Windows Analysis Report
svchost(1).exe

Overview

General Information

Sample name: svchost(1).exe
Analysis ID: 1426767
MD5: d9e224acffd36b1c83e8ee2031ccf349
SHA1: 557185cb2cfc025ba795dfe657b13c1509c290aa
SHA256: 82bb0e74c91357fdceaa9bc94ac01448f2a97e0087f7c9d11f08586accd77cf6

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Source: svchost(1).exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: svchost(1).exe Static PE information: certificate valid
Source: svchost(1).exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: svchost.pdb source: svchost(1).exe
Source: Binary string: svchost.pdbUGP source: svchost(1).exe
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B3150 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode, 0_2_004B3150
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B32D0 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,HeapSetInformation,TpAllocTimer,EventRegister,EventSetInformation,GetTickCount64,GetTickCount64,TpSetTimer,NtSetInformationProcess, 0_2_004B32D0
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B2739 ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey, 0_2_004B2739
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B24B0 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx, 0_2_004B24B0
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B2739 0_2_004B2739
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B24B0 0_2_004B24B0
Source: svchost(1).exe, 00000000.00000000.2045451956.00000000004BB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs svchost(1).exe
Source: svchost(1).exe Binary or memory string: OriginalFilenamesvchost.exej% vs svchost(1).exe
Source: classification engine Classification label: clean5.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B3120 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess, 0_2_004B3120
Source: svchost(1).exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\svchost(1).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\svchost(1).exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: svchost(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: svchost(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: svchost(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: svchost(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: svchost(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: svchost(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: svchost(1).exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\svchost(1).exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\svchost(1).exe API coverage: 3.6 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\svchost(1).exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B45C0 mov eax, dword ptr fs:[00000030h] 0_2_004B45C0
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B4FD0 mov eax, dword ptr fs:[00000030h] 0_2_004B4FD0
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B4FD0 mov ecx, dword ptr fs:[00000030h] 0_2_004B4FD0
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B43D0 mov eax, dword ptr fs:[00000030h] 0_2_004B43D0
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B32D0 mov eax, dword ptr fs:[00000030h] 0_2_004B32D0
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B2E20 mov eax, dword ptr fs:[00000030h] 0_2_004B2E20
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B514A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004B514A
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B45C0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,HeapAlloc,InitializeSecurityDescriptor,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,HeapAlloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,CloseHandle,GetLengthSid,AddAccessAllowedAce,GetLengthSid,AddAccessAllowedAce,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,HeapFree,HeapFree, 0_2_004B45C0
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B50B0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004B50B0
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B67D0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status, 0_2_004B67D0
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B6780 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status, 0_2_004B6780
Source: C:\Users\user\Desktop\svchost(1).exe Code function: 0_2_004B6710 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status, 0_2_004B6710
No contacted IP infos