18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10/10/2023, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe
Size

1.9MB
MD5

eb3f54ca37020842ae8fd84743b7503a
SHA1

02d4feaccf1224ab54993ab8cb258caf1e5635ad
SHA256

18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a
SHA512

0c3770f526bf0418c11db903a3b815277d585b9c7b78ad097485eb1297ed58c050a8a4b073ad327778939fda578592629002122960a020b20fd970a14bf1bfce
SSDEEP

49152:AN7pTHvqqv6axnlG4/cY9ACzRob9JH/QQOFom:C9bTv6axnlG4/cY9cHxg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3020	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3028	svchcst.exe
3020	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2912	WScript.exe
2620	WScript.exe
2620	WScript.exe
2912	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe
2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe
2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe
3020	svchcst.exe
3020	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2620	2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe	29
PID 2124 wrote to memory of 2620	2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe	29
PID 2124 wrote to memory of 2620	2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe	29
PID 2124 wrote to memory of 2620	2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe	29
PID 2124 wrote to memory of 2912	2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe	28
PID 2124 wrote to memory of 2912	2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe	28
PID 2124 wrote to memory of 2912	2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe	28
PID 2124 wrote to memory of 2912	2124	18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe	28
PID 2620 wrote to memory of 3028	2620	WScript.exe	32
PID 2620 wrote to memory of 3028	2620	WScript.exe	32
PID 2620 wrote to memory of 3028	2620	WScript.exe	32
PID 2620 wrote to memory of 3028	2620	WScript.exe	32
PID 2912 wrote to memory of 3020	2912	WScript.exe	31
PID 2912 wrote to memory of 3020	2912	WScript.exe	31
PID 2912 wrote to memory of 3020	2912	WScript.exe	31
PID 2912 wrote to memory of 3020	2912	WScript.exe	31

C:\Users\Admin\AppData\Local\Temp\18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe
"C:\Users\Admin\AppData\Local\Temp\18f3b68478552699429c958a40157e92e24b698a1fdef6d3fb8fdd77968a522a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3020
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5d0bf0df07006c409294880cab3b314e

SHA1
c8e29540d5c4851e187557e88d6001e1de1eea1c

SHA256
23a2afe7a3ecc355ca1b6be205f18af50cdd86cbb691d5fba5b911f0b448e73c

SHA512
b100a76e11c7126ebc03a0d7ee370e344bee91a2cde30c1f1935b725b3caf9b307a4965b885322ab7977d810d340cca979aa5ebe03eea67a1e7a9aa0cad42851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5d0bf0df07006c409294880cab3b314e

SHA1
c8e29540d5c4851e187557e88d6001e1de1eea1c

SHA256
23a2afe7a3ecc355ca1b6be205f18af50cdd86cbb691d5fba5b911f0b448e73c

SHA512
b100a76e11c7126ebc03a0d7ee370e344bee91a2cde30c1f1935b725b3caf9b307a4965b885322ab7977d810d340cca979aa5ebe03eea67a1e7a9aa0cad42851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
121b2c9edcb38579309bcc155950b5ea

SHA1
4ea05fd99dbd37b49ebeccbba19d895508492a5c

SHA256
d2fd06791cdbf32c1cd1d3b884c344599dba84a6cd908405b89fb17afa08a0dc

SHA512
1208b4866b56499910eadbeb0fad6d05ccfd49f79841aa2865e6bc9eb97f2e58f3b6d1e243cd20184b05f28c0ba3e065e3e4f165a327b8b37d6c3f1a209cc3b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
121b2c9edcb38579309bcc155950b5ea

SHA1
4ea05fd99dbd37b49ebeccbba19d895508492a5c

SHA256
d2fd06791cdbf32c1cd1d3b884c344599dba84a6cd908405b89fb17afa08a0dc

SHA512
1208b4866b56499910eadbeb0fad6d05ccfd49f79841aa2865e6bc9eb97f2e58f3b6d1e243cd20184b05f28c0ba3e065e3e4f165a327b8b37d6c3f1a209cc3b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
121b2c9edcb38579309bcc155950b5ea

SHA1
4ea05fd99dbd37b49ebeccbba19d895508492a5c

SHA256
d2fd06791cdbf32c1cd1d3b884c344599dba84a6cd908405b89fb17afa08a0dc

SHA512
1208b4866b56499910eadbeb0fad6d05ccfd49f79841aa2865e6bc9eb97f2e58f3b6d1e243cd20184b05f28c0ba3e065e3e4f165a327b8b37d6c3f1a209cc3b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
121b2c9edcb38579309bcc155950b5ea

SHA1
4ea05fd99dbd37b49ebeccbba19d895508492a5c

SHA256
d2fd06791cdbf32c1cd1d3b884c344599dba84a6cd908405b89fb17afa08a0dc

SHA512
1208b4866b56499910eadbeb0fad6d05ccfd49f79841aa2865e6bc9eb97f2e58f3b6d1e243cd20184b05f28c0ba3e065e3e4f165a327b8b37d6c3f1a209cc3b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
121b2c9edcb38579309bcc155950b5ea

SHA1
4ea05fd99dbd37b49ebeccbba19d895508492a5c

SHA256
d2fd06791cdbf32c1cd1d3b884c344599dba84a6cd908405b89fb17afa08a0dc

SHA512
1208b4866b56499910eadbeb0fad6d05ccfd49f79841aa2865e6bc9eb97f2e58f3b6d1e243cd20184b05f28c0ba3e065e3e4f165a327b8b37d6c3f1a209cc3b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
121b2c9edcb38579309bcc155950b5ea

SHA1
4ea05fd99dbd37b49ebeccbba19d895508492a5c

SHA256
d2fd06791cdbf32c1cd1d3b884c344599dba84a6cd908405b89fb17afa08a0dc

SHA512
1208b4866b56499910eadbeb0fad6d05ccfd49f79841aa2865e6bc9eb97f2e58f3b6d1e243cd20184b05f28c0ba3e065e3e4f165a327b8b37d6c3f1a209cc3b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.9MB

MD5
121b2c9edcb38579309bcc155950b5ea

SHA1
4ea05fd99dbd37b49ebeccbba19d895508492a5c

SHA256
d2fd06791cdbf32c1cd1d3b884c344599dba84a6cd908405b89fb17afa08a0dc

SHA512
1208b4866b56499910eadbeb0fad6d05ccfd49f79841aa2865e6bc9eb97f2e58f3b6d1e243cd20184b05f28c0ba3e065e3e4f165a327b8b37d6c3f1a209cc3b9

Download Submit
memory/2124-0-0x0000000010000000-0x00000000100D2000-memory.dmp

Filesize
840KB

Download