Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    22-06-2024 14:24

General

  • Target

    svchost.exe

  • Size

    178KB

  • MD5

    8c5888968cfdb6a017ee0e480e958321

  • SHA1

    7b44a84ed6544709cac184ccc9c901157b0ed76a

  • SHA256

    ce78bc90ee00ff4ba34b9a98c6cc88f55d93a3ac3366bb587421f4e55f4f86ad

  • SHA512

    631f04864b4d1e746a6820d40f7ef450f8b026649ca4ed87d7702d4c2516c6f63ddbf5418dc0f5b0577a4a1a1c338ecdc6f2d582d0d8346d94b1faee9cce1065

  • SSDEEP

    3072:QrhzCyHoN36tHQviFCvoBnEfWl9zyaF9biYvMG4NpVq8BxFRzaqF+o2GQJ7/Jzqo:QMk9zhvMGgVqwlL

Score
7/10

Malware Config

Signatures

  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Discord.exe
      2⤵
      • Kills process with taskkill
      PID:876
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\c8c44b310a27434084a6764e7e90a2a5.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:3244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\c8c44b310a27434084a6764e7e90a2a5.txt

    Filesize

    2KB

    MD5

    32b0fe8f73a05f68dc10feef1bea16d9

    SHA1

    44d3ef03dfa8f1f462849c140049f98646d1beef

    SHA256

    f4eb5dbf434a5df65d7669a42f1b9130878b224a6c20dd8fa76d814de84586a9

    SHA512

    c16d2417d71da0cb2685b5a4b1cf224aae155e3b135b08b56747021644127f18fb81d45cd9d520714d6730f8b5045f4ae856afc2d9072eee06e14223daabfca1

  • memory/4240-0-0x0000000073FA1000-0x0000000073FA2000-memory.dmp

    Filesize

    4KB

  • memory/4240-1-0x0000000073FA0000-0x0000000074550000-memory.dmp

    Filesize

    5.7MB

  • memory/4240-2-0x0000000073FA0000-0x0000000074550000-memory.dmp

    Filesize

    5.7MB

  • memory/4240-6-0x0000000073FA0000-0x0000000074550000-memory.dmp

    Filesize

    5.7MB

  • memory/4240-7-0x0000000073FA0000-0x0000000074550000-memory.dmp

    Filesize

    5.7MB

  • memory/4240-8-0x0000000073FA0000-0x0000000074550000-memory.dmp

    Filesize

    5.7MB