03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3

Analysis

max time kernel
90s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
Size

1.1MB
MD5

c249482b38f979360a63e4b62e60f25e
SHA1

ac49a78a6cb38fe665ae99499936adb25f40d029
SHA256

03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3
SHA512

d631b2219fcc344eda0cabe5ca3aa637c54e801ff57916323e076a38cb3bc1cbf5b76a2da07264562dcdef21d41bfeebe6f185be470e2be650fbf3b16fac10cb
SSDEEP

24576:aH0dl8myX9BgT2QoXFkrzkmmlSgRZbo0lG4Z8r7Qfbkiu5QG:a1aClSQlG4ZM7QzM5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2412 svchcst.exe

Executes dropped EXE 17 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2412	svchcst.exe
1532	svchcst.exe
1812	svchcst.exe
2328	svchcst.exe
512	svchcst.exe
1704	svchcst.exe
1032	svchcst.exe
2956	svchcst.exe
2800	svchcst.exe
2936	svchcst.exe
2704	svchcst.exe
1412	svchcst.exe
1704	svchcst.exe
2944	svchcst.exe
2908	svchcst.exe
804	svchcst.exe
2300	svchcst.exe

Loads dropped DLL 22 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
3068	WScript.exe
3068	WScript.exe
2992	WScript.exe
2992	WScript.exe
1984	WScript.exe
1984	WScript.exe
2056	WScript.exe
2056	WScript.exe
2056	WScript.exe
2056	WScript.exe
1224	WScript.exe
2636	WScript.exe
1532	WScript.exe
1532	WScript.exe
1972	WScript.exe
2084	WScript.exe
2176	WScript.exe
2176	WScript.exe
3016	WScript.exe
3016	WScript.exe
1740	WScript.exe
1740	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exesvchcst.exesvchcst.exe

pid	process
1908	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
1908	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
1812	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe

pid process

1908 03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe

Suspicious use of SetWindowsHookEx 36 IoCs

Processes:

03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
1908	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
1908	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
2412	svchcst.exe
2412	svchcst.exe
1532	svchcst.exe
1532	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
512	svchcst.exe
512	svchcst.exe
1704	svchcst.exe
1704	svchcst.exe
1032	svchcst.exe
1032	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1704	svchcst.exe
1704	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2908	svchcst.exe
2908	svchcst.exe
804	svchcst.exe
804	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exeWScript.exeWScript.exesvchcst.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exesvchcst.exesvchcst.exe

