ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe
Size

1.9MB
MD5

2b877325b7378ee08aac47ebb7b2ef99
SHA1

e9de57479257726a99c7782b3ab515f4ebff8466
SHA256

ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf
SHA512

bf0d083c8cb8e09bdefff4893b702e06a84824e27a0431064b2f7b08a644d98b30a3432357b5920ea8f6288a7fdc6840ccdea4d9d5b2be6a58a933b147334eaf
SSDEEP

49152:AN7pTHvqqv6axnlG4/cY9ACzRob9JH/QQOFoS:C9bTv6axnlG4/cY9cHxM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
2824	svchcst.exe
3944	svchcst.exe
3980	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe
2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe
2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe
2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe
2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe
2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe
2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe
2824	svchcst.exe
2824	svchcst.exe
3944	svchcst.exe
3944	svchcst.exe
3980	svchcst.exe
3980	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2100	2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe	87
PID 2860 wrote to memory of 4628	2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe	88
PID 2860 wrote to memory of 2100	2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe	87
PID 2860 wrote to memory of 2100	2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe	87
PID 2860 wrote to memory of 4628	2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe	88
PID 2860 wrote to memory of 4628	2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe	88
PID 2860 wrote to memory of 608	2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe	86
PID 2860 wrote to memory of 608	2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe	86
PID 2860 wrote to memory of 608	2860	ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe	86
PID 608 wrote to memory of 2824	608	WScript.exe	97
PID 608 wrote to memory of 2824	608	WScript.exe	97
PID 608 wrote to memory of 2824	608	WScript.exe	97
PID 2100 wrote to memory of 3944	2100	WScript.exe	96
PID 2100 wrote to memory of 3944	2100	WScript.exe	96
PID 2100 wrote to memory of 3944	2100	WScript.exe	96
PID 4628 wrote to memory of 3980	4628	WScript.exe	98
PID 4628 wrote to memory of 3980	4628	WScript.exe	98
PID 4628 wrote to memory of 3980	4628	WScript.exe	98

C:\Users\Admin\AppData\Local\Temp\ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe
"C:\Users\Admin\AppData\Local\Temp\ac8a1e9a0684aaa3c5e541d61f36394220fa0e7cb907d10c3308d5c5d656adbf.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
36875433e4fcc281b5aa46cd210f6e75

SHA1
91deceb48114184d540326a417207d5f97fd838f

SHA256
164dab3382ef05dc3cc0aa7b109a2f43a00a7aa7b2c85e269aa1d33de5db7781

SHA512
bc2046126eb9cf34ddec98c53238ef0692e44273639c725d0a93895e032c7befd585c69aee7e524b668712d900759c025c681c2692956d9a6accf349e99afda5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
36875433e4fcc281b5aa46cd210f6e75

SHA1
91deceb48114184d540326a417207d5f97fd838f

SHA256
164dab3382ef05dc3cc0aa7b109a2f43a00a7aa7b2c85e269aa1d33de5db7781

SHA512
bc2046126eb9cf34ddec98c53238ef0692e44273639c725d0a93895e032c7befd585c69aee7e524b668712d900759c025c681c2692956d9a6accf349e99afda5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
0864a9a1a926fe4843a3bcddc4708704

SHA1
f01f6c1d24144fa6ef746cca3dd81299633426ab

SHA256
737775e6bd59a579e592d6e3534811927c19ea38bad4873361c0a54fb2f9b2d4

SHA512
a6c7bc560041d8f7ebfaf245dd2ac93b28658d5190aa567e14b5ed0ad2282a147160f6b155d00922fe955b5031f35418a7fedf234df19ca7879340cd41a86b8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
0864a9a1a926fe4843a3bcddc4708704

SHA1
f01f6c1d24144fa6ef746cca3dd81299633426ab

SHA256
737775e6bd59a579e592d6e3534811927c19ea38bad4873361c0a54fb2f9b2d4

SHA512
a6c7bc560041d8f7ebfaf245dd2ac93b28658d5190aa567e14b5ed0ad2282a147160f6b155d00922fe955b5031f35418a7fedf234df19ca7879340cd41a86b8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
0864a9a1a926fe4843a3bcddc4708704

SHA1
f01f6c1d24144fa6ef746cca3dd81299633426ab

SHA256
737775e6bd59a579e592d6e3534811927c19ea38bad4873361c0a54fb2f9b2d4

SHA512
a6c7bc560041d8f7ebfaf245dd2ac93b28658d5190aa567e14b5ed0ad2282a147160f6b155d00922fe955b5031f35418a7fedf234df19ca7879340cd41a86b8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
0864a9a1a926fe4843a3bcddc4708704

SHA1
f01f6c1d24144fa6ef746cca3dd81299633426ab

SHA256
737775e6bd59a579e592d6e3534811927c19ea38bad4873361c0a54fb2f9b2d4

SHA512
a6c7bc560041d8f7ebfaf245dd2ac93b28658d5190aa567e14b5ed0ad2282a147160f6b155d00922fe955b5031f35418a7fedf234df19ca7879340cd41a86b8f

Download Submit
memory/2860-0-0x0000000010000000-0x00000000100D2000-memory.dmp

Filesize
840KB

Download