14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31/08/2023, 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
Size

1.1MB
MD5

3ece17e3b35a180a5fcb99893aecd62c
SHA1

5fd3530d5daade8268c031603e079c2870e124a3
SHA256

14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119
SHA512

21de7cc3df004fdffd78391c14b21050991d1808b46e0f7bcece25ed58347c6daf247087fe75969ff714ebf12a3506e5a62d380e82e52d69c364d466f330e1a0
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRv:g5ApamAUAQ/lG4lBmFAvZv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2720	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2720	svchcst.exe
3012	svchcst.exe
2896	svchcst.exe

Loads dropped DLL 6 IoCs

pid	Process
2864	WScript.exe
2864	WScript.exe
780	WScript.exe
780	WScript.exe
524	WScript.exe
524	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2384	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2384	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
2384	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
2720	svchcst.exe
2720	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
2896	svchcst.exe
2896	svchcst.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2864	2384	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	28
PID 2384 wrote to memory of 2864	2384	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	28
PID 2384 wrote to memory of 2864	2384	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	28
PID 2384 wrote to memory of 2864	2384	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	28
PID 2864 wrote to memory of 2720	2864	WScript.exe	30
PID 2864 wrote to memory of 2720	2864	WScript.exe	30
PID 2864 wrote to memory of 2720	2864	WScript.exe	30
PID 2864 wrote to memory of 2720	2864	WScript.exe	30
PID 2720 wrote to memory of 524	2720	svchcst.exe	31
PID 2720 wrote to memory of 524	2720	svchcst.exe	31
PID 2720 wrote to memory of 524	2720	svchcst.exe	31
PID 2720 wrote to memory of 524	2720	svchcst.exe	31
PID 2720 wrote to memory of 780	2720	svchcst.exe	32
PID 2720 wrote to memory of 780	2720	svchcst.exe	32
PID 2720 wrote to memory of 780	2720	svchcst.exe	32
PID 2720 wrote to memory of 780	2720	svchcst.exe	32
PID 780 wrote to memory of 3012	780	WScript.exe	34
PID 780 wrote to memory of 3012	780	WScript.exe	34
PID 780 wrote to memory of 3012	780	WScript.exe	34
PID 780 wrote to memory of 3012	780	WScript.exe	34
PID 524 wrote to memory of 2896	524	WScript.exe	33
PID 524 wrote to memory of 2896	524	WScript.exe	33
PID 524 wrote to memory of 2896	524	WScript.exe	33
PID 524 wrote to memory of 2896	524	WScript.exe	33

C:\Users\Admin\AppData\Local\Temp\14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
"C:\Users\Admin\AppData\Local\Temp\14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:524
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2896
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
9ac80b7c42f98d270e39e21b4dcbbe9c

SHA1
21a4298b2061b2d005c6761aaf06921db241817a

SHA256
a7228cd4108f26ff2d80ec6c8a0841cc3e3fa861d4b836d12a9f1d970354bf94

SHA512
fa73374b7c13a8bc7ddd04405b7662ad56ab8e804a2ffdad99487fd02d95d54013a22a78fd40bb90bbae5f36381e0dda8796106f9be268e92602fb991469294b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5073a2295258ef9e7a16979499092b9f

SHA1
fda475c88dae8f90494f382149a727f73731947e

SHA256
d554efe310ce950fd288daa25afcbbaf553836a613487cba63e1aeb1490d02b1

SHA512
4733c3d57f404d1f4c80baf189c62d688c1f278c9c0d8e5c2a7da8bf4195b9dc61d475c648cb094234dd02fe49289c9b76a91e4d8e3656a95e62bad3e6293e94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5073a2295258ef9e7a16979499092b9f

SHA1
fda475c88dae8f90494f382149a727f73731947e

SHA256
d554efe310ce950fd288daa25afcbbaf553836a613487cba63e1aeb1490d02b1

SHA512
4733c3d57f404d1f4c80baf189c62d688c1f278c9c0d8e5c2a7da8bf4195b9dc61d475c648cb094234dd02fe49289c9b76a91e4d8e3656a95e62bad3e6293e94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b9e02848a61ce0a8a3730bad63264105

