14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
Size

1.1MB
MD5

3ece17e3b35a180a5fcb99893aecd62c
SHA1

5fd3530d5daade8268c031603e079c2870e124a3
SHA256

14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119
SHA512

21de7cc3df004fdffd78391c14b21050991d1808b46e0f7bcece25ed58347c6daf247087fe75969ff714ebf12a3506e5a62d380e82e52d69c364d466f330e1a0
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRv:g5ApamAUAQ/lG4lBmFAvZv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4840	svchcst.exe
456	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe
4840	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
4840	svchcst.exe
4840	svchcst.exe
456	svchcst.exe
456	svchcst.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 4056	2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	82
PID 2880 wrote to memory of 4056	2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	82
PID 2880 wrote to memory of 4056	2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	82
PID 2880 wrote to memory of 3680	2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	83
PID 2880 wrote to memory of 3680	2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	83
PID 2880 wrote to memory of 3680	2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	83
PID 2880 wrote to memory of 3972	2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	84
PID 2880 wrote to memory of 3972	2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	84
PID 2880 wrote to memory of 3972	2880	14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe	84
PID 4056 wrote to memory of 4840	4056	WScript.exe	89
PID 4056 wrote to memory of 4840	4056	WScript.exe	89
PID 4056 wrote to memory of 4840	4056	WScript.exe	89
PID 3972 wrote to memory of 456	3972	WScript.exe	90
PID 3972 wrote to memory of 456	3972	WScript.exe	90
PID 3972 wrote to memory of 456	3972	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe
"C:\Users\Admin\AppData\Local\Temp\14c4106f3a12ea3795823177ade46e8fd81af059dff4d5aa6df863f4bb9f6119.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e20649ae17f1d35c1ada5e011ff49132

SHA1
7bb1dad19bb538b8a4ae4570543610c2761dc694

SHA256
9176c2de5e02bb169cb685e40506209a82deee11def991d12d57f5e8b80f0db5

SHA512
67c2ec86742fead669078b9b832aced9a7566b31a78d23f6d674c4d6d1b241e7c90b8f84cac55c10d41c4736cb9904ef45a66476b6055cf0e8220db9776032fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e20649ae17f1d35c1ada5e011ff49132

SHA1
7bb1dad19bb538b8a4ae4570543610c2761dc694

SHA256
9176c2de5e02bb169cb685e40506209a82deee11def991d12d57f5e8b80f0db5

SHA512
67c2ec86742fead669078b9b832aced9a7566b31a78d23f6d674c4d6d1b241e7c90b8f84cac55c10d41c4736cb9904ef45a66476b6055cf0e8220db9776032fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c8cbda826c4ffa715b14245731599f71

SHA1
c3bf65f403711da5726cfb2015bdbb29bd2109b4

SHA256
50a1cf4f38a01fd0e9bdfa6b84294f00a87092f8ecbd95e5d23b5f9280f588fc

SHA512
1a4968c7d24b45023adadfbd60ebf91812507457ed3be883a1f1b846871045dd26bf953a2e7088b905886e2be1f4de62a2dcf47b394f292f670b0903aec3f87d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c8cbda826c4ffa715b14245731599f71

SHA1
c3bf65f403711da5726cfb2015bdbb29bd2109b4

SHA256
50a1cf4f38a01fd0e9bdfa6b84294f00a87092f8ecbd95e5d23b5f9280f588fc

SHA512
1a4968c7d24b45023adadfbd60ebf91812507457ed3be883a1f1b846871045dd26bf953a2e7088b905886e2be1f4de62a2dcf47b394f292f670b0903aec3f87d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c8cbda826c4ffa715b14245731599f71

SHA1
c3bf65f403711da5726cfb2015bdbb29bd2109b4

SHA256
50a1cf4f38a01fd0e9bdfa6b84294f00a87092f8ecbd95e5d23b5f9280f588fc

SHA512
1a4968c7d24b45023adadfbd60ebf91812507457ed3be883a1f1b846871045dd26bf953a2e7088b905886e2be1f4de62a2dcf47b394f292f670b0903aec3f87d

Download Submit