03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3

General

Target

03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
Size

1.1MB
MD5

c249482b38f979360a63e4b62e60f25e
SHA1

ac49a78a6cb38fe665ae99499936adb25f40d029
SHA256

03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3
SHA512

d631b2219fcc344eda0cabe5ca3aa637c54e801ff57916323e076a38cb3bc1cbf5b76a2da07264562dcdef21d41bfeebe6f185be470e2be650fbf3b16fac10cb
SSDEEP

24576:aH0dl8myX9BgT2QoXFkrzkmmlSgRZbo0lG4Z8r7Qfbkiu5QG:a1aClSQlG4ZM7QzM5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchcst.exeWScript.exesvchcst.exeWScript.exeWScript.exe03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1480 svchcst.exe
Executes dropped EXE 4 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid process

1480 svchcst.exe
3244 svchcst.exe
3336 svchcst.exe
2532 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1480	svchcst.exe

pid	process
1480	svchcst.exe
3244	svchcst.exe
3336	svchcst.exe
2532	svchcst.exe

Modifies registry class 7 IoCs

Processes:

WScript.exesvchcst.exeWScript.exeWScript.exe03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exeWScript.exesvchcst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exesvchcst.exe

pid	process
2872	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
2872	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe

pid process

2872 03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2872	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
2872	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
1480	svchcst.exe
1480	svchcst.exe
3244	svchcst.exe
3244	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
3336	svchcst.exe
3336	svchcst.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 2872 wrote to memory of 4588	2872	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe	WScript.exe
PID 2872 wrote to memory of 4588	2872	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe	WScript.exe
PID 2872 wrote to memory of 4588	2872	03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe	WScript.exe
PID 4588 wrote to memory of 1480	4588	WScript.exe	svchcst.exe
PID 4588 wrote to memory of 1480	4588	WScript.exe	svchcst.exe
PID 4588 wrote to memory of 1480	4588	WScript.exe	svchcst.exe
PID 1480 wrote to memory of 632	1480	svchcst.exe	WScript.exe
PID 1480 wrote to memory of 632	1480	svchcst.exe	WScript.exe
PID 1480 wrote to memory of 632	1480	svchcst.exe	WScript.exe
PID 1480 wrote to memory of 3856	1480	svchcst.exe	WScript.exe
PID 1480 wrote to memory of 3856	1480	svchcst.exe	WScript.exe
PID 1480 wrote to memory of 3856	1480	svchcst.exe	WScript.exe
PID 3856 wrote to memory of 3244	3856	WScript.exe	svchcst.exe
PID 3856 wrote to memory of 3244	3856	WScript.exe	svchcst.exe
PID 3856 wrote to memory of 3244	3856	WScript.exe	svchcst.exe
PID 3244 wrote to memory of 3968	3244	svchcst.exe	WScript.exe
PID 3244 wrote to memory of 3968	3244	svchcst.exe	WScript.exe
PID 3244 wrote to memory of 3968	3244	svchcst.exe	WScript.exe
PID 3244 wrote to memory of 3532	3244	svchcst.exe	WScript.exe
PID 3244 wrote to memory of 3532	3244	svchcst.exe	WScript.exe
PID 3244 wrote to memory of 3532	3244	svchcst.exe	WScript.exe
PID 3968 wrote to memory of 3336	3968	WScript.exe	svchcst.exe
PID 3968 wrote to memory of 3336	3968	WScript.exe	svchcst.exe
PID 3968 wrote to memory of 3336	3968	WScript.exe	svchcst.exe
PID 3532 wrote to memory of 2532	3532	WScript.exe	svchcst.exe
PID 3532 wrote to memory of 2532	3532	WScript.exe	svchcst.exe
PID 3532 wrote to memory of 2532	3532	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe
"C:\Users\Admin\AppData\Local\Temp\03b8b00e812f1f3fd75fffea2e3aa99f6595ca71aa5708aa0060ce1e7a61b8a3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4588

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
PID:632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3856

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3336

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
a3b1a2435db9006df38c9e78df96e2f2

SHA1
a8a6d302d102686610f54547bdf0245b177a752f

SHA256
8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

SHA512
fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
5944253330670b09abe9d9ede2b491f9

SHA1
1b2cf0452e2d16f9c10a034c3c4bcf0c6ee7f6a5

SHA256
38050adff6b28333d562e7bfe498bb007881a1cd48cac8b11537258358a68477

SHA512
ca6d57851fb874077676b9b560b5706ef2a103c3ce26e98b2e121645b33c372bff832837bffcc8a702e534d12f2151846495a52fa412f86e3c3032cf399faddd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
05b07077ea5303bb25a68f9bbe203bd0

SHA1
6c0dab742516de3479353a117521fc898e905028

SHA256
839d731d909d3e3d8014dc85bed55a28e571a2d0cd5677f5937d55d4dfc7624b

SHA512
47c037f4b00647594c26c1f5e179a2105de7fc5088b633a95cea541901905891911f88e7c9cde4da3d9b658394aef137d48ca904f6ffb100da03f507ac6202b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
dd592667345e395c6cb0a181bfe73479

SHA1
2ee5ad1cb02969d5eba9e40489f71220da155dde

SHA256
e479dc966e9cf9752ee217246de16392f92a25778f57e6b2d7f40fb0037c2a3b

SHA512
274d4ad595998adcba931c776971efac4f660a4e1c3ee612cc25174029372a122bb4cace20edee6d84be4c44ff52c3aa006b6ef926f4c475bc72896f96dcc9ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
ed5ef1fefa7d395c902490e303359cea

SHA1
071ec82cf9524d5d619d9084ec4c3f55b3fb7a6b

SHA256
8a96c3194e64287ce2cdaa839b0d823f391544fcfee46156707c73d523fd0db9

SHA512
2844608b4f702af84b23a389debddb05f38e2d69905ffd2b61106cafde15a473567d7899fe284fd121241015308070eadae6c37481a0e36b48be01ce19e83f5d

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1480-13-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1480-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2532-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2532-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2872-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2872-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3244-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3336-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3336-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads