fa47d6d85592087d1cba503253670920ac9545deb3176006fc79606b21ae966c

Analysis

max time kernel
147s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21/08/2024, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Svhost.exe
Size

399KB
MD5

7d4970831fafb993a4b0de345cb6832b
SHA1

ff95a1c11fe502a396f65cb817abf6796dfb791a
SHA256

fa47d6d85592087d1cba503253670920ac9545deb3176006fc79606b21ae966c
SHA512

9b27ecaca0dc6b7b68acdcfc4308f213b94ddfea3cbc357ee96e1cc82bd2e3cfb06c4c8a9ce5647fbde18931f5e2b34e5a119295c4548d719b7a85d425657b84
SSDEEP

6144:PaSpJQYtBJ5666+e6VlWT8b9L+s82y00ZFlTzubWKrhtwwD:PPph95o+PVle8Is8LZFFCrhtw4

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdAvast Antivirus Upgrade.exe"	Svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe"	Svhost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Loads dropped DLL 3 IoCs

pid	Process
4800	Process not Found
1420	WmiApSrv.exe
2360	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\xdwdMicrosoft Dynamics Upgrade.exe"	Svhost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	Svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
432	timeout.exe
4868	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4184	taskkill.exe
3040	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3761892313-3378554128-2287991803-1000\{043B4ED8-C8D2-40E8-9F3A-806518F7BD9D}	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1420	WmiApSrv.exe
1420	WmiApSrv.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe
1488	Svhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	Svhost.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeShutdownPrivilege	3180	explorer.exe
Token: SeCreatePagefilePrivilege	3180	explorer.exe
Token: SeShutdownPrivilege	3180	explorer.exe
Token: SeCreatePagefilePrivilege	3180	explorer.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 4612	1488	Svhost.exe	84
PID 1488 wrote to memory of 4612	1488	Svhost.exe	84
PID 4612 wrote to memory of 4160	4612	CMD.exe	86
PID 4612 wrote to memory of 4160	4612	CMD.exe	86
PID 1488 wrote to memory of 1212	1488	Svhost.exe	90
PID 1488 wrote to memory of 1212	1488	Svhost.exe	90
PID 1488 wrote to memory of 1440	1488	Svhost.exe	92
PID 1488 wrote to memory of 1440	1488	Svhost.exe	92
PID 1440 wrote to memory of 4184	1440	CMD.exe	94
PID 1440 wrote to memory of 4184	1440	CMD.exe	94
PID 1212 wrote to memory of 1808	1212	cmd.exe	95
PID 1212 wrote to memory of 1808	1212	cmd.exe	95
PID 1488 wrote to memory of 32	1488	Svhost.exe	96
PID 1488 wrote to memory of 32	1488	Svhost.exe	96
PID 32 wrote to memory of 2016	32	cmd.exe	98
PID 32 wrote to memory of 2016	32	cmd.exe	98
PID 1488 wrote to memory of 5012	1488	Svhost.exe	99
PID 1488 wrote to memory of 5012	1488	Svhost.exe	99
PID 5012 wrote to memory of 4868	5012	cmd.exe	101
PID 5012 wrote to memory of 4868	5012	cmd.exe	101
PID 5012 wrote to memory of 3180	5012	cmd.exe	102
PID 5012 wrote to memory of 3180	5012	cmd.exe	102
PID 5012 wrote to memory of 3040	5012	cmd.exe	103
PID 5012 wrote to memory of 3040	5012	cmd.exe	103
PID 5012 wrote to memory of 432	5012	cmd.exe	104
PID 5012 wrote to memory of 432	5012	cmd.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Svhost.exe
"C:\Users\Admin\AppData\Local\Temp\Svhost.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost.exe" /tr "C:\Users\Admin\AppData\Roaming\xdwdAvast Antivirus Upgrade.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost.exe" /tr "C:\Users\Admin\AppData\Roaming\xdwdAvast Antivirus Upgrade.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "svchost.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\system32\schtasks.exe
    schtASks /deLeTe /F /Tn "svchost.exe"
    3⤵
    PID:1808
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C taskkill /im explorer.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\system32\taskkill.exe
    taskkill /im explorer.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "svchost.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\system32\schtasks.exe
    schtASks /deLeTe /F /Tn "svchost.exe"
    3⤵
    PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9263.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:4868
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- - C:\Windows\system32\taskkill.exe
    taskkill /im xdwdAvast Antivirus Upgrade.exe /f
    3⤵
    - Kills process with taskkill
    PID:3040
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:432

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1340

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9263.tmp.bat

Filesize
262B

MD5
1903fbaead4e164a4800b390f9d8777d

SHA1
c0127375f00b693e112f692fc719c5098ac8423d

SHA256
f461d109a868d263b8274fac3bdd13ea7c73035fafb8f96d299f56a94e226e4b

SHA512
068ff68b33d127bd44e895637639b11c5dc8b45c14bf97f23283c0a86eaf059b48a2e630759692cf1e3550c1ee6758a596dab63abea72bcb4b443cd324b9a421

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/1420-90-0x00007FFD33A90000-0x00007FFD33A91000-memory.dmp

Filesize
4KB

Download
memory/1488-144-0x00007FFD12A40000-0x00007FFD13502000-memory.dmp

Filesize
10.8MB

Download
memory/1488-51-0x00007FFD12A40000-0x00007FFD13502000-memory.dmp

Filesize
10.8MB

Download
memory/1488-2-0x00007FFD12A43000-0x00007FFD12A45000-memory.dmp

Filesize
8KB

Download
memory/1488-0-0x00007FFD12A43000-0x00007FFD12A45000-memory.dmp

Filesize
8KB

Download
memory/1488-1-0x0000000000420000-0x0000000000488000-memory.dmp

Filesize
416KB

Download
memory/1488-1103-0x00007FFD12A40000-0x00007FFD13502000-memory.dmp

Filesize
10.8MB

Download
memory/3524-1119-0x000001E803020000-0x000001E803120000-memory.dmp

Filesize
1024KB

Download
memory/3524-1145-0x000001E803020000-0x000001E803120000-memory.dmp

Filesize
1024KB

Download
memory/3524-1171-0x000001E836980000-0x000001E836A80000-memory.dmp

Filesize
1024KB

Download
memory/3524-1208-0x000001E8350B0000-0x000001E8350D0000-memory.dmp

Filesize
128KB

Download
memory/3524-1209-0x000001E836820000-0x000001E836840000-memory.dmp

Filesize
128KB

Download
memory/3524-1210-0x000001E835110000-0x000001E835130000-memory.dmp

Filesize
128KB

Download