b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe
Size

1.2MB
MD5

6a4028b7d5cfabce484c2e340696a96f
SHA1

1e68ca70aacd00fc24bac10c530d28726e184455
SHA256

b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388
SHA512

d71f5886e2b92ae9930235084d0e912830fa894ddc4eb91bdda2b6e49d0d8aed8fca8dd47efc290bf87a316bd15ceb25ed1b899c8386af3d5f7802d669f6be72
SSDEEP

24576:vlAzF5dI2vYKWb6Dsq3P3K4XY0esxUAUbwvaoslG45wyvCj8z7mwc:voep0hUbSklG45lvMcc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1120	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1120	svchcst.exe
2480	svchcst.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	WScript.exe
2656	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe
2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe
2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe
1120	svchcst.exe
1120	svchcst.exe
2480	svchcst.exe
2480	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2876	2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe	29
PID 2696 wrote to memory of 2876	2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe	29
PID 2696 wrote to memory of 2876	2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe	29
PID 2696 wrote to memory of 2876	2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe	29
PID 2696 wrote to memory of 2656	2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe	28
PID 2696 wrote to memory of 2656	2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe	28
PID 2696 wrote to memory of 2656	2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe	28
PID 2696 wrote to memory of 2656	2696	b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe	28
PID 2876 wrote to memory of 2480	2876	WScript.exe	32
PID 2876 wrote to memory of 2480	2876	WScript.exe	32
PID 2876 wrote to memory of 2480	2876	WScript.exe	32
PID 2876 wrote to memory of 2480	2876	WScript.exe	32
PID 2656 wrote to memory of 1120	2656	WScript.exe	31
PID 2656 wrote to memory of 1120	2656	WScript.exe	31
PID 2656 wrote to memory of 1120	2656	WScript.exe	31
PID 2656 wrote to memory of 1120	2656	WScript.exe	31

C:\Users\Admin\AppData\Local\Temp\b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe
"C:\Users\Admin\AppData\Local\Temp\b1d306aa7b9a1c8e96f69f0f79f25a6f00a45bd7277021d570cf4fa21169e388.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1120
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
23838b02bc0b342473f176c555bd8bdc

SHA1
4ca76b32f6bbaeb2bf2ff5d1e58904ff98cc16c2

SHA256
8a6467d907d575807bb9033443160ccee104a161e201784b27131da1e960d97f

SHA512
bf0c1f04224dc3f360860f7e9001c1bcbd008856ff55a52ba96e322b9826f4024c5dd64d7eec383487e3d5eb967fda0fda7de20c7d5353ee950db116b2d9c430

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
23838b02bc0b342473f176c555bd8bdc

SHA1
4ca76b32f6bbaeb2bf2ff5d1e58904ff98cc16c2

SHA256
8a6467d907d575807bb9033443160ccee104a161e201784b27131da1e960d97f

SHA512
bf0c1f04224dc3f360860f7e9001c1bcbd008856ff55a52ba96e322b9826f4024c5dd64d7eec383487e3d5eb967fda0fda7de20c7d5353ee950db116b2d9c430

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
558c0f6d1c3c2faa3b6853b666883a5e

SHA1
695f2d4aaa5e100a7f325d8414825123219d2204

SHA256
48f43cedc6624ed7c8837ec49bd67ce1270b8e64ce68193b9867a45da065215d

SHA512
a643d424993b391782513468c469e9eb7a222d861a4fa4b46d5ab40103cf80e8faaba55d21b18471ebcd255b206e2779edbe9990d1ddcecdccb432b0a1501df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
558c0f6d1c3c2faa3b6853b666883a5e

SHA1
695f2d4aaa5e100a7f325d8414825123219d2204

SHA256
48f43cedc6624ed7c8837ec49bd67ce1270b8e64ce68193b9867a45da065215d

SHA512
a643d424993b391782513468c469e9eb7a222d861a4fa4b46d5ab40103cf80e8faaba55d21b18471ebcd255b206e2779edbe9990d1ddcecdccb432b0a1501df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
558c0f6d1c3c2faa3b6853b666883a5e

SHA1
695f2d4aaa5e100a7f325d8414825123219d2204

SHA256
48f43cedc6624ed7c8837ec49bd67ce1270b8e64ce68193b9867a45da065215d

SHA512
a643d424993b391782513468c469e9eb7a222d861a4fa4b46d5ab40103cf80e8faaba55d21b18471ebcd255b206e2779edbe9990d1ddcecdccb432b0a1501df0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
558c0f6d1c3c2faa3b6853b666883a5e

SHA1
695f2d4aaa5e100a7f325d8414825123219d2204

SHA256
48f43cedc6624ed7c8837ec49bd67ce1270b8e64ce68193b9867a45da065215d

SHA512
a643d424993b391782513468c469e9eb7a222d861a4fa4b46d5ab40103cf80e8faaba55d21b18471ebcd255b206e2779edbe9990d1ddcecdccb432b0a1501df0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
558c0f6d1c3c2faa3b6853b666883a5e

SHA1
695f2d4aaa5e100a7f325d8414825123219d2204

SHA256
48f43cedc6624ed7c8837ec49bd67ce1270b8e64ce68193b9867a45da065215d

SHA512
a643d424993b391782513468c469e9eb7a222d861a4fa4b46d5ab40103cf80e8faaba55d21b18471ebcd255b206e2779edbe9990d1ddcecdccb432b0a1501df0

Download Submit