3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 08:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe
Size

1.1MB
MD5

4c8f6b4e6cc6d938861516634fc09d6d
SHA1

c087798109c8a308aaf64262d69933f08c3361e5
SHA256

3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f
SHA512

9730bf9a9940c4975634f770c1fd1280f939808c806dece9c29cc4c8924a58ce3280967d45484bd6ec34e34a3abda080455007ca80a6d5ac9c490fff6e938c9a
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRS:g5ApamAUAQ/lG4lBmFAvZS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1712	svchcst.exe
4640	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe
1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe
1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe
1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe
1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe
1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe
1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe
1712	svchcst.exe
1712	svchcst.exe
4640	svchcst.exe
4640	svchcst.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 1464	1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe	83
PID 1128 wrote to memory of 1464	1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe	83
PID 1128 wrote to memory of 1464	1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe	83
PID 1128 wrote to memory of 1484	1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe	82
PID 1128 wrote to memory of 1484	1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe	82
PID 1128 wrote to memory of 1484	1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe	82
PID 1128 wrote to memory of 4700	1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe	84
PID 1128 wrote to memory of 4700	1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe	84
PID 1128 wrote to memory of 4700	1128	3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe	84
PID 1484 wrote to memory of 1712	1484	WScript.exe	91
PID 1484 wrote to memory of 1712	1484	WScript.exe	91
PID 1484 wrote to memory of 1712	1484	WScript.exe	91
PID 1464 wrote to memory of 4640	1464	WScript.exe	90
PID 1464 wrote to memory of 4640	1464	WScript.exe	90
PID 1464 wrote to memory of 4640	1464	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe
"C:\Users\Admin\AppData\Local\Temp\3fe031b70d06316e2a9d4224fb1345d81aee91c2b81afbe8b7ab484da93be25f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
686a5c8a70e9d56aed4635616c40d07f

SHA1
4fe15351f9c1739468f5ae709ce54eafc44d94ea

SHA256
87b023e05799cabdf0153bbe4fd524a10c00012a4ecbe1c5adab0b8fcee4647f

SHA512
3060819fadedfd4cd58023bc9e55c24475dc70211d421af7ed9b9aa593f6fcdf9883058c9908b8d443c588a7549d846ca82fbd12ba868a137bf4408ac70166a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
686a5c8a70e9d56aed4635616c40d07f

SHA1
4fe15351f9c1739468f5ae709ce54eafc44d94ea

SHA256
87b023e05799cabdf0153bbe4fd524a10c00012a4ecbe1c5adab0b8fcee4647f

SHA512
3060819fadedfd4cd58023bc9e55c24475dc70211d421af7ed9b9aa593f6fcdf9883058c9908b8d443c588a7549d846ca82fbd12ba868a137bf4408ac70166a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
da0e6bfbd5c8a3d4b209e0754d74f1ed

SHA1
c42b543246b865c35ce3e9a539396a8e9787c5fc

SHA256
745cef21b2efc9aac3636aa884fd5a12b1f98eeb44290776aff3066f2f9b4707

SHA512
64a45637be72e90ec81af670b4fbade92f25164ced5a5ef42424b72784386d5d4b1a3d7537164da45297f53d3c962724f31e5e0046dff38b20a2511aa13ecf26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
da0e6bfbd5c8a3d4b209e0754d74f1ed

SHA1
c42b543246b865c35ce3e9a539396a8e9787c5fc

SHA256
745cef21b2efc9aac3636aa884fd5a12b1f98eeb44290776aff3066f2f9b4707

SHA512
64a45637be72e90ec81af670b4fbade92f25164ced5a5ef42424b72784386d5d4b1a3d7537164da45297f53d3c962724f31e5e0046dff38b20a2511aa13ecf26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
da0e6bfbd5c8a3d4b209e0754d74f1ed

SHA1
c42b543246b865c35ce3e9a539396a8e9787c5fc

SHA256
745cef21b2efc9aac3636aa884fd5a12b1f98eeb44290776aff3066f2f9b4707

SHA512
64a45637be72e90ec81af670b4fbade92f25164ced5a5ef42424b72784386d5d4b1a3d7537164da45297f53d3c962724f31e5e0046dff38b20a2511aa13ecf26

Download Submit