Analysis
-
max time kernel
133s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 18:23
Static task
static1
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
svchost.exe
Resource
win11-20240508-en
General
-
Target
svchost.exe
-
Size
1.1MB
-
MD5
5bf9ee7d92c033665bbbe4cc83c6c8bd
-
SHA1
e763e34f50c83e1cf8c4be632993b8cec2ed193e
-
SHA256
f7ca25eb2280d864435398259c502fe3dac6797871d8d1e9d362a889419c5cf4
-
SHA512
f3026e908adf75147bfef7737bcf98701118ea310a0b93b9c04369656572e1c3f43f6a2a2fe61a31a0f66d2b59d6a74ca4efc5528a65ac64784b6aa8b7472448
-
SSDEEP
24576:EQlWF5PC5xcbIdo20hVV58hCXeFnnw0uR7DF8A+dIJtFwwGf3xx7BzU:jnxcbOo28PeFcR7DF8YbGfL7BQ
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
netsh.exenetsh.exepid process 1052 netsh.exe 1260 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 2 IoCs
Processes:
svchost.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a5f4311056a11b632f3449ff4bfd0e3.exe svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a5f4311056a11b632f3449ff4bfd0e3.exe svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 3636 svchost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3a5f4311056a11b632f3449ff4bfd0e3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3a5f4311056a11b632f3449ff4bfd0e3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
svchost.exesvchost.exepid process 1384 svchost.exe 1384 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 4120 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
svchost.exepid process 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe 3636 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
svchost.exepid process 3636 svchost.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
svchost.exetaskkill.exedescription pid process Token: SeDebugPrivilege 3636 svchost.exe Token: SeDebugPrivilege 4120 taskkill.exe Token: 33 3636 svchost.exe Token: SeIncBasePriorityPrivilege 3636 svchost.exe Token: 33 3636 svchost.exe Token: SeIncBasePriorityPrivilege 3636 svchost.exe Token: 33 3636 svchost.exe Token: SeIncBasePriorityPrivilege 3636 svchost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
svchost.exesvchost.exepid process 1384 svchost.exe 3636 svchost.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
svchost.exesvchost.execmd.exedescription pid process target process PID 1384 wrote to memory of 3636 1384 svchost.exe svchost.exe PID 1384 wrote to memory of 3636 1384 svchost.exe svchost.exe PID 1384 wrote to memory of 3636 1384 svchost.exe svchost.exe PID 3636 wrote to memory of 1260 3636 svchost.exe netsh.exe PID 3636 wrote to memory of 1260 3636 svchost.exe netsh.exe PID 3636 wrote to memory of 1260 3636 svchost.exe netsh.exe PID 3636 wrote to memory of 4120 3636 svchost.exe taskkill.exe PID 3636 wrote to memory of 4120 3636 svchost.exe taskkill.exe PID 3636 wrote to memory of 4120 3636 svchost.exe taskkill.exe PID 3636 wrote to memory of 1052 3636 svchost.exe netsh.exe PID 3636 wrote to memory of 1052 3636 svchost.exe netsh.exe PID 3636 wrote to memory of 1052 3636 svchost.exe netsh.exe PID 3636 wrote to memory of 2540 3636 svchost.exe cmd.exe PID 3636 wrote to memory of 2540 3636 svchost.exe cmd.exe PID 3636 wrote to memory of 2540 3636 svchost.exe cmd.exe PID 2540 wrote to memory of 1956 2540 cmd.exe PING.EXE PID 2540 wrote to memory of 1956 2540 cmd.exe PING.EXE PID 2540 wrote to memory of 1956 2540 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:1260 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM MsMpEng.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4120 -
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Modifies Windows Firewall
PID:1052 -
C:\Windows\SysWOW64\cmd.execmd.exe /k ping 0 & del "C:\Users\Admin\AppData\Roaming\svchost.exe" & exit3⤵
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\PING.EXEping 04⤵
- Runs ping.exe
PID:1956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:81⤵PID:4812
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
319B
MD5da4fafeffe21b7cb3a8c170ca7911976
SHA150ef77e2451ab60f93f4db88325b897d215be5ad
SHA2567341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7
SHA5120bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6
-
Filesize
1.1MB
MD55bf9ee7d92c033665bbbe4cc83c6c8bd
SHA1e763e34f50c83e1cf8c4be632993b8cec2ed193e
SHA256f7ca25eb2280d864435398259c502fe3dac6797871d8d1e9d362a889419c5cf4
SHA512f3026e908adf75147bfef7737bcf98701118ea310a0b93b9c04369656572e1c3f43f6a2a2fe61a31a0f66d2b59d6a74ca4efc5528a65ac64784b6aa8b7472448