Analysis
- max time kernel: 65s
- max time network: 61s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 21-06-2024 11:29
Behavioral task: behavioral1
- Sample: scvhost.exe
- Resource: win7-20240611-en
General
- Target: scvhost.exe
- Size: 61KB
- MD5: 409c4205d1119c67e3ed65c16f9b71c7
- SHA1: 2dd6c500f1bc16e59764cd1ac13642463efa52e7
- SHA256: 924d8102157fd6dbcda4cac2b035be62d8aeeb3e3d8d5bea167989a33d0141fd
- SHA512: 1de55f5dd34b546078130cb5619295113200d7fc254ef32573db256ece2ebc89181ff0cb92900617728f04a11d688d9b4bbd32b3152d1a66c9d93a206d1d135d
- SSDEEP: 768:gDifR2nzIdDiIp2PhtWZRYs/b1NnW9bnj5jWzNd6RuhO0utthei4Jq8Z:d2sdgh4b/b7835aJd6gO0at43J9
Malware Config
Extracted family: xworm
- gift-scientists.gl.at.ply.gg:20443
- Install_directory: %AppData%
- install_file: scvhost.exe
Signatures

Detect Xworm Payload (3 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/1252-1-0x00000000003B0000-0x00000000003C6000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\scvhost.exe: family_xworm
- behavioral1/memory/1584-34-0x0000000000920000-0x0000000000936000-memory.dmp: family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 2296 powershell.exe
- 2608 powershell.exe
- 2736 powershell.exe
- 264 powershell.exe

Executes dropped EXE (1 IoC)
Processes (pid, process):
- 1584 scvhost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid, process):
- 1252 scvhost.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid, process):
- 2296 powershell.exe
- 2608 powershell.exe
- 2736 powershell.exe
- 264 powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1252 scvhost.exe
- Token: SeDebugPrivilege, 2296 powershell.exe
- Token: SeDebugPrivilege, 2608 powershell.exe
- Token: SeDebugPrivilege, 2736 powershell.exe
- Token: SeDebugPrivilege, 264 powershell.exe
- Token: SeDebugPrivilege, 1252 scvhost.exe
- Token: SeDebugPrivilege, 1584 scvhost.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description, pid, process, target process; each entry recorded three times):
- PID 1252 wrote to memory of 2296: scvhost.exe -> powershell.exe
- PID 1252 wrote to memory of 2608: scvhost.exe -> powershell.exe
- PID 1252 wrote to memory of 2736: scvhost.exe -> powershell.exe
- PID 1252 wrote to memory of 264: scvhost.exe -> powershell.exe
- PID 1252 wrote to memory of 2004: scvhost.exe -> schtasks.exe
- PID 308 wrote to memory of 1584: taskeng.exe -> scvhost.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\scvhost.exe (PID 1252)
  Command line: "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
  Signatures:
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2296)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2608)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2736)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\scvhost.exe'
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 264)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 2004)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "scvhost" /tr "C:\Users\Admin\AppData\Roaming\scvhost.exe"
    Signatures:
    - Scheduled Task/Job: Scheduled Task

- C:\Windows\explorer.exe (PID 2824)
  Command line: "C:\Windows\explorer.exe"

- C:\Windows\system32\taskeng.exe (PID 308)
  Command line: taskeng.exe {102AA688-8D4D-4E37-A2B5-F1A3961AB618} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\scvhost.exe (PID 1584)
    Command line: C:\Users\Admin\AppData\Roaming\scvhost.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: dbc20fee0125584009d8709f620b7764
  SHA1: c376d243dd954918c46c8119c59ad1ecc4df9da2
  SHA256: 235ef57319d903c4d01f0ee5a1af4779e1306d35b4a8036bad093d0256e7f8d1
  SHA512: 2174cc258f0e2cc935d34978d756948b8c0b48bb38fb6063adc4c42d66b35e83666ad21e4d77e739b93d9b5bb58d794b5449f36e46da0b84cb2bcb4a7214102a

- (filename not recorded)
  Filesize: 61KB
  MD5: 409c4205d1119c67e3ed65c16f9b71c7
  SHA1: 2dd6c500f1bc16e59764cd1ac13642463efa52e7
  SHA256: 924d8102157fd6dbcda4cac2b035be62d8aeeb3e3d8d5bea167989a33d0141fd
  SHA512: 1de55f5dd34b546078130cb5619295113200d7fc254ef32573db256ece2ebc89181ff0cb92900617728f04a11d688d9b4bbd32b3152d1a66c9d93a206d1d135d

- (filename not recorded)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e