description	pid	process	target process
PID 1908 wrote to memory of 3068	1908	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe	WScript.exe
PID 1908 wrote to memory of 3068	1908	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe	WScript.exe
PID 1908 wrote to memory of 3068	1908	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe	WScript.exe
PID 1908 wrote to memory of 3068	1908	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe	WScript.exe
PID 1908 wrote to memory of 2992	1908	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe	WScript.exe
PID 1908 wrote to memory of 2992	1908	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe	WScript.exe
PID 1908 wrote to memory of 2992	1908	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe	WScript.exe
PID 1908 wrote to memory of 2992	1908	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe	WScript.exe
PID 3068 wrote to memory of 2412	3068	WScript.exe	svchcst.exe
PID 3068 wrote to memory of 2412	3068	WScript.exe	svchcst.exe
PID 3068 wrote to memory of 2412	3068	WScript.exe	svchcst.exe
PID 3068 wrote to memory of 2412	3068	WScript.exe	svchcst.exe
PID 2992 wrote to memory of 1532	2992	WScript.exe	svchcst.exe
PID 2992 wrote to memory of 1532	2992	WScript.exe	svchcst.exe
PID 2992 wrote to memory of 1532	2992	WScript.exe	svchcst.exe
PID 2992 wrote to memory of 1532	2992	WScript.exe	svchcst.exe
PID 2412 wrote to memory of 1512	2412	svchcst.exe	WScript.exe
PID 2412 wrote to memory of 1512	2412	svchcst.exe	WScript.exe
PID 2412 wrote to memory of 1512	2412	svchcst.exe	WScript.exe
PID 2412 wrote to memory of 1512	2412	svchcst.exe	WScript.exe
PID 2992 wrote to memory of 1812	2992	WScript.exe	svchcst.exe
PID 2992 wrote to memory of 1812	2992	WScript.exe	svchcst.exe
PID 2992 wrote to memory of 1812	2992	WScript.exe	svchcst.exe
PID 2992 wrote to memory of 1812	2992	WScript.exe	svchcst.exe
PID 1812 wrote to memory of 1984	1812	svchcst.exe	WScript.exe
PID 1812 wrote to memory of 1984	1812	svchcst.exe	WScript.exe
PID 1812 wrote to memory of 1984	1812	svchcst.exe	WScript.exe
PID 1812 wrote to memory of 1984	1812	svchcst.exe	WScript.exe
PID 1984 wrote to memory of 2328	1984	WScript.exe	svchcst.exe
PID 1984 wrote to memory of 2328	1984	WScript.exe	svchcst.exe
PID 1984 wrote to memory of 2328	1984	WScript.exe	svchcst.exe
PID 1984 wrote to memory of 2328	1984	WScript.exe	svchcst.exe
PID 2328 wrote to memory of 2056	2328	svchcst.exe	WScript.exe
PID 2328 wrote to memory of 2056	2328	svchcst.exe	WScript.exe
PID 2328 wrote to memory of 2056	2328	svchcst.exe	WScript.exe
PID 2328 wrote to memory of 2056	2328	svchcst.exe	WScript.exe
PID 1984 wrote to memory of 512	1984	WScript.exe	svchcst.exe
PID 1984 wrote to memory of 512	1984	WScript.exe	svchcst.exe
PID 1984 wrote to memory of 512	1984	WScript.exe	svchcst.exe
PID 1984 wrote to memory of 512	1984	WScript.exe	svchcst.exe
PID 2056 wrote to memory of 1704	2056	WScript.exe	svchcst.exe
PID 2056 wrote to memory of 1704	2056	WScript.exe	svchcst.exe
PID 2056 wrote to memory of 1704	2056	WScript.exe	svchcst.exe
PID 2056 wrote to memory of 1704	2056	WScript.exe	svchcst.exe
PID 512 wrote to memory of 1128	512	svchcst.exe	WScript.exe
PID 512 wrote to memory of 1128	512	svchcst.exe	WScript.exe
PID 512 wrote to memory of 1128	512	svchcst.exe	WScript.exe
PID 512 wrote to memory of 1128	512	svchcst.exe	WScript.exe
PID 2056 wrote to memory of 1032	2056	WScript.exe	svchcst.exe
PID 2056 wrote to memory of 1032	2056	WScript.exe	svchcst.exe
PID 2056 wrote to memory of 1032	2056	WScript.exe	svchcst.exe
PID 2056 wrote to memory of 1032	2056	WScript.exe	svchcst.exe
PID 1032 wrote to memory of 856	1032	svchcst.exe	WScript.exe
PID 1032 wrote to memory of 856	1032	svchcst.exe	WScript.exe
PID 1032 wrote to memory of 856	1032	svchcst.exe	WScript.exe
PID 1032 wrote to memory of 856	1032	svchcst.exe	WScript.exe
PID 2056 wrote to memory of 2956	2056	WScript.exe	svchcst.exe
PID 2056 wrote to memory of 2956	2056	WScript.exe	svchcst.exe
PID 2056 wrote to memory of 2956	2056	WScript.exe	svchcst.exe
PID 2056 wrote to memory of 2956	2056	WScript.exe	svchcst.exe
PID 2956 wrote to memory of 1224	2956	svchcst.exe	WScript.exe
PID 2956 wrote to memory of 1224	2956	svchcst.exe	WScript.exe
PID 2956 wrote to memory of 1224	2956	svchcst.exe	WScript.exe
PID 2956 wrote to memory of 1224	2956	svchcst.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
"C:\Users\Admin\AppData\Local\Temp\03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
PID:1512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
PID:856

