
Analysis Report svhost.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 147827
Start date: 02.07.2019
Start time: 00:05:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 31s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: svhost.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal84.rans.adwa.evad.winEXE@10/16@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 86.2% (good quality ratio 80.7%)
  • Quality average: 81.8%
  • Quality standard deviation: 29.4%
HCA Information:
  • Successful, ratio: 51%
  • Number of executed functions: 16
  • Number of non-executed functions: 43
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, wermgr.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, VSSVC.exe, svchost.exe

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Detection
Threshold | 84    | 0 - 100 |           | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques listed per tactic column; a number in parentheses is the signature hit count rendered in the matrix cell.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise
Execution: Execution through API (1); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Hidden Files and Directories (1); Startup Items (2); Registry Run Keys / Startup Folder (221); System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Startup Items (2); Process Injection (11); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Masquerading (2); Hidden Files and Directories (1); Software Packing (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); File Deletion (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
Credential Access: Input Capture (1); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: System Time Discovery (1); Process Discovery (3); Security Software Discovery (41); System Service Discovery (1); File and Directory Discovery (2); System Information Discovery (32); Network Sniffing; Network Service Scanning
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Standard Cryptographic Protocol (1); Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svhost.exe | virustotal: Detection: 32%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe | virustotal: Detection: 32%
Source: C:\Windows\System32\svhost.exe | virustotal: Detection: 32%
Multi AV Scanner detection for submitted file
Source: svhost.exe | virustotal: Detection: 32%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.svhost.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 16.1.svhost.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 15.1.svhost.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.1.svhost.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 15.2.svhost.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.3.svhost.exe.1c0000.0.unpack | Joe Sandbox ML: detected
Source: 16.2.svhost.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.2.svhost.exe.400000.0.unpack | Joe Sandbox ML: detected

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_004026C0 FindFirstFileW,FindNextFileW,FindClose, 0_2_004026C0
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_00406940 FindFirstFileW, 0_2_00406940

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: svhost.exe, 00000000.00000002.1005119725.00000000007B0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 0000000C.00000002.810499005.000002A1EDA70000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 0000000C.00000002.810499005.000002A1EDA70000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 0000000C.00000002.810499005.000002A1EDA70000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 0000000C.00000002.810499005.000002A1EDA70000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 0000000C.00000002.810499005.000002A1EDA70000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 0000000C.00000002.810947214.000002A1EDA80000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quietvssadmin delete shadows /all /quietWinSta0\DefaultmS
Source: vssadmin.exe, 0000000C.00000002.810947214.000002A1EDA80000.00000004.00000020.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 0000000C.00000002.810947214.000002A1EDA80000.00000004.00000020.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet)S
Source: vssadmin.exe, 0000000C.00000002.829244883.000002A1EDD15000.00000004.00000040.sdmp | Binary or memory string: vssadmindeleteshadows/all/quiet
May disable shadow drive data (uses vssadmin)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\Windows\System32\svhost.exe
Creates mutexes
Source: C:\Users\user\Desktop\svhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\syncronize_17G9M5U
Source: C:\Users\user\Desktop\svhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\syncronize_17G9M5A
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_01
Detected potential crypto function
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_004034C0
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_00403AE0
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_00405F30
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_004056D6
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00401800
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_0042096F
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_004201C7
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_0041E9CE
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_004281CD
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_0040F99D
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00426A27
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00422A2E
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00410B51
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_0042333A
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00423BA4
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00401490
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_0041F4AB
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00415DB4
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00414606
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00409F40
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_0042376F
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00408F0E
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00422F22
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_0041EF39
Found potential string decryption / allocating functions
Source: C:\Windows\System32\svhost.exe | Code function: String function: 00408A00 appears 43 times
Source: C:\Windows\System32\svhost.exe | Code function: String function: 0040AA33 appears 33 times
PE file contains strange resources
Source: svhost.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe0.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe0.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe0.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe0.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe0.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe0.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe1.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe1.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe1.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe1.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe1.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svhost.exe1.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: svhost.exe, 00000000.00000002.1022611642.00000000045F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs svhost.exe
Source: svhost.exe, 00000000.00000002.1004902110.00000000005D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamempr.dll.muij% vs svhost.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\svhost.exe | File read: C:\Users\user\Desktop\svhost.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\svhost.exe | Section loaded: wow64log.dll
Source: C:\Windows\System32\svhost.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe | Section loaded: wow64log.dll
Yara signature match
Source: 0.2.svhost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Binary contains paths to development resources
Source: svhost.exe, 00000000.00000003.760024694.0000000000883000.00000004.00000001.sdmp | Binary or memory string: af;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw
Source: svhost.exe, 00000000.00000003.987426288.0000000004353000.00000004.00000001.sdmp | Binary or memory string: .slna0
Source: svhost.exe, 00000000.00000003.716377940.0000000000851000.00000004.00000001.sdmp | Binary or memory string: .slns'
Source: svhost.exe, 00000000.00000003.716370433.0000000000841000.00000004.00000001.sdmp | Binary or memory string: 4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;
Classification label
Source: classification engine | Classification label: mal84.rans.adwa.evad.winEXE@10/16@0/0
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_00407FE0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 0_2_00407FE0
Contains functionality to load and extract PE file embedded resources
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00403160 WaitForSingleObject,GetVolumePathNamesForVolumeNameA,EnumTimeFormatsW,ReplaceFileW,HeapUnlock,GetFirmwareEnvironmentVariableW,SetEnvironmentVariableW,GetCommandLineW,FindResourceA,GetSystemDirectoryA,EnumSystemLocalesW,GetModuleHandleW, 15_2_00403160
Creates files inside the user directory
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe
PE file has an executable .text section and no other executable section
Source: svhost.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\svhost.exe | File read: C:\$Recycle.Bin\S-1-5-18\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\svhost.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: svhost.exe | virustotal: Detection: 32%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\svhost.exe 'C:\Users\user\Desktop\svhost.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\svhost.exe 'C:\Windows\System32\svhost.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe'
Source: C:\Users\user\Desktop\svhost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\vssadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\svhost.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
PE file contains a debug data directory
Source: svhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: C:\husokutima52_sacemey21_wupuxuloretonisivox.pdb98\bin\cinufazux.pdb source: svhost.exe
Source: Binary string: C:\crysis\Release\PDB\payload.pdb source: svhost.exe
Source: Binary string: C:\husokutima52_sacemey21_wupuxuloretonisivox.pdb source: svhost.exe
Source: Binary string: 98\bin\cinufazux.pdb source: svhost.exe
Source: Binary string: .pdb source: svhost.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_004065E0 LoadLibraryA,GetProcAddress, 0_2_004065E0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_007E7D7C push ss; retf 0_2_007E7D8B
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_007E730B pushfd ; ret 0_2_007E730C
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_007E83F6 push ds; ret 0_2_007E83F7
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_007E73D5 push esi; retf 0_2_007E73F5
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00408A45 push ecx; ret 15_2_00408A58
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_0040636D push ecx; ret 15_2_00406380
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00401B80 push ecx; mov dword ptr [esp], ecx 15_2_00401B81

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown | Executable created and started: C:\Windows\System32\svhost.exe
Drops PE files
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svhost.exe
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\Windows\System32\svhost.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svhost.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\Windows\System32\svhost.exe

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\svhost.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svhost.exe
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svhost.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe
Creates an autostart registry key
Source: C:\Users\user\Desktop\svhost.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svhost.exe
Source: C:\Users\user\Desktop\svhost.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svhost.exe

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself
Source: C:\Users\user\Desktop\svhost.exe | File created: C:\$Recycle.Bin\S-1-5-18\desktop.ini.id-3C4E0000.[bigmacbig@cock.li].beets
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_004056D6 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_004056D6

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\svhost.exe | RDTSC instruction interceptor: First address: 4053c6 second address: 4053c6 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-08h], eax 0x00000005 mov dword ptr [ebp-04h], edx 0x00000008 cmp dword ptr [ebp+08h], 00000000h 0x0000000c je 00007F14A86DA71Ah 0x0000000e mov eax, dword ptr [ebp-08h] 0x00000011 mov esp, ebp 0x00000013 pop ebp 0x00000014 ret 0x00000015 add esp, 04h 0x00000018 shr eax, 10h 0x0000001b mov dword ptr [ebp-04h], eax 0x0000001e mov dword ptr [ebp-08h], 00000000h 0x00000025 jmp 00007F14A86DA71Bh 0x00000027 mov eax, dword ptr [ebp-08h] 0x0000002a cmp eax, dword ptr [ebp-04h] 0x0000002d jnl 00007F14A86DA777h 0x0000002f lea ecx, dword ptr [ebp-04h] 0x00000032 push ecx 0x00000033 call 00007F14A86DA4B1h 0x00000038 push ebp 0x00000039 mov ebp, esp 0x0000003b sub esp, 08h 0x0000003e mov dword ptr [ebp-08h], 00000000h 0x00000045 mov dword ptr [ebp-04h], 00000000h 0x0000004c xor ecx, ecx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\svhost.exe | RDTSC instruction interceptor: First address: 4053c6 second address: 4053c6 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-08h], eax 0x00000005 mov dword ptr [ebp-04h], edx 0x00000008 cmp dword ptr [ebp+08h], 00000000h 0x0000000c je 00007F14A88D5DEAh 0x0000000e mov eax, dword ptr [ebp+08h] 0x00000011 mov ecx, dword ptr [ebp-04h] 0x00000014 mov dword ptr [eax], ecx 0x00000016 mov eax, dword ptr [ebp-08h] 0x00000019 mov esp, ebp 0x0000001b pop ebp 0x0000001c ret 0x0000001d add esp, 04h 0x00000020 mov ecx, dword ptr [004186B0h] 0x00000026 xor eax, dword ptr [ecx] 0x00000028 mov edx, dword ptr [004186B0h] 0x0000002e mov dword ptr [edx], eax 0x00000030 mov eax, dword ptr [004186B0h] 0x00000035 mov ecx, dword ptr [eax+04h] 0x00000038 xor ecx, dword ptr [ebp-04h] 0x0000003b mov edx, dword ptr [004186B0h] 0x00000041 mov dword ptr [edx+04h], ecx 0x00000044 push 00000000h 0x00000046 call 00007F14A88D5AC5h 0x0000004b push ebp 0x0000004c mov ebp, esp 0x0000004e sub esp, 08h 0x00000051 mov dword ptr [ebp-08h], 00000000h 0x00000058 mov dwor
Source: C:\Users\user\Desktop\svhost.exe | RDTSC instruction interceptor: First address: 4053c6 second address: 4053c6 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-08h], eax 0x00000005 mov dword ptr [ebp-04h], edx 0x00000008 cmp dword ptr [ebp+08h], 00000000h 0x0000000c je 00007F14A86DA71Ah 0x0000000e mov eax, dword ptr [ebp+08h] 0x00000011 mov ecx, dword ptr [ebp-04h] 0x00000014 mov dword ptr [eax], ecx 0x00000016 mov eax, dword ptr [ebp-08h] 0x00000019 mov esp, ebp 0x0000001b pop ebp 0x0000001c ret 0x0000001d add esp, 04h 0x00000020 mov ecx, dword ptr [004186B0h] 0x00000026 xor eax, dword ptr [ecx] 0x00000028 mov edx, dword ptr [004186B0h] 0x0000002e mov dword ptr [edx], eax 0x00000030 mov eax, dword ptr [004186B0h] 0x00000035 mov ecx, dword ptr [eax+04h] 0x00000038 xor ecx, dword ptr [ebp-04h] 0x0000003b mov edx, dword ptr [004186B0h] 0x00000041 mov dword ptr [edx+04h], ecx 0x00000044 push 00000000h 0x00000046 call 00007F14A86DA3F5h 0x0000004b push ebp 0x0000004c mov ebp, esp 0x0000004e sub esp, 08h 0x00000051 mov dword ptr [ebp-08h], 00000000h 0x00000058 mov dwor
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_004053B0 rdtsc 0_2_004053B0
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\svhost.exe | Code function: EnumServicesStatusExW, 0_2_00406AF0
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\System32\svhost.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_15-18356
Found large amount of non-executed APIs
Source: C:\Windows\System32\svhost.exe | API coverage: 6.5 %
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_004026C0 FindFirstFileW,FindNextFileW,FindClose, 0_2_004026C0
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_00406940 FindFirstFileW, 0_2_00406940
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: svhost.exe, 00000000.00000002.1022611642.00000000045F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svhost.exe, 00000000.00000002.1022611642.00000000045F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svhost.exe, 00000000.00000002.1022611642.00000000045F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svhost.exe, 00000000.00000002.1005356898.0000000000828000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svhost.exe, 00000000.00000002.1022611642.00000000045F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Windows\System32\svhost.exe | API call chain: ExitProcess graph end node graph_15-18357
Queries a list of all running processes
Source: C:\Users\user\Desktop\svhost.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_004053B0 rdtsc 0_2_004053B0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_0040D36B IsDebuggerPresent, 15_2_0040D36B
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_00412E14 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 15_2_00412E14
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_004065E0 LoadLibraryA,GetProcAddress, 0_2_004065E0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_007E56F0 mov eax, dword ptr fs:[00000030h] 0_2_007E56F0
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_007E528B mov eax, dword ptr fs:[00000030h] 0_2_007E528B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\svhost.exe | Code function: 0_2_00406950 GetProcessHeap, 0_2_00406950
Contains functionality to register its own exception handler
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_0040B047 SetUnhandledExceptionFilter, 15_2_0040B047
Source: C:\Windows\System32\svhost.exe | Code function: 15_2_0040B078 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0040B078

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\svhost.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
May try to detect the Windows Explorer process (often used for injection)
Source: svhost.exe, 00000000.00000002.1005572683.0000000000D40000.00000002.00000001.sdmp, svhost.exe, 0000000F.00000002.1006471214.0000000000C90000.00000002.00000001.sdmp, svhost.exe, 00000010.00000002.1007257329.0000000000C20000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: svhost.exe, 00000000.00000002.1005572683.0000000000D40000.00000002.00000001.sdmp, svhost.exe, 0000000F.00000002.1006471214.0000000000C90000.00000002.00000001.sdmp, svhost.exe, 00000010.00000002.1007257329.0000000000C20000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: svhost.exe, 00000000.00000002.1005572683.0000000000D40000.00000002.00000001.sdmp, svhost.exe, 0000000F.00000002.1006471214.0000000000C90000.00000002.00000001.sdmp, svhost.exe, 00000010.00000002.1007257329.0000000000C20000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: svhost.exe, 00000000.00000002.1005572683.0000000000D40000.00000002.00000001.sdmp, svhost.exe, 0000000F.00000002.1006471214.0000000000C90000.00000002.00000001.sdmp, svhost.exe, 00000010.00000002.1007257329.0000000000C20000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
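The process chain in this section (svhost.exe spawning cmd.exe, which runs mode.com and vssadmin.exe) is what a detection rule for shadow-copy destruction keys on. The Python below is an added example for this page, not code from the Joe Sandbox report or from the sample: it scores constructed process-creation events (pids, parent pids and the benign chain are invented; the malicious command lines are the ones shown above) and attributes each hit to the process that issued the command, which is how the behavior graph attaches the vssadmin signature to cmd.exe rather than to vssadmin.exe itself. The wmic shadowcopy and bcdedit rules are generalisations this report does not show; the mode.com switch to code page 1251 (Cyrillic) is weighted low because on its own it is a weak indicator.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / Windows 4688 style fields)."""
    pid: int
    ppid: int
    image: str      # executable file name
    cmdline: str    # full command line


# (rule name, pattern applied to the lower-cased command line, weight).
# vssadmin and mode.com match what this report shows; the wmic and bcdedit
# rules are added generalisations that do not appear in the report.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"), 80),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"), 80),
    ("bcdedit_recovery_tamper",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"), 60),
    ("codepage_switch_1251",
     re.compile(r"\bmode(\.com)?\b.*\bcon\b.*\bcp\b.*\bselect=1251\b"), 20),
]


def lineage(events, pid):
    """Walk ppid links from pid to the root; returns ProcEvents, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def score_events(events):
    """Attribute rule hits to the process that issued each command (the parent)."""
    results = {}
    for e in events:
        cmd = e.cmdline.lower()
        hits = [(name, weight) for name, rx, weight in RULES if rx.search(cmd)]
        if not hits:
            continue
        entry = results.setdefault(e.ppid, {"score": 0, "hits": set(), "chain": ""})
        entry["score"] += sum(w for _, w in hits)
        entry["hits"].update(name for name, _ in hits)
        entry["chain"] = " <- ".join(p.image for p in lineage(events, e.ppid))
    return results


def alerts(events, threshold=80):
    """Return (issuing pid, score, lineage) tuples whose score reaches threshold."""
    return [(pid, r["score"], r["chain"])
            for pid, r in sorted(score_events(events).items())
            if r["score"] >= threshold]


# Constructed sample events modelled on the process tree in this report, plus
# one benign cmd.exe chain; all pids and parent pids are invented.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "svhost.exe", "C:\\Users\\user\\Desktop\\svhost.exe"),
    ProcEvent(300, 200, "cmd.exe", "C:\\Windows\\system32\\cmd.exe"),
    ProcEvent(301, 300, "mode.com", "mode con cp select=1251"),
    ProcEvent(302, 300, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(400, 100, "cmd.exe", "cmd.exe /c dir"),
    ProcEvent(401, 400, "vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for pid, score, chain in alerts(SAMPLE_EVENTS):
        print(f"pid {pid} score {score}: {chain}")
```

Grouping by the issuing parent rather than by the matching child means the two weak-to-strong signals from one shell (code page switch, then shadow deletion) add up to a single alert whose lineage shows the unsigned svhost.exe that launched the shell; the benign chain, which only lists shadows, produces nothing.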

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Windows\System32\svhost.exe; Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,15_2_0042680B
Source: C:\Windows\System32\svhost.exe; Code function: WaitForSingleObject,GetVolumePathNamesForVolumeNameA,EnumTimeFormatsW,ReplaceFileW,HeapUnlock,GetFirmwareEnvironmentVariableW,SetEnvironmentVariableW,GetCommandLineW,FindResourceA,GetSystemDirectoryA,EnumSystemLocalesW,GetModuleHandleW,15_2_00403160
Source: C:\Windows\System32\svhost.exe; Code function: _GetPrimaryLen,EnumSystemLocalesW,15_2_0042626B
Source: C:\Windows\System32\svhost.exe; Code function: EnumSystemLocalesW,15_2_0042620F
Source: C:\Windows\System32\svhost.exe; Code function: _GetPrimaryLen,EnumSystemLocalesW,15_2_004262E8
Source: C:\Windows\System32\svhost.exe; Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,15_2_0042636B
Source: C:\Windows\System32\svhost.exe; Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,15_2_00408C96
Source: C:\Windows\System32\svhost.exe; Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,15_2_004134AF
Source: C:\Windows\System32\svhost.exe; Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,15_2_00426560
Source: C:\Windows\System32\svhost.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,15_2_0042668A
Source: C:\Windows\System32\svhost.exe; Code function: EnumSystemLocalesW,15_2_00413690
Source: C:\Windows\System32\svhost.exe; Code function: GetLocaleInfoW,15_2_00413716
Source: C:\Windows\System32\svhost.exe; Code function: GetLocaleInfoW,_GetPrimaryLen,15_2_00426737
Source: C:\Windows\System32\svhost.exe; Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,15_2_00425F9B
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\svhost.exe; Code function: 15_2_00408411 cpuid 15_2_00408411
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\svhost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\svhost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\svhost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\svhost.exe; Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Windows\System32\svhost.exe; Code function: 15_2_0040D225 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,15_2_0040D225
Contains functionality to query the Windows version
Source: C:\Users\user\Desktop\svhost.exe; Code function: 0_2_004068A0 GetVersion,0_2_004068A0

Behavior Graph

Behavior Graph ID: 147827  Sample: svhost.exe  Startdate: 02/07/2019  Architecture: WINDOWS  Score: 84

Sample-level signatures:
  • Multi AV Scanner detection for dropped file
  • Multi AV Scanner detection for submitted file
  • May disable shadow drive data (uses vssadmin)
  • 3 other signatures

Process tree (numbers in parentheses are the counts the graph shows next to each node):
  svhost.exe (1, 14), started
    Dropped files:
      • C:\Windows\System32\svhost.exe, PE32
      • C:\Users\user\AppData\Roaming\...\svhost.exe, PE32
      • C:\ProgramData\Microsoft\...\svhost.exe, PE32
      • 2 other files (1 malicious)
    Signatures:
      • Creates files in the recycle bin to hide itself
      • Drops PE files to the startup folder
      • Creates an autostart registry key pointing to binary in C:\Windows
      • Tries to detect virtualization through RDTSC time measurements
    cmd.exe (1), started
      Signatures:
        • May disable shadow drive data (uses vssadmin)
        • Deletes shadow drive data (may be related to ransomware)
      conhost.exe, started
      vssadmin.exe (1), started
      mode.com (1), started
  svhost.exe, started
    Signatures:
      • Multi AV Scanner detection for dropped file
  svhost.exe, started

Simulations

Behavior and APIs

Time | Type | Description
00:06:09 | API Interceptor | 3x Sleep call for process: svhost.exe modified
00:06:54 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run svhost.exe C:\Windows\System32\svhost.exe
00:07:15 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe
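Both autostart locations above (an HKLM Run value and a copy in the user's Startup folder) point at a binary named svhost.exe, a one-character impersonation of the legitimate svchost.exe. The Python below is an added example, not part of the report: it takes autostart entries that have already been collected (for instance from Autoruns output; the entries here are constructed from the two lines above plus an invented benign OneDrive entry) and flags name lookalikes of a short, assumed allowlist of system binaries, PE files placed directly in a Startup folder, and entries pointing into System32, the condition the report's own signature "Creates an autostart registry key pointing to binary in C:\Windows" describes.

```python
from dataclasses import dataclass

# Short allowlist of Windows process names that malware commonly imitates
# (assumption: extend this for your own environment).
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "conhost.exe", "dwm.exe", "rundll32.exe",
}


@dataclass
class AutostartEntry:
    location: str    # registry key or startup-folder path
    value_name: str  # registry value name; "" for a startup-folder item
    target: str      # command or file path the entry points to


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character name impersonation."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_name(target):
    """Lower-cased base name of the .exe in a command string, arguments stripped."""
    t = target.strip('"').lower()
    if ".exe" in t:
        t = t.split(".exe", 1)[0] + ".exe"
    return t.replace("\\", "/").rsplit("/", 1)[-1]


def lookalike(name):
    """Return the system binary this name imitates (edit distance 1), else None."""
    if name in SYSTEM_BINARIES:
        return None
    for legit in sorted(SYSTEM_BINARIES):
        if edit_distance(name, legit) == 1:
            return legit
    return None


def assess(entry):
    """Return the findings for one autostart entry; an empty list means nothing notable."""
    findings = []
    target = entry.target.strip('"').lower()
    name = executable_name(entry.target)
    legit = lookalike(name)
    if legit:
        findings.append(f"name {name} is one edit away from {legit}")
    if "\\start menu\\programs\\startup\\" in target and name.endswith(".exe"):
        findings.append("PE file placed directly in a Startup folder")
    if "\\windows\\system32\\" in target:
        # Same condition as the report's signature; verify the file is a signed Microsoft binary.
        findings.append("autostart entry points into C:\\Windows\\System32")
    return findings


# Constructed entries: the two locations from this report plus an invented benign one.
SAMPLE_ENTRIES = [
    AutostartEntry("HKLM64\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                   "svhost.exe", "C:\\Windows\\System32\\svhost.exe"),
    AutostartEntry("C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
                   "", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svhost.exe"),
    AutostartEntry("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                   "OneDrive", "\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"),
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        for finding in assess(entry):
            print(f"{entry.location} [{entry.value_name or 'file'}]: {finding}")
```

The edit-distance check is deliberately strict (exactly one edit) so that it catches svhost/svchost, lsas/lsass and similar near-misses without flagging unrelated short names; a hit on that check alone is enough to pull the file for hashing and signature verification.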

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner
svhost.exe | 32% | virustotal

Dropped Files

Source | Detection | Scanner
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svhost.exe | 32% | virustotal
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe | 32% | virustotal
C:\Windows\System32\svhost.exe | 32% | virustotal

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.svhost.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
16.1.svhost.exe.400000.0.unpack | 100% | Joe Sandbox ML |
15.1.svhost.exe.400000.0.unpack | 100% | Joe Sandbox ML |
0.1.svhost.exe.400000.0.unpack | 100% | Joe Sandbox ML |
15.2.svhost.exe.400000.0.unpack | 100% | Joe Sandbox ML |
0.3.svhost.exe.1c0000.0.unpack | 100% | Joe Sandbox ML |
16.2.svhost.exe.400000.0.unpack | 100% | Joe Sandbox ML |
0.2.svhost.exe.400000.0.unpack | 100% | Joe Sandbox ML |

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

Source | Rule | Description | Author
0.2.svhost.exe.400000.0.unpack | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth
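The rule above matches on the unpacked sample's import hash (imphash), a fingerprint of the names and order of the PE import table rather than of the code itself. The Python below is an added example, not part of this report or of the rule: it reproduces the canonical string an imphash is computed over, using the normalisation pefile applies (module names lower-cased with .dll/.ocx/.sys stripped, symbol names lower-cased, imports by ordinal rendered as ordN). The per-DLL ordinal-to-name table pefile keeps for ws2_32 and oleaut32 is omitted here, an assumption made to keep the example self-contained. The import list is constructed from APIs named in this report's signatures, not read from the sample, so the resulting hash is not the sample's imphash.

```python
import hashlib

# Module-name extensions dropped before hashing (pefile's convention).
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def normalize_module(module):
    """Lower-case the module name and drop a .dll/.ocx/.sys extension."""
    name = module.lower()
    base, _, ext = name.rpartition(".")
    return base if base and ext in STRIPPED_EXTENSIONS else name


def imphash_string(imports):
    """imports: sequence of (module, symbol) in import-table order, where symbol
    is a name (str) or an ordinal (int). Returns the string that gets hashed."""
    parts = []
    for module, symbol in imports:
        # Assumption: ordinal imports become 'ordN'; pefile additionally maps
        # known ws2_32/oleaut32 ordinals to names, which this example omits.
        sym = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        parts.append(f"{normalize_module(module)}.{sym}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string, as a lower-case hex digest."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed import table using APIs that appear in this report's signatures;
# this is not the sample's real import table and USER32 ordinal 7 is invented.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "IsDebuggerPresent"),
    ("KERNEL32.dll", "SetUnhandledExceptionFilter"),
    ("USER32.dll", 7),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Two properties follow from the construction and are worth keeping in mind when reading an imphash-based rule: the hash is order-sensitive, so a relinked build with the same imports in a different order no longer matches, and it only sees the static import table. The sample resolves further APIs at runtime through LoadLibraryA/GetProcAddress (see the "dynamically determine API calls" signature above), and none of those appear in the hash. An imphash match therefore says "built from the same source with the same toolchain and link order", which is corroborating evidence for family attribution, not proof of identical behaviour.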

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context
