\lsass.exe svchost.exe File created C:\Program Files\Microsoft Games\6203df4a6bafc7 svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
sppsvc.exepid process 2488 sppsvc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
svchost.exepid process 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe 2904 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
sppsvc.exepid process 2488 sppsvc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
svchost.exesppsvc.exedescription pid process Token: SeDebugPrivilege 2904 svchost.exe Token: SeDebugPrivilege 2488 sppsvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
svchost.execmd.exedescription pid process target process PID 2904 wrote to memory of 2708 2904 svchost.exe cmd.exe PID 2904 wrote to memory of 2708 2904 svchost.exe cmd.exe PID 2904 wrote to memory of 2708 2904 svchost.exe cmd.exe PID 2708 wrote to memory of 2608 2708 cmd.exe chcp.com PID 2708 wrote to memory of 2608 2708 cmd.exe chcp.com PID 2708 wrote to memory of 2608 2708 cmd.exe chcp.com PID 2708 wrote to memory of 2596 2708 cmd.exe PING.EXE PID 2708 wrote to memory of 2596 2708 cmd.exe PING.EXE PID 2708 wrote to memory of 2596 2708 cmd.exe PING.EXE PID 2708 wrote to memory of 2488 2708 cmd.exe sppsvc.exe PID 2708 wrote to memory of 2488 2708 cmd.exe sppsvc.exe PID 2708 wrote to memory of 2488 2708 cmd.exe sppsvc.exe PID 2708 wrote to memory of 2488 2708 cmd.exe sppsvc.exe PID 2708 wrote to memory of 2488 2708 cmd.exe sppsvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BqNUrJv5SW.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
-
C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\sppsvc.exe"C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\sppsvc.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\System.exeFilesize
749KB
MD5a6479dae68115fad0a37c5fb33becf99
SHA1398663b27c9297a884c800aa64916c976638a036
SHA256441e25c74a8c10b804e0c7f2ffa803b1055c8cddec79e7d70270efb4857e18eb
SHA512aa3dc1b98aa53708a2b9834fb3dc0585ae5deffa168fe65d2aff3d80f4b0849c41d3cbd37e306ac6bfbfe5689e8c625828c93453fd21d5f7ecc0b16ad85f7452
-
C:\Users\Admin\AppData\Local\Temp\BqNUrJv5SW.batFilesize
187B
MD5d4f1308767cfc85fa5f58f564f80d41c
SHA1f0d8edc935cce0e650fe1d37bf262ecf23808791
SHA256fc22d71b3f5a6db72bb42c9d3b05c605dfbe384deed94789c38191019927de88
SHA512e2bc17666ce349bac453e000a6cd9e8e79da1bc5a8bfc55bea3e66890f95dd8fcc82441b93051b5405d3ac86dbde1541fd5ae67f7f3153c191694f427ffb9acf
-
memory/2488-35-0x0000000000EC0000-0x0000000000F82000-memory.dmpFilesize
776KB
-
memory/2904-4-0x000000001B2D0000-0x000000001B350000-memory.dmpFilesize
512KB
-
memory/2904-0-0x0000000000090000-0x0000000000152000-memory.dmpFilesize
776KB
-
memory/2904-6-0x00000000775B0000-0x00000000775B1000-memory.dmpFilesize
4KB
-
memory/2904-7-0x0000000000260000-0x000000000026E000-memory.dmpFilesize
56KB
-
memory/2904-8-0x00000000775A0000-0x00000000775A1000-memory.dmpFilesize
4KB
-
memory/2904-10-0x0000000000310000-0x000000000032C000-memory.dmpFilesize
112KB
-
memory/2904-12-0x00000000005B0000-0x00000000005C8000-memory.dmpFilesize
96KB
-
memory/2904-13-0x0000000077590000-0x0000000077591000-memory.dmpFilesize
4KB
-
memory/2904-2-0x0000000000620000-0x00000000006DE000-memory.dmpFilesize
760KB
-
memory/2904-3-0x00000000777E0000-0x0000000077989000-memory.dmpFilesize
1.7MB
-
memory/2904-30-0x000007FEF5660000-0x000007FEF604C000-memory.dmpFilesize
9.9MB
-
memory/2904-31-0x00000000777E0000-0x0000000077989000-memory.dmpFilesize
1.7MB
-
memory/2904-1-0x000007FEF5660000-0x000007FEF604C000-memory.dmpFilesize
9.9MB