Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system -
submitted
22-06-2024 14:24
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win10-20240404-en
General
-
Target
svchost.exe
-
Size
178KB
-
MD5
8c5888968cfdb6a017ee0e480e958321
-
SHA1
7b44a84ed6544709cac184ccc9c901157b0ed76a
-
SHA256
ce78bc90ee00ff4ba34b9a98c6cc88f55d93a3ac3366bb587421f4e55f4f86ad
-
SHA512
631f04864b4d1e746a6820d40f7ef450f8b026649ca4ed87d7702d4c2516c6f63ddbf5418dc0f5b0577a4a1a1c338ecdc6f2d582d0d8346d94b1faee9cce1065
-
SSDEEP
3072:QrhzCyHoN36tHQviFCvoBnEfWl9zyaF9biYvMG4NpVq8BxFRzaqF+o2GQJ7/Jzqo:QMk9zhvMGgVqwlL
Malware Config
Signatures
-
Drops startup file 3 IoCs
Processes: svchost.exe
  description                  | ioc                                                                                             | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge     | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge     | svchost.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.url | svchost.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: svchost.exe
  description     | ioc                                                                                                                                                                            | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."                              | svchost.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
  pid | process
  876 | taskkill.exe
-
Modifies registry class 1 IoCs
Processes: svchost.exe
  description | ioc                                                                                 | process
  Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | svchost.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
  pid  | process
  3244 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: svchost.exe
  pid  | process
  4240 | svchost.exe
  (this entry is repeated 64 times in the report, once per IoC)
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes: svchost.exe
  description                       | pid  | process
  Token: SeDebugPrivilege           | 4240 | svchost.exe
  Token: 33                         | 4240 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 4240 | svchost.exe
  (the last two entries alternate 17 times in the report; 35 IoCs in total)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: svchost.exe
  description                      | pid  | process     | target process
  PID 4240 wrote to memory of 876  | 4240 | svchost.exe | taskkill.exe   (3 times)
  PID 4240 wrote to memory of 3244 | 4240 | svchost.exe | NOTEPAD.EXE    (3 times)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Drops startup file
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4240
    -
    [2] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f im Discord.exe
        - Kills process with taskkill
        PID: 876
        -
    [2] C:\Windows\SysWOW64\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\c8c44b310a27434084a6764e7e90a2a5.txt
        - Opens file in notepad (likely ransom note)
        PID: 3244
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
-
MD5
32b0fe8f73a05f68dc10feef1bea16d9
-
SHA1
44d3ef03dfa8f1f462849c140049f98646d1beef
-
SHA256
f4eb5dbf434a5df65d7669a42f1b9130878b224a6c20dd8fa76d814de84586a9
-
SHA512
c16d2417d71da0cb2685b5a4b1cf224aae155e3b135b08b56747021644127f18fb81d45cd9d520714d6730f8b5045f4ae856afc2d9072eee06e14223daabfca1