General

  • Target

    svhost.exe

  • Size

    68.5MB

  • Sample

    241216-yhvsyszldq

  • MD5

    bf49d88af5bdfa38697eafe23fd46265

  • SHA1

    3645a8c119a894db4de0a83832eac124062ea92f

  • SHA256

    dd99072b19ece0f1f9c617fa3d07bfe35d7b61468fc8b3d2e3891143442fa1fa

  • SHA512

    07242ef721747979293f58684443e1a1ddc10cc9fda2ef8f2a8764ee1524cfb10edca73b2ea70d34348710a1712b5df9176de65b2c10a7662072fb1dffd95de7

  • SSDEEP

    1572864:l9JfVzrW13CRrrirAH8+1osuTCSxOB6xM5cX72qHWB75iVaN2ZaQ6A:lNECRrS6xjKcBanL2qHO5iV0E

Malware Config

Targets

    • Target

      svhost.exe

    • Size

      68.5MB

    • MD5

      bf49d88af5bdfa38697eafe23fd46265

    • SHA1

      3645a8c119a894db4de0a83832eac124062ea92f

    • SHA256

      dd99072b19ece0f1f9c617fa3d07bfe35d7b61468fc8b3d2e3891143442fa1fa

    • SHA512

      07242ef721747979293f58684443e1a1ddc10cc9fda2ef8f2a8764ee1524cfb10edca73b2ea70d34348710a1712b5df9176de65b2c10a7662072fb1dffd95de7

    • SSDEEP

      1572864:l9JfVzrW13CRrrirAH8+1osuTCSxOB6xM5cX72qHWB75iVaN2ZaQ6A:lNECRrS6xjKcBanL2qHO5iV0E

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks