Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-07-2024 08:07

General

  • Target

    svchost.exe

  • Size

    145KB

  • MD5

    5d0e0d8c39cd3e9cd530a226eb859020

  • SHA1

    8eb4534f812e5ef719eccd5b5bbc3cea0c86d01a

  • SHA256

    a71031f0dab50af58606e40c45a469d98a226ab53ede2d950da6445874b4bd12

  • SHA512

    c50bcc77befb2abd9190fd25a7e12370a88b461cf8ec3208d65f37a74f6d4a09293086eaf361e4a55dc58ba47155306fb851af1bb8f3ca21aa5187d30529d29b

  • SSDEEP

    1536:izICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD5bwnHm/1BviIdU/IqbNLu75RjJ:hqJogYkcSNm9V7D50nH2viI2xadRj1T

Signatures

  • Renames multiple (8281) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\ProgramData\D633.tmp
      "C:\ProgramData\D633.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D633.tmp >> NUL
        3⤵
          PID:1704
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
    PID:1596

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini
    Filesize: 129B
    MD5: b5a33661ec796aba12185d31c90eda72
    SHA1: b94643789b220d93abe3603c3a3b4af5857647b9
    SHA256: d9430c37674e249190e76ba3c418c6ba9e50396b9e069ea7b2df1de64423523f
    SHA512: 6909af56e2a802e972689cb50913846eaea12d21f4dfa463adc45c395d22f7cef7cff252973ce58b21bd9df74a50ac086d4be4d3b6b274da88e3842d204f212f

  • C:\GO4nojG0Y.README.txt
    Filesize: 469B
    MD5: 1452389485b72f5b3b6fe32ef0048884
    SHA1: 32bdd628c5f5883ed8b1a725221a45630f09cf09
    SHA256: ccb5dfd78313bf6a409d8d49c4470f5fc947a2967911af5b8e68d0eb0b6a7731
    SHA512: b4a1a03de139d2a21966b1a7be952121a44382f7f24596a1018cb09b20ff4dca16901cad1a1a8a3d6c1587638950e66a3d97dbcf16597ec8090aa8557a0d360a

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDD
    Filesize: 145KB
    MD5: 0081e212200a838c1e84661efeedcca3
    SHA1: f6361534cd8768eac51361d4ddf6fa5bb63fb635
    SHA256: f56143a231ab3eab879e4cf9f776feeee3f858946a561babed9bf51683ee4374
    SHA512: 4e1b9e0055bbfd4aebf540682088ea8827280bece5a9b41a1e76e9f056586ddf4bd57b61d2371c3375f48145e4c91415f5146895f4873b1ed1ab944c66d41db1

  • F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: 5400d9127a5decc3e4bb1db5dd352365
    SHA1: 77f5d817ca68267cfc876ed0d58e62d474776419
    SHA256: 76b11fc90ccbf0b173f65344f9d481ec64536da49c1db51b0b0ad0edb66a338b
    SHA512: 5e6383e0b0a34e4922ceaec491afbeac2e2bdf1043fb26bfc8019961aa7faa20bf6f2264e8e9726fb1f24cbdce726b25f3f009e337e298d062f6d65f101a966c

  • \Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    Filesize: 4.7MB
    MD5: 61bffb5f57ad12f83ab64b7181829b34
    SHA1: 945d94fef51e0db76c2fd95ee22ed2767be0fe0b
    SHA256: 1dd0dd35e4158f95765ee6639f217df03a0a19e624e020dba609268c08a13846
    SHA512: e569639d3bb81a7b3bd46484ff4b8065d7fd15df416602d825443b2b17d8c0c59500fb6516118e7a65ea9fdd9e4be238f0319577fa44c114eaca18b0334ba521

  • \ProgramData\D633.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • memory/2032-12595-0x000000007EF20000-0x000000007EF21000-memory.dmp
    Filesize: 4KB

  • memory/2032-12594-0x000000007EF80000-0x000000007EF81000-memory.dmp
    Filesize: 4KB

  • memory/2032-12593-0x00000000020D0000-0x0000000002110000-memory.dmp
    Filesize: 256KB

  • memory/2032-12592-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
    Filesize: 4KB

  • memory/2032-12625-0x000000007EF60000-0x000000007EF61000-memory.dmp
    Filesize: 4KB

  • memory/2032-12624-0x000000007EF40000-0x000000007EF41000-memory.dmp
    Filesize: 4KB

  • memory/2316-0-0x0000000002170000-0x00000000021B0000-memory.dmp
    Filesize: 256KB