| File name: | svchost.com |
| Full analysis: | https://app.any.run/tasks/88f2d33c-ea5d-4ace-bac7-cfbf71675f61 |
| Verdict: | Malicious activity |
| Analysis date: | November 02, 2023, 08:26:43 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 3ED261B944F50178CE2118944BA45091 |
| SHA1: | 4D194A1247E8B6A4EB13FD6E226F5F0FE542D24C |
| SHA256: | B462D28AE1F49B389D1DF0213EAFC75DAF2CE681DB989A363348D7F19379C02B |
| SSDEEP: | 384:SDpQDo1l3aNNnGNpozpIU59b4w9HI5k8QVdwOPlzl9tOpNukRznNoglTGtAzOQaK:y33aLN5ayo5koOBlHkRzkKOQdJya4 |
| .exe | | | Win32 Executable Borland Delphi 6 (93.8) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (2.3) |
| .exe | | | Win32 Executable (generic) (1.6) |
| .exe | | | Win16/32 Executable Delphi generic (0.7) |
| .exe | | | Generic Win/DOS Executable (0.7) |
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:20 00:22:17+02:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 29696 |
| InitializedDataSize: | 10752 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x80e4 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2700 | "C:\Users\admin\AppData\Local\Temp\svchost.com.exe" | C:\Users\admin\AppData\Local\Temp\svchost.com.exe | | explorer.exe |

User: admin | Integrity Level: MEDIUM | Exit code: 0

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2700 | svchost.com.exe | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | executable | 65A72808A474811FF439C654E7203377 | 1AEC048DC0125C3E0066887A8E4E0A74EAEB08291AA0E72DA22EFE8E8C4411F4 |
| 2700 | svchost.com.exe | C:\Users\admin\AppData\Local\Temp\tmp5023.tmp | binary | 67CAF7CDE43BD4F73D237C72487A4E5B | 1F19AA1D6DBAAE9B83386B79A2993B636B63B5BFD1FFCECBAFF015B43FB8B214 |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 324 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1956 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |