2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
09/10/2023, 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe
Size

1.2MB
MD5

1e6f60c53575c1c30e263f7654c3bb23
SHA1

76ebeafd65f4d2cb762edff9e8cba36a095a0402
SHA256

2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5
SHA512

567043a34d7de1bc64c196b6a23b12d384bc8bb7fd822e8c45579d8ddeb61c6fe04600ecd708cf35e7f0322f550c20d9963b446104301de159ebe64fc0094c15
SSDEEP

24576:vlAzF5dI2vYKWb6Dsq3P3K4XY0esxUAUbwvaoslG45wyvCj8z7mwl:voep0hUbSklG45lvMcl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
600	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
600	svchcst.exe
2568	svchcst.exe

Loads dropped DLL 1 IoCs

pid	Process
2772	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe
3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe
600	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe
3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe
2568	svchcst.exe
2568	svchcst.exe
600	svchcst.exe
600	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2772	3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe	28
PID 3008 wrote to memory of 2772	3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe	28
PID 3008 wrote to memory of 2772	3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe	28
PID 3008 wrote to memory of 2772	3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe	28
PID 3008 wrote to memory of 2756	3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe	29
PID 3008 wrote to memory of 2756	3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe	29
PID 3008 wrote to memory of 2756	3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe	29
PID 3008 wrote to memory of 2756	3008	2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe	29
PID 2772 wrote to memory of 600	2772	WScript.exe	31
PID 2772 wrote to memory of 600	2772	WScript.exe	31
PID 2772 wrote to memory of 600	2772	WScript.exe	31
PID 2772 wrote to memory of 600	2772	WScript.exe	31
PID 2756 wrote to memory of 2568	2756	WScript.exe	32
PID 2756 wrote to memory of 2568	2756	WScript.exe	32
PID 2756 wrote to memory of 2568	2756	WScript.exe	32
PID 2756 wrote to memory of 2568	2756	WScript.exe	32

C:\Users\Admin\AppData\Local\Temp\2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe
"C:\Users\Admin\AppData\Local\Temp\2fb096cb2979bf7773e057cfe5375f79afd93e8fa350616edc3aa6205f40cda5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
95925ba1ea8301065bdf0467f5b411f0

SHA1
d956aaf98a7ea610a7536c8181478a10c2f629c0

SHA256
0ad1ab57203063bf9d76bf82b9c0ea492a0a6294f733a301280e36706ed353b5

SHA512
f3c38305ef70e80ac22b86956535073db32ebfaa24b439e8018f145ff16d6502430c8a4481cc8934a5d1e708ecb33f52e78019817ddea32c96050454508dd6a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
95925ba1ea8301065bdf0467f5b411f0

SHA1
d956aaf98a7ea610a7536c8181478a10c2f629c0

SHA256
0ad1ab57203063bf9d76bf82b9c0ea492a0a6294f733a301280e36706ed353b5

SHA512
f3c38305ef70e80ac22b86956535073db32ebfaa24b439e8018f145ff16d6502430c8a4481cc8934a5d1e708ecb33f52e78019817ddea32c96050454508dd6a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
23d67e2a7b8bbd005cf0ba230610480d

SHA1
3b1aed3b1927889af647c5008861cacf7f637aa7

SHA256
3c83e7346a9fc0a4d6eaf7e157f8e6fee9a571c9149edebc41fab97c9b2c38bb

SHA512
4d5f1c7a82ef243d56d2e521c5b38195d86e01d8f4b2bc5fadc27b65f4822df1c27ba00d88b6a884d56f2881dd40794b1a34917b2724a6cb209f97afab1af92e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
23d67e2a7b8bbd005cf0ba230610480d

SHA1
3b1aed3b1927889af647c5008861cacf7f637aa7

SHA256
3c83e7346a9fc0a4d6eaf7e157f8e6fee9a571c9149edebc41fab97c9b2c38bb

SHA512
4d5f1c7a82ef243d56d2e521c5b38195d86e01d8f4b2bc5fadc27b65f4822df1c27ba00d88b6a884d56f2881dd40794b1a34917b2724a6cb209f97afab1af92e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
23d67e2a7b8bbd005cf0ba230610480d

SHA1
3b1aed3b1927889af647c5008861cacf7f637aa7

SHA256
3c83e7346a9fc0a4d6eaf7e157f8e6fee9a571c9149edebc41fab97c9b2c38bb

SHA512
4d5f1c7a82ef243d56d2e521c5b38195d86e01d8f4b2bc5fadc27b65f4822df1c27ba00d88b6a884d56f2881dd40794b1a34917b2724a6cb209f97afab1af92e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
23d67e2a7b8bbd005cf0ba230610480d

SHA1
3b1aed3b1927889af647c5008861cacf7f637aa7

SHA256
3c83e7346a9fc0a4d6eaf7e157f8e6fee9a571c9149edebc41fab97c9b2c38bb

SHA512
4d5f1c7a82ef243d56d2e521c5b38195d86e01d8f4b2bc5fadc27b65f4822df1c27ba00d88b6a884d56f2881dd40794b1a34917b2724a6cb209f97afab1af92e

Download Submit