1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2023 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe
Size

1.9MB
MD5

f845215977ee999c22d27ae80657f282
SHA1

59d792ecb84bc1607a705b0944141de33a15dc25
SHA256

1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04
SHA512

2b72416041bc79aea4478d19145e7eb142fb23124a5289506e442a1e86e31103cb409c8009acb9e316145681f92042355d0a803727e98a63d88ad1bd5a65c628
SSDEEP

49152:AN7pTHvqqv6axnlG4/cY9ACzRob9JH/QQOFoE:C9bTv6axnlG4/cY9cHxq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1544	svchcst.exe
3908	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe
4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe
4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe
4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe
4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe
4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe
4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe
1544	svchcst.exe
1544	svchcst.exe
3908	svchcst.exe
3908	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4628	4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe	86
PID 4224 wrote to memory of 4628	4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe	86
PID 4224 wrote to memory of 4628	4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe	86
PID 4224 wrote to memory of 2012	4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe	87
PID 4224 wrote to memory of 2012	4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe	87
PID 4224 wrote to memory of 2012	4224	1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe	87
PID 4628 wrote to memory of 1544	4628	WScript.exe	95
PID 4628 wrote to memory of 1544	4628	WScript.exe	95
PID 4628 wrote to memory of 1544	4628	WScript.exe	95
PID 2012 wrote to memory of 3908	2012	WScript.exe	96
PID 2012 wrote to memory of 3908	2012	WScript.exe	96
PID 2012 wrote to memory of 3908	2012	WScript.exe	96

C:\Users\Admin\AppData\Local\Temp\1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe
"C:\Users\Admin\AppData\Local\Temp\1b98027906b6982150cfa927b63b5c6011567ec6dd6ff64ae8c8267a5862fa04.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1544
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ba09d2300baf6513fdc4129c40578e32

SHA1
5a4a37de2e57aa5b9e352284137877f88bf53cc7

SHA256
2494956f5c15ea87d9e2eebd18676040d00c198c761e2df162c714c616edc474

SHA512
e7617fa99dcc63ed4c0e3911e1f9290b8f34e6cfef833651f7595f8daf484930c9be5679a380f150b2ba9f4ad7f31a47963ef7194276027774d8caf82105b6f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ba09d2300baf6513fdc4129c40578e32

SHA1
5a4a37de2e57aa5b9e352284137877f88bf53cc7

SHA256
2494956f5c15ea87d9e2eebd18676040d00c198c761e2df162c714c616edc474

SHA512
e7617fa99dcc63ed4c0e3911e1f9290b8f34e6cfef833651f7595f8daf484930c9be5679a380f150b2ba9f4ad7f31a47963ef7194276027774d8caf82105b6f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
a91cb3c1de10727ff3c670a4b47ace22

SHA1
eb7c4afefea4d78b8a8912d1415c5f527e0eddf0

SHA256
84b5c252cebd10214ac69644c5cfcdaf7afa0c9ace1bdd13b884a2ed0de04329

SHA512
036e8cc6ac3cd4fa5f47ea2b99115620a16764e1a50f47aa6a4b59d19c15f72fef293eb1b3eac861e9e6401a430f5ef22b3b23bae81f27aa08c974d5d01660a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
a91cb3c1de10727ff3c670a4b47ace22

SHA1
eb7c4afefea4d78b8a8912d1415c5f527e0eddf0

SHA256
84b5c252cebd10214ac69644c5cfcdaf7afa0c9ace1bdd13b884a2ed0de04329

SHA512
036e8cc6ac3cd4fa5f47ea2b99115620a16764e1a50f47aa6a4b59d19c15f72fef293eb1b3eac861e9e6401a430f5ef22b3b23bae81f27aa08c974d5d01660a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
a91cb3c1de10727ff3c670a4b47ace22

SHA1
eb7c4afefea4d78b8a8912d1415c5f527e0eddf0

SHA256
84b5c252cebd10214ac69644c5cfcdaf7afa0c9ace1bdd13b884a2ed0de04329

SHA512
036e8cc6ac3cd4fa5f47ea2b99115620a16764e1a50f47aa6a4b59d19c15f72fef293eb1b3eac861e9e6401a430f5ef22b3b23bae81f27aa08c974d5d01660a9

Download Submit
memory/4224-0-0x0000000010000000-0x00000000100D2000-memory.dmp

Filesize
840KB

Download