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
PID:1224

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
PID:2636

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2936

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
PID:1532

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
PID:1972

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:2084

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:2176

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
PID:268

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:3016

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:1740

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
PID:2564

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
PID:2812

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
PID:2436

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
PID:2648

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
PID:2036

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
PID:2188

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
PID:1532

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
PID:980

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
PID:1016

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
PID:1652

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
PID:3020

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
PID:1528

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
PID:2740

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
PID:2704

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
PID:1128

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
b43cc190210c9c6b2742cc52bd8296bc

SHA1
5476b0b4ca6b80be460b3e183f51d50599750324

SHA256
0081c1fe196153e4e7651f0c4a3888bda7623ba8f76218b8df10dc5147d778c0

SHA512
dee2b38b2222020a8fdf2bb241461b3e58978761cfa4c2099184badfc7a98d4acdd0f75d9417a94928a62da7f7c10e9cc04546636e88004897dd3c73cabeed27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
5d0d203da02edb604545d3d826c88b42

SHA1
9be0cfd40b48d4e6041e00827047a8b0d877d4a1

SHA256
5f341c2f1ff381eecedbf6fcbe549724323c30c05728132a98ea55f607bc3e81

SHA512
a3e01552a9576ba8dd9aa9f65211f74a69588a316d984b8887e740c6c174e19df2056dc0138d5af26bd927e192ec2c7d355fc8b4092e30d55de910e932fbd49f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
a28791ebea83786bb5889ef857a9e493

SHA1
0c7cc3d05c844d5edd4535fbd48d2c73b2764630

SHA256
ad8607d9518b14cf6e9f567194700afa64c424bbe7da5b1819babbc7678a98bf

SHA512
d357643579f32de1c3f28b9d717d4d82a91d2ae25014a2ab52c0b6340ea577c31386cfa7901694f47889e5966ab11ff6888ae19a8602f812d2484827295d12ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
99d4a7c0026926b7f6d5850eac3b314e

SHA1
25a4a7897212dd642a996f05b093ed9781c0103c

SHA256
7cd6cda9d6242c9504f0c960c6bcd190a2d1f863e2fd49cfe28ca84e9d9be44e

SHA512
3905ac0babec1119523fe6a3277197524efcfd92335b268c500caed21aab1371d5943b7f9b8eb9bb33f1c6bb1b283be5b4ab625411540c1edef3667383c0731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
d6aef0b19d7d8dc2eda464cf358007b7

SHA1
c271fa23eee2c534cc862f7575df47f660c94d27

SHA256
70965d19e9afccec497ac21e98bfea9be46cf5df938982b3d19e6295aab3bb1d

SHA512
c547f50069f9f97dd9877bdb529f4ed49f9761d5cab1ff703e5185a6071e7591b98237834c6bd386b68b9c6504b76bdc581bf17a6fcef94e74b1483d47cf764a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
bdff210bf33c9ed5f2b10773c8c98ff5

SHA1
fc4fbaca4c7f23506dc792dec89e640050ad62e9

SHA256
900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

SHA512
45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
8364c7b31d7cc2ff033d43e692633d35

SHA1
8c51dd902e1739104aff48093aecb669522fea1f

SHA256
7ac0c74de647ef78ef6fffba49310f3c9c1b7d9ad19121d3502ec03c6e412a42

SHA512
0615c03be93f2b8cadfa7f0fca0ec6a790728d61980a9cd5edc372c99d3d73c5bdd1e6abfc055d4bd7ff2a2aa67f6fd5221c0d0479e33ac6736522fdc0572571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
d6998fa6acf02bf81ca3b787bf2aac86

SHA1
c3c08503b40c243120c2815bec43823d1457c93f

SHA256
5f2a7d05a52819de3a4caa28c4b355ca484eea50de6ed9ce8078d244de25e365

SHA512
068536d1ae495d6610534c4536f6024b33bac2e935cb37f99668affefcb8d1fcd8c420e150b6e5807a58157eec83b24cc9017e7cb7b597a7523decdfbaf2a8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
c0a2d224c1eedcb03cf465337c383a04

