Analysis Overview
SHA256
042fb46c57a37d6e3a96aa82bc30e294ef04d43487ebfd80c81766d37c2a5fbe
Threat Level: Known bad
The file svchost.exe was found to be: Known bad.
Malicious Activity Summary
BitRAT
Checks computer location settings
Executes dropped EXE
UPX packed file
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-28 16:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 16:11
Reported
2024-05-28 16:12
Platform
win10-20240404-en
Max time kernel
59s
Max time network
38s
Command Line
Signatures
BitRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exeĀ" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe耀" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe픀" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4920 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
| PID 4920 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
| PID 4920 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Network
| Country | Destination | Domain | Proto |
| IT | 158.58.168.61:1337 | tcp | |
| IT | 158.58.168.61:1337 | tcp |
Files
memory/4920-0-0x0000000000400000-0x00000000015F4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | b37ec293e5bcb580d448da4965dffd54 |
| SHA1 | 47b36a89cab289178f6d2ffd123ac0ca8431f0e8 |
| SHA256 | 29556061e8bf4bc3805e4b52abae0b12b7ca445a5b792d3daa19bcf30aa3966e |
| SHA512 | 3358f3b8f1b42aa680075af9388906f0e93cb1cd4cc5ab15a9a07df61a1604e2e53d2acf3212c53613debf156e5d21680e7ba0ad52237006c29f877b04a23371 |
memory/3608-31-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3608-32-0x0000000074380000-0x00000000743BA000-memory.dmp
memory/3608-33-0x0000000074350000-0x000000007438A000-memory.dmp
memory/3608-34-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3608-35-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3608-37-0x0000000074350000-0x000000007438A000-memory.dmp
memory/3608-38-0x0000000000400000-0x00000000007E4000-memory.dmp