Analysis
- max time kernel: 59s
- max time network: 38s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 28-05-2024 16:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: svchost.exe
- Resource: win10-20240404-en
General
- Target: svchost.exe
- Size: 17.9MB
- MD5: 0dc5eec70a1c5d641f7e2ca2fdeb0c13
- SHA1: 045faba808f788827ac803ca23674703db202112
- SHA256: 042fb46c57a37d6e3a96aa82bc30e294ef04d43487ebfd80c81766d37c2a5fbe
- SHA512: b8acbb5512a981aff7e05f7238c50880b601310910a6199afab7600bd365252da567f5414902d644c28920bfb07471f8579cc315f808ef8fc144019b69c175c3
- SSDEEP: 393216:60cJ5TXEFbFQoEi/2rUeP/xQAiNPDak9If:cDXEF+FRHxORDakw
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: 158.58.168.61:1337
- communication_password: 2fdbb4b27758a54f27d8f8cbb485787b
- install_dir: system32
- install_file: Windows Update.exe
- tor_process: tor
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  svchost.exe: Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  PID 3608: Windows Update.exe
- YARA rule upx matched (packed sample)
  C:\Users\Admin\AppData\Roaming\Windows Update.exe
  behavioral1/memory/3608-31-0x0000000000400000-0x00000000007E4000-memory.dmp
  behavioral1/memory/3608-34-0x0000000000400000-0x00000000007E4000-memory.dmp
  behavioral1/memory/3608-35-0x0000000000400000-0x00000000007E4000-memory.dmp
  behavioral1/memory/3608-38-0x0000000000400000-0x00000000007E4000-memory.dmp
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Windows Update.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exeĀ"
  Windows Update.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe耀"
  Windows Update.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe"
  Windows Update.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe픀"
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  PID 3608: Windows Update.exe (4 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  svchost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3608 Windows Update.exe: Token: SeShutdownPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3608: Windows Update.exe (2 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4920 svchost.exe wrote to memory of PID 3608 Windows Update.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 1.4MB
  MD5: b37ec293e5bcb580d448da4965dffd54
  SHA1: 47b36a89cab289178f6d2ffd123ac0ca8431f0e8
  SHA256: 29556061e8bf4bc3805e4b52abae0b12b7ca445a5b792d3daa19bcf30aa3966e
  SHA512: 3358f3b8f1b42aa680075af9388906f0e93cb1cd4cc5ab15a9a07df61a1604e2e53d2acf3212c53613debf156e5d21680e7ba0ad52237006c29f877b04a23371
- memory/3608-31-0x0000000000400000-0x00000000007E4000-memory.dmp
  Filesize: 3.9MB
- memory/3608-32-0x0000000074380000-0x00000000743BA000-memory.dmp
  Filesize: 232KB
- memory/3608-33-0x0000000074350000-0x000000007438A000-memory.dmp
  Filesize: 232KB
- memory/3608-34-0x0000000000400000-0x00000000007E4000-memory.dmp
  Filesize: 3.9MB
- memory/3608-35-0x0000000000400000-0x00000000007E4000-memory.dmp
  Filesize: 3.9MB
- memory/3608-37-0x0000000074350000-0x000000007438A000-memory.dmp
  Filesize: 232KB
- memory/3608-38-0x0000000000400000-0x00000000007E4000-memory.dmp
  Filesize: 3.9MB
- memory/4920-0-0x0000000000400000-0x00000000015F4000-memory.dmp
  Filesize: 18.0MB