0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080

Analysis

max time kernel
109s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
Size

1.1MB
MD5

fdb0b8642dd7fa7d36d11bb70f9b23e2
SHA1

38a26e6b4e38994e9412e14d7ce832c804b923e5
SHA256

0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080
SHA512

86cd12d15c0d3e9b588f34817e6bc9cf24838649f4997838a4b65500873d5c0616a329a48f5568416a8da334818a65b77ab49773d645df4b51198ed75050ff96
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QR:CcaClSFlG4ZM7QzMS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
4152	svchcst.exe
2532	svchcst.exe
3876	svchcst.exe
2068	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
2532	svchcst.exe
2532	svchcst.exe
4152	svchcst.exe
4152	svchcst.exe
3876	svchcst.exe
2068	svchcst.exe
3876	svchcst.exe
2068	svchcst.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1976	2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe	86
PID 2032 wrote to memory of 1976	2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe	86
PID 2032 wrote to memory of 1976	2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe	86
PID 2032 wrote to memory of 5116	2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe	88
PID 2032 wrote to memory of 5116	2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe	88
PID 2032 wrote to memory of 5116	2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe	88
PID 2032 wrote to memory of 1988	2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe	87
PID 2032 wrote to memory of 1988	2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe	87
PID 2032 wrote to memory of 1988	2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe	87
PID 2032 wrote to memory of 412	2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe	89
PID 2032 wrote to memory of 412	2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe	89
PID 2032 wrote to memory of 412	2032	0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe	89
PID 5116 wrote to memory of 4152	5116	WScript.exe	99
PID 5116 wrote to memory of 4152	5116	WScript.exe	99
PID 5116 wrote to memory of 4152	5116	WScript.exe	99
PID 412 wrote to memory of 2532	412	WScript.exe	96
PID 412 wrote to memory of 2532	412	WScript.exe	96
PID 412 wrote to memory of 2532	412	WScript.exe	96
PID 1988 wrote to memory of 3876	1988	WScript.exe	98
PID 1988 wrote to memory of 3876	1988	WScript.exe	98
PID 1988 wrote to memory of 3876	1988	WScript.exe	98
PID 1976 wrote to memory of 2068	1976	WScript.exe	97
PID 1976 wrote to memory of 2068	1976	WScript.exe	97
PID 1976 wrote to memory of 2068	1976	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe
"C:\Users\Admin\AppData\Local\Temp\0f8c656539eedcbba2153182bdb60a1ec96aa8bffed8e026a991e851525d7080.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4152
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
16343c32b00a98784b6e4a6682559a46

SHA1
75d82d885807cb7252ffa61c69b4fca3c9a4f0ac

SHA256
e86ff5b351465edd96776d9655c55dec3deb0c8b9ed3054fdad5dbdd4790db7a

SHA512
6ce2697cda0036b4c39dc27e14b814f34a93370dc163b9eb0de738eb85f63cb81e170319484cdac622abc5cd7c47bddb0c70c7a2e664a55e1c0a3fb3ccde519f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
16343c32b00a98784b6e4a6682559a46

SHA1
75d82d885807cb7252ffa61c69b4fca3c9a4f0ac

SHA256
e86ff5b351465edd96776d9655c55dec3deb0c8b9ed3054fdad5dbdd4790db7a

SHA512
6ce2697cda0036b4c39dc27e14b814f34a93370dc163b9eb0de738eb85f63cb81e170319484cdac622abc5cd7c47bddb0c70c7a2e664a55e1c0a3fb3ccde519f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b4df8cf8126fd0c8686cf9d62385b27d

SHA1
3268a6562f2683156862aced944e0601bb0a9e63

SHA256
5cee57f693d5558d5b0cbe340845125d252305c4f2f59156be9624dbd46ffac5

SHA512
3e2f1301e1d5a3efc8f155389c0b29e7eff84c10e3bf4452105272bcbab93e5d0ab8fa8d8e0f69711b3bda3d319bc8432435b6be51dd459f1f97c119b640f671

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b4df8cf8126fd0c8686cf9d62385b27d

SHA1
3268a6562f2683156862aced944e0601bb0a9e63

SHA256
5cee57f693d5558d5b0cbe340845125d252305c4f2f59156be9624dbd46ffac5

SHA512
3e2f1301e1d5a3efc8f155389c0b29e7eff84c10e3bf4452105272bcbab93e5d0ab8fa8d8e0f69711b3bda3d319bc8432435b6be51dd459f1f97c119b640f671

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b4df8cf8126fd0c8686cf9d62385b27d

SHA1
3268a6562f2683156862aced944e0601bb0a9e63

SHA256
5cee57f693d5558d5b0cbe340845125d252305c4f2f59156be9624dbd46ffac5

SHA512
3e2f1301e1d5a3efc8f155389c0b29e7eff84c10e3bf4452105272bcbab93e5d0ab8fa8d8e0f69711b3bda3d319bc8432435b6be51dd459f1f97c119b640f671

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b4df8cf8126fd0c8686cf9d62385b27d

SHA1
3268a6562f2683156862aced944e0601bb0a9e63

SHA256
5cee57f693d5558d5b0cbe340845125d252305c4f2f59156be9624dbd46ffac5

SHA512
3e2f1301e1d5a3efc8f155389c0b29e7eff84c10e3bf4452105272bcbab93e5d0ab8fa8d8e0f69711b3bda3d319bc8432435b6be51dd459f1f97c119b640f671

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b4df8cf8126fd0c8686cf9d62385b27d

SHA1
3268a6562f2683156862aced944e0601bb0a9e63

SHA256
5cee57f693d5558d5b0cbe340845125d252305c4f2f59156be9624dbd46ffac5

SHA512
3e2f1301e1d5a3efc8f155389c0b29e7eff84c10e3bf4452105272bcbab93e5d0ab8fa8d8e0f69711b3bda3d319bc8432435b6be51dd459f1f97c119b640f671

Download Submit