733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe

Analysis

max time kernel
172s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
Size

1.1MB
MD5

7b0378229a616126732307655969b372
SHA1

55fc0c0b4df00ff97bd3afc4a54fde476ef3eb75
SHA256

733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe
SHA512

d1163fdddeb9586e484ffff49cfb1a2c306b2ad822e2276e6832daa92af753f3d5a8cf54cecb2a623d046614c2bda85a47f00be23271841a82dc1abd7f3080b2
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qa:CcaClSFlG4ZM7QzM5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
4640	svchcst.exe
2564	svchcst.exe
2868	svchcst.exe
372	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
4640	svchcst.exe
4640	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2868	svchcst.exe
372	svchcst.exe
372	svchcst.exe
2868	svchcst.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 4728	1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe	93
PID 1376 wrote to memory of 4728	1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe	93
PID 1376 wrote to memory of 4728	1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe	93
PID 1376 wrote to memory of 1652	1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe	94
PID 1376 wrote to memory of 1652	1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe	94
PID 1376 wrote to memory of 1652	1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe	94
PID 1376 wrote to memory of 544	1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe	92
PID 1376 wrote to memory of 544	1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe	92
PID 1376 wrote to memory of 544	1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe	92
PID 1376 wrote to memory of 3840	1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe	91
PID 1376 wrote to memory of 3840	1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe	91
PID 1376 wrote to memory of 3840	1376	733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe	91
PID 4728 wrote to memory of 4640	4728	WScript.exe	97
PID 4728 wrote to memory of 4640	4728	WScript.exe	97
PID 4728 wrote to memory of 4640	4728	WScript.exe	97
PID 3840 wrote to memory of 2564	3840	WScript.exe	101
PID 3840 wrote to memory of 2564	3840	WScript.exe	101
PID 3840 wrote to memory of 2564	3840	WScript.exe	101
PID 544 wrote to memory of 2868	544	WScript.exe	99
PID 544 wrote to memory of 2868	544	WScript.exe	99
PID 544 wrote to memory of 2868	544	WScript.exe	99
PID 1652 wrote to memory of 372	1652	WScript.exe	98
PID 1652 wrote to memory of 372	1652	WScript.exe	98
PID 1652 wrote to memory of 372	1652	WScript.exe	98

C:\Users\Admin\AppData\Local\Temp\733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe
"C:\Users\Admin\AppData\Local\Temp\733bcdee3e7e2fae986390ba0418d6956e16e3c08b27d33e2141c20d939c4bfe.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3f8eca42d2ff69756be0bedb789372a5

SHA1
c5a0191db4c4e68bedae97bd819da339cd2c8a7a

SHA256
b7348dbcc8d0959506b6bd79e192327069f9af82fb4aecb3b5e9e7fc5d9b49bc

SHA512
38fc65af5685597d3107dfcee54973d0e4b7efe77a9fb6b24abd75dac22730a4083035b85500fd7e03c1041994b981dbed87e5c729df5df441b624c6c4bd19c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3f8eca42d2ff69756be0bedb789372a5

SHA1
c5a0191db4c4e68bedae97bd819da339cd2c8a7a

SHA256
b7348dbcc8d0959506b6bd79e192327069f9af82fb4aecb3b5e9e7fc5d9b49bc

SHA512
38fc65af5685597d3107dfcee54973d0e4b7efe77a9fb6b24abd75dac22730a4083035b85500fd7e03c1041994b981dbed87e5c729df5df441b624c6c4bd19c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
47072f58a9777576b6bbd09fa385e2ba

SHA1
93cd65c5cb21687e4a76ed731e0d5ddc49d872b4

SHA256
06cde68f78a51e5b0a7a4bdb36de21692295fc80409f1fdc93be6781f88bb69e

SHA512
565a59637ce67182912054fa5d79557439725a73702d3a44f62df3b12ecbbcf0152c92205be3c0c855336d34b2320cf0457a3486e1e4f07ac82930167bec8068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
47072f58a9777576b6bbd09fa385e2ba

SHA1
93cd65c5cb21687e4a76ed731e0d5ddc49d872b4

SHA256
06cde68f78a51e5b0a7a4bdb36de21692295fc80409f1fdc93be6781f88bb69e

SHA512
565a59637ce67182912054fa5d79557439725a73702d3a44f62df3b12ecbbcf0152c92205be3c0c855336d34b2320cf0457a3486e1e4f07ac82930167bec8068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
47072f58a9777576b6bbd09fa385e2ba

SHA1
93cd65c5cb21687e4a76ed731e0d5ddc49d872b4

SHA256
06cde68f78a51e5b0a7a4bdb36de21692295fc80409f1fdc93be6781f88bb69e

SHA512
565a59637ce67182912054fa5d79557439725a73702d3a44f62df3b12ecbbcf0152c92205be3c0c855336d34b2320cf0457a3486e1e4f07ac82930167bec8068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
47072f58a9777576b6bbd09fa385e2ba

SHA1
93cd65c5cb21687e4a76ed731e0d5ddc49d872b4

SHA256
06cde68f78a51e5b0a7a4bdb36de21692295fc80409f1fdc93be6781f88bb69e

SHA512
565a59637ce67182912054fa5d79557439725a73702d3a44f62df3b12ecbbcf0152c92205be3c0c855336d34b2320cf0457a3486e1e4f07ac82930167bec8068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
47072f58a9777576b6bbd09fa385e2ba

SHA1
93cd65c5cb21687e4a76ed731e0d5ddc49d872b4

SHA256
06cde68f78a51e5b0a7a4bdb36de21692295fc80409f1fdc93be6781f88bb69e

SHA512
565a59637ce67182912054fa5d79557439725a73702d3a44f62df3b12ecbbcf0152c92205be3c0c855336d34b2320cf0457a3486e1e4f07ac82930167bec8068

Download Submit