| File name: | svhost.exe |
| Full analysis: | https://app.any.run/tasks/ca6707f0-fe48-41df-9380-86fb0e2cbc9b |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | February 20, 2024, 14:48:28 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | DDFB084744E61A11E2A606C38D539A04 |
| SHA1: | 236829E209E87C24FD38CC3F5E1CD44CA78038A0 |
| SHA256: | A630D40C8A30D79629F46BD0BBF130D261AC0D3FDC450E02BD6E41273B11A7B0 |
| SSDEEP: | 192:ugh9JIWHWTatc3udGOqndxbnQBjdxjLy+5Oj/jZWkdooooXcPiHgSZes/91C1mFq:zh9DqdpQBhRy+IlWuJZr91CHT+Nr0D5 |
MALICIOUS
Drops the executable file immediately after the start
- svhost.exe (PID: 3864)
- svhost.exe (PID: 3444)
Create files in the Startup directory
- svchost.exe (PID: 2340)
- svchost.exe (PID: 2108)
Renames files like ransomware
- svchost.exe (PID: 2340)
Steals credentials from Web Browsers
- svchost.exe (PID: 2340)
Deletes shadow copies
- cmd.exe (PID: 2292)
- cmd.exe (PID: 2888)
- cmd.exe (PID: 2180)
- cmd.exe (PID: 2392)
- cmd.exe (PID: 3820)
- cmd.exe (PID: 2052)
Using BCDEDIT.EXE to modify recovery options
- cmd.exe (PID: 1368)
- cmd.exe (PID: 2332)
- cmd.exe (PID: 4036)
Actions looks like stealing of personal data
- svchost.exe (PID: 2108)
- svchost.exe (PID: 2340)
- svchost.exe (PID: 3780)
SUSPICIOUS
Executable content was dropped or overwritten
- svhost.exe (PID: 3864)
- svhost.exe (PID: 3444)
Reads the Internet Settings
- svhost.exe (PID: 3864)
- svchost.exe (PID: 2340)
- WMIC.exe (PID: 3308)
- sipnotify.exe (PID: 1392)
- svchost.exe (PID: 2108)
- WMIC.exe (PID: 2236)
- svhost.exe (PID: 3444)
- svchost.exe (PID: 3780)
- WMIC.exe (PID: 3944)
Starts itself from another location
- svhost.exe (PID: 3864)
- svhost.exe (PID: 3444)
Reads security settings of Internet Explorer
- svhost.exe (PID: 3864)
- svchost.exe (PID: 2340)
- svchost.exe (PID: 2108)
- svhost.exe (PID: 3444)
- svchost.exe (PID: 3780)
The process creates files with name similar to system file names
- svhost.exe (PID: 3864)
- svhost.exe (PID: 3444)
Starts CMD.EXE for commands execution
- svchost.exe (PID: 2340)
- svchost.exe (PID: 2108)
- svchost.exe (PID: 3780)
Executes as Windows Service
- VSSVC.exe (PID: 1348)
- wbengine.exe (PID: 1864)
- vds.exe (PID: 3088)
Start notepad (likely ransomware note)
- svchost.exe (PID: 2340)
- svchost.exe (PID: 2108)
- svchost.exe (PID: 3780)
The process executes via Task Scheduler
- ctfmon.exe (PID: 1504)
- sipnotify.exe (PID: 1392)
Write to the desktop.ini file (may be used to cloak folders)
- svchost.exe (PID: 2340)
Reads settings of System Certificates
- sipnotify.exe (PID: 1392)
INFO
Checks supported languages
- svhost.exe (PID: 3864)
- wmpnscfg.exe (PID: 604)
- svhost.exe (PID: 3732)
- svchost.exe (PID: 2340)
- IMEKLMG.EXE (PID: 312)
- IMEKLMG.EXE (PID: 520)
- svchost.exe (PID: 2108)
- wmpnscfg.exe (PID: 2608)
- wmpnscfg.exe (PID: 2628)
- wmpnscfg.exe (PID: 2776)
- svhost.exe (PID: 3444)
- svchost.exe (PID: 3780)
Reads the computer name
- wmpnscfg.exe (PID: 604)
- svhost.exe (PID: 3732)
- svhost.exe (PID: 3864)
- svchost.exe (PID: 2340)
- IMEKLMG.EXE (PID: 520)
- svchost.exe (PID: 2108)
- IMEKLMG.EXE (PID: 312)
- wmpnscfg.exe (PID: 2608)
- wmpnscfg.exe (PID: 2628)
- wmpnscfg.exe (PID: 2776)
- svchost.exe (PID: 3780)
- svhost.exe (PID: 3444)
Creates files or folders in the user directory
- svhost.exe (PID: 3864)
- svchost.exe (PID: 2340)
- svhost.exe (PID: 3444)
Manual execution by a user
- svhost.exe (PID: 3732)
- IMEKLMG.EXE (PID: 312)
- IMEKLMG.EXE (PID: 520)
- notepad.exe (PID: 1176)
- rundll32.exe (PID: 720)
- svchost.exe (PID: 2108)
- wmpnscfg.exe (PID: 2608)
- wmpnscfg.exe (PID: 2628)
- wmpnscfg.exe (PID: 2776)
- mmc.exe (PID: 2948)
- svhost.exe (PID: 3444)
- mmc.exe (PID: 3068)
- taskmgr.exe (PID: 3236)
Reads the machine GUID from the registry
- svchost.exe (PID: 2340)
- svchost.exe (PID: 2108)
- svchost.exe (PID: 3780)
Process checks whether UAC notifications are on
- IMEKLMG.EXE (PID: 312)
- IMEKLMG.EXE (PID: 520)
Reads security settings of Internet Explorer
- sipnotify.exe (PID: 1392)
Reads the software policy settings
- sipnotify.exe (PID: 1392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:02:20 14:43:06+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 20992 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x716e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 0.0.0.0 |
| InternalName: | svhost.exe |
| LegalCopyright: | |
| OriginalFileName: | svhost.exe |
| ProductVersion: | 0.0.0.0 |
| AssemblyVersion: | 0.0.0.0 |
Total processes
162
Monitored processes
50
Malicious processes
12
