532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df

Analysis

max time kernel
128s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2023 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe
Size

1.2MB
MD5

25a79b6583655e562f4fe7b2a71aa98d
SHA1

b2a5777f04e2ee8fe1088ed0f5433efb26396b81
SHA256

532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df
SHA512

3e7792c8dd0cbccd47f44782d55abf8f17e3d7172707bb8096b8a29b8bd1d222a7932fbb42a9ece36438e79424bd59532811f90f8ccbe93b6213a0512b591d51
SSDEEP

24576:vlAzF5dI2vYKWb6Dsq3P3K4XY0esxUAUbwvaoslG45wyvCj8z7mww:voep0hUbSklG45lvMcw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
3476	svchcst.exe
3248	svchcst.exe
3208	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe
4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe
4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe
4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe
4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe
4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe
4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe
3248	svchcst.exe
3248	svchcst.exe
3476	svchcst.exe
3476	svchcst.exe
3208	svchcst.exe
3208	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 3660	4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe	89
PID 4484 wrote to memory of 3660	4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe	89
PID 4484 wrote to memory of 3660	4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe	89
PID 4484 wrote to memory of 888	4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe	88
PID 4484 wrote to memory of 888	4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe	88
PID 4484 wrote to memory of 888	4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe	88
PID 4484 wrote to memory of 64	4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe	90
PID 4484 wrote to memory of 64	4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe	90
PID 4484 wrote to memory of 64	4484	532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe	90
PID 3660 wrote to memory of 3476	3660	WScript.exe	98
PID 3660 wrote to memory of 3476	3660	WScript.exe	98
PID 3660 wrote to memory of 3476	3660	WScript.exe	98
PID 888 wrote to memory of 3248	888	WScript.exe	99
PID 888 wrote to memory of 3248	888	WScript.exe	99
PID 888 wrote to memory of 3248	888	WScript.exe	99
PID 64 wrote to memory of 3208	64	WScript.exe	100
PID 64 wrote to memory of 3208	64	WScript.exe	100
PID 64 wrote to memory of 3208	64	WScript.exe	100

C:\Users\Admin\AppData\Local\Temp\532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe
"C:\Users\Admin\AppData\Local\Temp\532e249a1cbaf533fbb21a913d2947e8f33ad5be8265afe3e2639e14ae4462df.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3476
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
bd126f8bcddd5c28b12307e9a5777e98

SHA1
0860b0cc620fb3949def5ceae8db13d058978b61

SHA256
67dca83b98e30d22aa70980b9fab499a096330d846c7feb68b371c9466c7e7b9

SHA512
9e98de911e1c320ddbea463aa1c6d340551b184d3f98a1c4574fc31804a0aa07f543af4ae07b59973138cdb7662024475d6d91a364e46ea4c01dc05435ca7760

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
bd126f8bcddd5c28b12307e9a5777e98

SHA1
0860b0cc620fb3949def5ceae8db13d058978b61

SHA256
67dca83b98e30d22aa70980b9fab499a096330d846c7feb68b371c9466c7e7b9

SHA512
9e98de911e1c320ddbea463aa1c6d340551b184d3f98a1c4574fc31804a0aa07f543af4ae07b59973138cdb7662024475d6d91a364e46ea4c01dc05435ca7760

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
47f53a875d58db0b1b4f68b710f2b14d

SHA1
e9ebffb18c65d28c3c6e6d784f23b28947a87eed

SHA256
cdb8406972dacb2cebb1e7c39d2f8f6a7cce6358007f9e8050da9b243e5cafd3

SHA512
cd00e6a588281c7658eb6aa2ab79fc19b7e803501066efa7bbf2b9d816ee277dc5aec1d1d2dd0292f333c478f8475729144181b14a7030a8a01edbb69d75f251

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
47f53a875d58db0b1b4f68b710f2b14d

SHA1
e9ebffb18c65d28c3c6e6d784f23b28947a87eed

SHA256
cdb8406972dacb2cebb1e7c39d2f8f6a7cce6358007f9e8050da9b243e5cafd3

SHA512
cd00e6a588281c7658eb6aa2ab79fc19b7e803501066efa7bbf2b9d816ee277dc5aec1d1d2dd0292f333c478f8475729144181b14a7030a8a01edbb69d75f251

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
47f53a875d58db0b1b4f68b710f2b14d

SHA1
e9ebffb18c65d28c3c6e6d784f23b28947a87eed

SHA256
cdb8406972dacb2cebb1e7c39d2f8f6a7cce6358007f9e8050da9b243e5cafd3

SHA512
cd00e6a588281c7658eb6aa2ab79fc19b7e803501066efa7bbf2b9d816ee277dc5aec1d1d2dd0292f333c478f8475729144181b14a7030a8a01edbb69d75f251

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
47f53a875d58db0b1b4f68b710f2b14d

SHA1
e9ebffb18c65d28c3c6e6d784f23b28947a87eed

SHA256
cdb8406972dacb2cebb1e7c39d2f8f6a7cce6358007f9e8050da9b243e5cafd3

SHA512
cd00e6a588281c7658eb6aa2ab79fc19b7e803501066efa7bbf2b9d816ee277dc5aec1d1d2dd0292f333c478f8475729144181b14a7030a8a01edbb69d75f251

Download Submit