2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c

Analysis

max time kernel
145s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe
Size

1.1MB
MD5

e3d163ba2c7386991a022f9470120196
SHA1

2c3ba2c9d5f05288b690ac6483bf9fe069de4896
SHA256

2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c
SHA512

b472ef51c01858b3a90660636c1f6c66eb9b63a8a9998ff1e83ec9732e9190856210618e6933fbc8c03b7e65480e9d4b0b536bb38e9aa10be249d577b9b75f5f
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRE:g5ApamAUAQ/lG4lBmFAvZE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
4184	svchcst.exe
4388	svchcst.exe
1096	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe
4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe
4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe
4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe
4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe
4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe
4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe
4388	svchcst.exe
4388	svchcst.exe
4184	svchcst.exe
4184	svchcst.exe
1096	svchcst.exe
1096	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4676	4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe	87
PID 4984 wrote to memory of 2744	4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe	86
PID 4984 wrote to memory of 4676	4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe	87
PID 4984 wrote to memory of 4676	4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe	87
PID 4984 wrote to memory of 2744	4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe	86
PID 4984 wrote to memory of 2744	4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe	86
PID 4984 wrote to memory of 4804	4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe	88
PID 4984 wrote to memory of 4804	4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe	88
PID 4984 wrote to memory of 4804	4984	2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe	88
PID 4804 wrote to memory of 4184	4804	WScript.exe	93
PID 2744 wrote to memory of 4388	2744	WScript.exe	94
PID 4804 wrote to memory of 4184	4804	WScript.exe	93
PID 4804 wrote to memory of 4184	4804	WScript.exe	93
PID 2744 wrote to memory of 4388	2744	WScript.exe	94
PID 2744 wrote to memory of 4388	2744	WScript.exe	94
PID 4676 wrote to memory of 1096	4676	WScript.exe	95
PID 4676 wrote to memory of 1096	4676	WScript.exe	95
PID 4676 wrote to memory of 1096	4676	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe
"C:\Users\Admin\AppData\Local\Temp\2207b93573814da7eedf5519460cbfc2e350e74256ae4326d33f1849aa5ab91c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1096
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3598dc70ea406621199810485495db0e

SHA1
7598151ddceb6dcd646132bb24ae56253700cb0b

SHA256
222b64381110d342f607464245524f1ff1ad915cfb7514c1063ba25202f711dc

SHA512
6d0b545f820454001cf7487d2f7be801ea9c94bda283fdca862594071698b3ad34e3d41674e599a78e399f1de32ed5e95d5256697d90951f53001c6433205d67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3598dc70ea406621199810485495db0e

SHA1
7598151ddceb6dcd646132bb24ae56253700cb0b

SHA256
222b64381110d342f607464245524f1ff1ad915cfb7514c1063ba25202f711dc

SHA512
6d0b545f820454001cf7487d2f7be801ea9c94bda283fdca862594071698b3ad34e3d41674e599a78e399f1de32ed5e95d5256697d90951f53001c6433205d67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1a2aaed763a4091364a36837425c18bd

SHA1
988db7f5aa9a5df83478d0655e9dfd009755610e

SHA256
5c415facddd241c4ea2443880ec89687e52df3f36beaf8d5d43a3878af88a0bd

SHA512
3637eafdc1145a76cdf12d41b536c41b4dac599901ce35eee2776c5908db252ea3a2e03dfaf87161eb47caac948dd08d64455dafa58bf6a94f08d478b7866e11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1a2aaed763a4091364a36837425c18bd

SHA1
988db7f5aa9a5df83478d0655e9dfd009755610e

SHA256
5c415facddd241c4ea2443880ec89687e52df3f36beaf8d5d43a3878af88a0bd

SHA512
3637eafdc1145a76cdf12d41b536c41b4dac599901ce35eee2776c5908db252ea3a2e03dfaf87161eb47caac948dd08d64455dafa58bf6a94f08d478b7866e11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1a2aaed763a4091364a36837425c18bd

SHA1
988db7f5aa9a5df83478d0655e9dfd009755610e

SHA256
5c415facddd241c4ea2443880ec89687e52df3f36beaf8d5d43a3878af88a0bd

SHA512
3637eafdc1145a76cdf12d41b536c41b4dac599901ce35eee2776c5908db252ea3a2e03dfaf87161eb47caac948dd08d64455dafa58bf6a94f08d478b7866e11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1a2aaed763a4091364a36837425c18bd

SHA1
988db7f5aa9a5df83478d0655e9dfd009755610e

SHA256
5c415facddd241c4ea2443880ec89687e52df3f36beaf8d5d43a3878af88a0bd

SHA512
3637eafdc1145a76cdf12d41b536c41b4dac599901ce35eee2776c5908db252ea3a2e03dfaf87161eb47caac948dd08d64455dafa58bf6a94f08d478b7866e11

Download Submit