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 312 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 448 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Roaming\read_it.txt | C:\Windows\System32\notepad.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Notepad Exit code: 1073807364 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 520 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 604 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 720 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.tga7 | C:\Windows\System32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 980 | bcdedit /set {default} recoveryenabled no | C:\Windows\System32\bcdedit.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Boot Configuration Data Editor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1176 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1348 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1368 | "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no | C:\Windows\System32\cmd.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1392 | C:\Windows\system32\sipnotify.exe -LogonOrUnlock | C:\Windows\System32\sipnotify.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: sipnotify Exit code: 0 Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716) Modules
| |||||||||||||||
Total events
23 933
Read events
23 841
Write events
78
Delete events
14
Modification events
| (PID) Process: | (3864) svhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3864) svhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3864) svhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3864) svhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2340) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2340) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2340) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2340) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2260) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\250000e0 |
| Operation: | write | Name: | Element |
Value: 0100000000000000 | |||
| (PID) Process: | (980) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\16000009 |
| Operation: | write | Name: | Element |
Value: 00 | |||
Executable files
2
Suspicious files
0
Text files
742
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2340 | svchost.exe | C:\Users\admin\Desktop\cumarts.rtf | text | |
MD5:5E2F3B44447BEF4DE009B348C49369F1 | SHA256:3912A3D215ED428E413890C16EC311DEAA10EC94646F52E2243AC3E96BF8C965 | |||
| 2340 | svchost.exe | C:\Users\admin\Desktop\read_it.txt | text | |
MD5:812EC941510ADB725FF56EE9739B6E16 | SHA256:16B425A9FCE7195ACB3E4A76A0453786ECC3D3D9AB2F962BFEAA8C7348177613 | |||
| 3864 | svhost.exe | C:\Users\admin\AppData\Roaming\svchost.exe | executable | |
MD5:DDFB084744E61A11E2A606C38D539A04 | SHA256:A630D40C8A30D79629F46BD0BBF130D261AC0D3FDC450E02BD6E41273B11A7B0 | |||
| 2340 | svchost.exe | C:\Users\admin\Desktop\funare.png | text | |
MD5:596D1A52DBB34A0E323E1D5DBE053552 | SHA256:826656B89507997FE3331777A0D08D9ADEE65CE29A94DEF524181A6183EB4DB7 | |||
| 2340 | svchost.exe | C:\Users\admin\Desktop\cumarts.rtf.wozv | text | |
MD5:5E2F3B44447BEF4DE009B348C49369F1 | SHA256:3912A3D215ED428E413890C16EC311DEAA10EC94646F52E2243AC3E96BF8C965 | |||
| 2340 | svchost.exe | C:\Users\admin\Desktop\desktop.ini | text | |
MD5:AF33B732407B1C596DC4D541FDF654D7 | SHA256:F3643D8EA61DD1A04A9AB4E5412746A102D9E371E149AFA8D1501EB3EECB3AE8 | |||
| 2340 | svchost.exe | C:\Users\admin\Desktop\funare.png.o4mf | text | |
MD5:596D1A52DBB34A0E323E1D5DBE053552 | SHA256:826656B89507997FE3331777A0D08D9ADEE65CE29A94DEF524181A6183EB4DB7 | |||
| 2340 | svchost.exe | C:\Users\admin\Desktop\packageskit.png | text | |
MD5:1037CEAA55F7EEE13C10885725168CD5 | SHA256:5B51BC465C754CC01A2DD21D68BBBD0195B94D16260E2A7E6612555A4BDBBAE1 | |||
| 2340 | svchost.exe | C:\Users\admin\Desktop\desktop.ini.edt5 | text | |
MD5:AF33B732407B1C596DC4D541FDF654D7 | SHA256:F3643D8EA61DD1A04A9AB4E5412746A102D9E371E149AFA8D1501EB3EECB3AE8 | |||
| 2340 | svchost.exe | C:\Users\admin\Desktop\regularoverall.rtf.vey0 | text | |
MD5:750170BACE39B3C0B9D3080F8EC58B0F | SHA256:5E0A8153DB67DF28D96D669ED638809D7FF96926AB48777AD10F891D2DCBA4B6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
14
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1364 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4a04df141ef4d66e | unknown | — | — | — |
1392 | sipnotify.exe | HEAD | 200 | 88.221.61.151:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133529142584370000 | unknown | — | — | — |
1080 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6f7f6d4d39b704f5 | unknown | — | — | — |
1364 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.01 Kb | — |
1364 | svchost.exe | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | binary | 814 b | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1392 | sipnotify.exe | 88.221.61.151:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | DE | unknown |
1364 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
1364 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | unknown |
1364 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
1364 | svchost.exe | 72.246.169.155:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
1080 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
query.prod.cms.rt.microsoft.com |
| unknown |
settings-win.data.microsoft.com |
| unknown |
ctldl.windowsupdate.com |
| unknown |
crl.microsoft.com |
| unknown |
www.microsoft.com |
| unknown |