SHA1
10c63233c12bcd3ddb64d09ee74d841066f91322

SHA256
2be821d484090a929ce5da8b7aa6a1510ff66ff66ace151708551ebd3b4fb1e4

SHA512
b211b86a2f3479d1028a1d7a22ac2f7a870fa13cef20a7fe91f5f43f114b92e0e4225d95410d242b57f2fd2c6d10fca7f2fcbd576ef93f75ed57f5e156d0b728

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b9e02848a61ce0a8a3730bad63264105

SHA1
10c63233c12bcd3ddb64d09ee74d841066f91322

SHA256
2be821d484090a929ce5da8b7aa6a1510ff66ff66ace151708551ebd3b4fb1e4

SHA512
b211b86a2f3479d1028a1d7a22ac2f7a870fa13cef20a7fe91f5f43f114b92e0e4225d95410d242b57f2fd2c6d10fca7f2fcbd576ef93f75ed57f5e156d0b728

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b9e02848a61ce0a8a3730bad63264105

SHA1
10c63233c12bcd3ddb64d09ee74d841066f91322

SHA256
2be821d484090a929ce5da8b7aa6a1510ff66ff66ace151708551ebd3b4fb1e4

SHA512
b211b86a2f3479d1028a1d7a22ac2f7a870fa13cef20a7fe91f5f43f114b92e0e4225d95410d242b57f2fd2c6d10fca7f2fcbd576ef93f75ed57f5e156d0b728

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5073a2295258ef9e7a16979499092b9f

SHA1
fda475c88dae8f90494f382149a727f73731947e

SHA256
d554efe310ce950fd288daa25afcbbaf553836a613487cba63e1aeb1490d02b1

SHA512
4733c3d57f404d1f4c80baf189c62d688c1f278c9c0d8e5c2a7da8bf4195b9dc61d475c648cb094234dd02fe49289c9b76a91e4d8e3656a95e62bad3e6293e94

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5073a2295258ef9e7a16979499092b9f

SHA1
fda475c88dae8f90494f382149a727f73731947e

SHA256
d554efe310ce950fd288daa25afcbbaf553836a613487cba63e1aeb1490d02b1

SHA512
4733c3d57f404d1f4c80baf189c62d688c1f278c9c0d8e5c2a7da8bf4195b9dc61d475c648cb094234dd02fe49289c9b76a91e4d8e3656a95e62bad3e6293e94

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b9e02848a61ce0a8a3730bad63264105

SHA1
10c63233c12bcd3ddb64d09ee74d841066f91322

SHA256
2be821d484090a929ce5da8b7aa6a1510ff66ff66ace151708551ebd3b4fb1e4

SHA512
b211b86a2f3479d1028a1d7a22ac2f7a870fa13cef20a7fe91f5f43f114b92e0e4225d95410d242b57f2fd2c6d10fca7f2fcbd576ef93f75ed57f5e156d0b728

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b9e02848a61ce0a8a3730bad63264105

SHA1
10c63233c12bcd3ddb64d09ee74d841066f91322

SHA256
2be821d484090a929ce5da8b7aa6a1510ff66ff66ace151708551ebd3b4fb1e4

SHA512
b211b86a2f3479d1028a1d7a22ac2f7a870fa13cef20a7fe91f5f43f114b92e0e4225d95410d242b57f2fd2c6d10fca7f2fcbd576ef93f75ed57f5e156d0b728

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b9e02848a61ce0a8a3730bad63264105

SHA1
10c63233c12bcd3ddb64d09ee74d841066f91322

SHA256
2be821d484090a929ce5da8b7aa6a1510ff66ff66ace151708551ebd3b4fb1e4

SHA512
b211b86a2f3479d1028a1d7a22ac2f7a870fa13cef20a7fe91f5f43f114b92e0e4225d95410d242b57f2fd2c6d10fca7f2fcbd576ef93f75ed57f5e156d0b728

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b9e02848a61ce0a8a3730bad63264105

SHA1
10c63233c12bcd3ddb64d09ee74d841066f91322

SHA256
2be821d484090a929ce5da8b7aa6a1510ff66ff66ace151708551ebd3b4fb1e4

SHA512
b211b86a2f3479d1028a1d7a22ac2f7a870fa13cef20a7fe91f5f43f114b92e0e4225d95410d242b57f2fd2c6d10fca7f2fcbd576ef93f75ed57f5e156d0b728

Download Submit