SHA1
574453083fa1ae95d533734d9501ff0a47180a0e

SHA256
c71da3f4f1810c50977a1ee263bdc52b99a71d3b7eab979a20322da4213db99f

SHA512
b9bf8b21740d213bdeaa577bb6e11d45422db175d984e953b2d0ded20626b520e6124e9daea976e1e3f649d2ff46b47abe1a9e27890b0610a977fcb34ea737de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
088cc2f307a1f57bb6da611a48be5a14

SHA1
d2ff50885bbb8ace6ec8c80429919a837a371c44

SHA256
3f8af81209bf2c4386a8c79e5e401d3d4786242fcbf4ace21138a25cca039e77

SHA512
6bbe690414379ebc052f7ca3e135d7865d666282cf2478545abb2583ca4d88c2399e00f5abfd4917c93c0cfe366f4bd97fa4505c72c181ee7604afce6c8a602a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
6687a404564e913260773eaf52bda384

SHA1
2167403a21d63a8ae04afd232ef1766a76dee89a

SHA256
82e29daf64f1b69f7c403c0e945fa28ff792c0f934168560556e109d3fa0b430

SHA512
866b40c2ee2e9f5d9c506b0926782ef2da70a10e140fc12bfc6634b5ce024ea66ccd24e938b53209cb9a1b975622c178cb6345e6f91162e2fdb5e987e223ee6f

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/512-58-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/512-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/804-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/804-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/980-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/980-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1032-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1032-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1412-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1412-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1528-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-233-0x0000000004FF0000-0x000000000514F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-128-0x0000000004FC0000-0x000000000511F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-127-0x0000000004FC0000-0x000000000511F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-234-0x0000000004FF0000-0x000000000514F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1704-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1704-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1704-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1740-190-0x0000000003C50000-0x0000000003DAF000-memory.dmp

Filesize
1.4MB

Download
memory/1740-189-0x0000000003C50000-0x0000000003DAF000-memory.dmp

Filesize
1.4MB

Download
memory/1812-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1812-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-144-0x0000000005200000-0x000000000535F000-memory.dmp

Filesize
1.4MB

Download
memory/1984-45-0x0000000004000000-0x000000000415F000-memory.dmp

Filesize
1.4MB

Download
memory/1984-56-0x0000000003FF0000-0x000000000414F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-221-0x0000000003BF0000-0x0000000003D4F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-222-0x0000000003BF0000-0x0000000003D4F000-memory.dmp

Filesize
1.4MB

Download
memory/2056-64-0x0000000005140000-0x000000000529F000-memory.dmp

Filesize
1.4MB

Download
memory/2056-87-0x0000000005350000-0x00000000054AF000-memory.dmp

Filesize
1.4MB

Download
memory/2056-73-0x0000000005300000-0x000000000545F000-memory.dmp

Filesize
1.4MB

Download
memory/2084-155-0x0000000003CF0000-0x0000000003E4F000-memory.dmp

Filesize
1.4MB

Download
memory/2176-171-0x0000000005440000-0x000000000559F000-memory.dmp

Filesize
1.4MB

Download
memory/2176-159-0x00000000052D0000-0x000000000542F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2300-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2300-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-209-0x0000000003D20000-0x0000000003E7F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-211-0x0000000003D20000-0x0000000003E7F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-201-0x0000000003D90000-0x0000000003EEF000-memory.dmp

Filesize
1.4MB

Download
memory/2564-199-0x0000000003D90000-0x0000000003EEF000-memory.dmp

Filesize
1.4MB

Download
memory/2636-112-0x00000000052B0000-0x000000000540F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2704-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2704-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2740-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2740-247-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2812-208-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2812-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2908-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-113-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2956-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2956-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2992-25-0x0000000004EF0000-0x000000000504F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-179-0x0000000005230000-0x000000000538F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-180-0x0000000005230000-0x000000000538F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-241-0x0000000004000000-0x000000000415F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-240-0x0000000004000000-0x000000000415F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-246-0x0000000004000000-0x000000000415F000-memory.dmp

Filesize
1.4MB

Download
memory/3068-16-0x0000000003E70000-0x0000000003FCF000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads