svchost[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

svchost.exe
Size

4.2MB
MD5

07eee2d65cb99c85d220c3e4f515309b
SHA1

5d8e6659d2d8d7243e07c3aae09e4b3f3e21455b
SHA256

63aab0e12457f7c8de3c9ea2fbed64c389c6be2737a54475ab8582728ee4eb09
SHA512

a5b493efd9a615ad5decc8b8a44f21d217e7ca6c4a0b6c83aa17ea685fbff9876ed1b77927a405e4cced2ca7b70d2f9dc9e6001067731d7065b7fede1d768898
SSDEEP

49152:av3gkoJsXSgNP0knh/qNwffAj3g/bTqSk6znmh:av30S/lgQ/6S

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
svchost.exe

Files

svchost.exe
.dll windows:6 windows x64 arch:x64

aee4344acd91a046e1111f2cd7c82016

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

jvm

gHotSpotVMIntConstants
gHotSpotVMLongConstants
gHotSpotVMStructs
JNI_GetCreatedJavaVMs
gHotSpotVMTypes

opengl32

wglCreateContext
wglGetCurrentContext
wglDeleteContext
wglMakeCurrent

kernel32

MultiByteToWideChar
GlobalAlloc
GlobalFree
GlobalLock
WideCharToMultiByte
GlobalUnlock
LoadLibraryA
GetProcAddress
FreeLibrary
GetModuleHandleA
GetLocaleInfoA
QueryPerformanceFrequency
VerSetConditionMask
GetModuleHandleW
QueryPerformanceCounter
GetLastError
FreeConsole
VirtualProtect
VirtualFree
VirtualAlloc
GetCurrentProcess
K32GetModuleInformation
GetProcessId
CloseHandle
GetConsoleWindow
GetFileAttributesW
GetTempPathW
AreFileApisANSI
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
CreateFileW
GetLocaleInfoEx
LocalFree
FormatMessageA

user32

PostMessageA
GetAsyncKeyState
CallWindowProcA
WindowFromDC
GetClipCursor
ClipCursor
EnumWindows
MessageBoxA
GetWindowLongW
DefWindowProcW
GetWindowTextA
AdjustWindowRectEx
GetKeyState
GetMessageExtraInfo
DestroyWindow
GetDC
IsWindowVisible
GetWindow
GetWindowThreadProcessId
SetWindowLongPtrA
SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
GetCursorPos
ReleaseDC
SetCursorPos
IsIconic
SetForegroundWindow
ReleaseCapture
IsWindowUnicode
GetClientRect
SetWindowLongW
SetCursor
SetCapture
LoadCursorW
BringWindowToTop
SetFocus
SetLayeredWindowAttributes
GetForegroundWindow
GetKeyboardLayout
TrackMouseEvent
IsChild
ClientToScreen
GetMonitorInfoW
GetCapture
ShowWindow
WindowFromPoint
RegisterClassExW
SetWindowTextW
UnregisterClassW
ScreenToClient
CreateWindowExW
SetWindowPos
MonitorFromWindow
SetWindowLongPtrW
EnumDisplayMonitors

gdi32

GetDeviceCaps

msvcp140

_Mtx_lock
?_Throw_C_error@std@@YAXH@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
_Mtx_unlock
?ignore@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
??Bid@locale@std@@QEAA_KXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
_Thrd_join
_Thrd_detach
?_Xbad_function_call@std@@YAXXZ
_Thrd_id
_Query_perf_frequency
?clog@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?_Xout_of_range@std@@YAXPEBD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Random_device@std@@YAIXZ
?_Xlength_error@std@@YAXPEBD@Z
_Mtx_destroy_in_situ
_Mtx_init_in_situ
_Cnd_do_broadcast_at_thread_exit
_Query_perf_counter
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Winerror_map@std@@YAHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Syserror_map@std@@YAPEBDH@Z
_Xtime_get_ticks
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A

imm32

ImmSetCandidateWindow
ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow

wininet

InternetOpenUrlW
InternetOpenW
HttpOpenRequestW
InternetCloseHandle
InternetConnectW
InternetReadFile
HttpSendRequestW

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_destroy
memcmp
__std_exception_copy
__std_terminate
strstr
memcpy
memset
memmove
__current_exception
__current_exception_context
__C_specific_handler
_CxxThrowException
__std_type_info_destroy_list
memchr

api-ms-win-crt-heap-l1-1-0

realloc
calloc
malloc
free
_callnewh

api-ms-win-crt-runtime-l1-1-0

terminate
exit
_errno
_invalid_parameter_noinfo_noreturn
_beginthreadex
_initterm_e
_initterm
_cexit
_crt_atexit
_execute_onexit_table
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_dll

api-ms-win-crt-stdio-l1-1-0

fclose
fflush
__stdio_common_vsprintf_s
fseek
_popen
fgets
_pclose
__acrt_iob_func
_get_stream_buffer_pointers
fsetpos
ungetc
setvbuf
fgetpos
fgetc
fputc
__stdio_common_vfprintf
_fseeki64
fwrite
_wfopen
__stdio_common_vsprintf
fread
__stdio_common_vsscanf
ftell

api-ms-win-crt-utility-l1-1-0

srand
rand
qsort

api-ms-win-crt-string-l1-1-0

strcmp
tolower
strncmp
strncpy

api-ms-win-crt-convert-l1-1-0

strtod
atof
strtol
strtoull
strtoll

api-ms-win-crt-filesystem-l1-1-0

remove
_lock_file
_unlock_file

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-locale-l1-1-0

localeconv
___lc_codepage_func

api-ms-win-crt-math-l1-1-0

atan
cosf
atan2f
fmodf
pow
atan2
sqrtf
powf
sin
sinf
_dclass
acosf
sqrt
ceilf
floor

Sections

.text
Size: 715KB - Virtual size: 714KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 101KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

aee4344acd91a046e1111f2cd7c82016

Headers

DLL Characteristics

File Characteristics

Imports

jvm

opengl32

kernel32

user32

gdi32

msvcp140

imm32

wininet

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 715KB - Virtual size: 714KB

.rdata Size: 3.3MB - Virtual size: 3.3MB

.data Size: 101KB - Virtual size: 140KB

.pdata Size: 27KB - Virtual size: 27KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 715KB - Virtual size: 714KB

.rdata
Size: 3.3MB - Virtual size: 3.3MB

.data
Size: 101KB - Virtual size: 140KB

.pdata
Size: 27KB - Virtual size: 27KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 5KB - Virtual size: 5KB