Overview

overview

10

Static

static

10

svClient.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 04:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svClient.exe

  • Size

    94KB

  • MD5

    2ce6f0a9681d09ad541a00b640c4a7ce

  • SHA1

    e3bac43991c9571cbfc516d9c2a2dc21bb5612c8

  • SHA256

    d9083880d4fc394283a1640392ddef37a72978800fe3e6cc25561369d888047a

  • SHA512

    57c0dc20fe771853f6d21654bd4ce7fb27ea60ee2bccac005779e6cec347628fd0b7b995aaab661a488c6511adcecf51d42545e7c2708ccaa100fef96ca36451

  • SSDEEP

    1536:nAWCI6dorHYPvgNFoOE6jEwzGi1dDE3QDAgS:nAEuorHYPvgNJEDi1dI3Sp

Score
3/10
discovery

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svClient.exe
    "C:\Users\Admin\AppData\Local\Temp\svClient.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 888
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:632
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2080
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
    Filesize

    64KB

    MD5

    d2fb266b97caff2086bf0fa74eddb6b2

    SHA1

    2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

    SHA256

    b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

    SHA512

    c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

    Download Submit

  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
    Filesize

    4B

    MD5

    f49655f856acb8884cc0ace29216f511

    SHA1

    cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

    SHA256

    7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

    SHA512

    599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

    Download Submit

  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
    Filesize

    944B

    MD5

    6bd369f7c74a28194c991ed1404da30f

    SHA1

    0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

    SHA256

    878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

    SHA512

    8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

    Download Submit

  • memory/432-0-0x0000000075382000-0x0000000075383000-memory.dmp

    Filesize

    4KB

    Download

  • memory/432-1-0x0000000075380000-0x0000000075931000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/432-2-0x0000000075380000-0x0000000075931000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/432-9-0x0000000075380000-0x0000000075931000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2080-17-0x000001FC56E00000-0x000001FC56E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-16-0x000001FC56E00000-0x000001FC56E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-22-0x000001FC56E00000-0x000001FC56E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-21-0x000001FC56E00000-0x000001FC56E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-20-0x000001FC56E00000-0x000001FC56E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-19-0x000001FC56E00000-0x000001FC56E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-18-0x000001FC56E00000-0x000001FC56E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-12-0x000001FC56E00000-0x000001FC56E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-11-0x000001FC56E00000-0x000001FC56E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-10-0x000001FC56E00000-0x000001FC56E01000-memory.dmp

    Filesize

    4KB

    Download