0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe
Size

1.2MB
MD5

111ab649301673ac41484b2edd364abf
SHA1

f44910e3dc0d431a5907b12f9cfdd1e772dcbdc6
SHA256

0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159
SHA512

696b1f5ee13278a069fbc70488f41d8b2a2a30f05209d66452b81485ae924b615f2eec708468f9d215181ae06cc7716555ffdc691d8a967074ca677651adeaeb
SSDEEP

24576:vlAzF5dI2vYKWb6Dsq3P3K4XY0esxUAUbwvaoslG45wyvCj8z7mw3:voep0hUbSklG45lvMc3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2156	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2156	svchcst.exe
2140	svchcst.exe

Loads dropped DLL 1 IoCs

pid	Process
2648	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe
1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe
1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe
2156	svchcst.exe
2156	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2648	1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe	29
PID 1884 wrote to memory of 2648	1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe	29
PID 1884 wrote to memory of 2648	1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe	29
PID 1884 wrote to memory of 2648	1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe	29
PID 1884 wrote to memory of 2716	1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe	28
PID 1884 wrote to memory of 2716	1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe	28
PID 1884 wrote to memory of 2716	1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe	28
PID 1884 wrote to memory of 2716	1884	0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe	28
PID 2648 wrote to memory of 2156	2648	WScript.exe	31
PID 2648 wrote to memory of 2156	2648	WScript.exe	31
PID 2648 wrote to memory of 2156	2648	WScript.exe	31
PID 2648 wrote to memory of 2156	2648	WScript.exe	31
PID 2716 wrote to memory of 2140	2716	WScript.exe	32
PID 2716 wrote to memory of 2140	2716	WScript.exe	32
PID 2716 wrote to memory of 2140	2716	WScript.exe	32
PID 2716 wrote to memory of 2140	2716	WScript.exe	32

C:\Users\Admin\AppData\Local\Temp\0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe
"C:\Users\Admin\AppData\Local\Temp\0926336a0c8fbadf42911e6eea6b0a0525ab7c1a6885c40fc43d37ac9b520159.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2140
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1c479aeab1989b9f16bc2c50d3eb948d

SHA1
9d60e40aa0fa64db277aa80411e50e4dfecb7ad5

SHA256
5f242f9c215a89767be34420055f8be329c51f80dbcf46e3b2493946572d16ff

SHA512
05d1457c939d73cbf77351b87b4359eb70f6d72cc9e022f80c1bd0d8bf6c750ec6718f4d39717ce031ca749b8b44ab5e2914d36cdca48694a210ab52bb7a39d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1c479aeab1989b9f16bc2c50d3eb948d

SHA1
9d60e40aa0fa64db277aa80411e50e4dfecb7ad5

SHA256
5f242f9c215a89767be34420055f8be329c51f80dbcf46e3b2493946572d16ff

SHA512
05d1457c939d73cbf77351b87b4359eb70f6d72cc9e022f80c1bd0d8bf6c750ec6718f4d39717ce031ca749b8b44ab5e2914d36cdca48694a210ab52bb7a39d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
c3f5beb10e0d4906b2fa1269e9a2c8f3

SHA1
9e889472f4f1da1cb0b608e0b13a813697a2c5c3

SHA256
d3bf0de6d0a940e792a27adeb7058967e8a3f9d181de2a6e0caac9909c460e6e

SHA512
74ab7ffe5054c7fa2e4acd9533f94a61c9ddd18ddf12873ac8a421b69d61d34dd9d8537aa61d3cee4709f0c6445e9fabde5a1b2d03e900290cf35c169c38ddee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
c3f5beb10e0d4906b2fa1269e9a2c8f3

SHA1
9e889472f4f1da1cb0b608e0b13a813697a2c5c3

SHA256
d3bf0de6d0a940e792a27adeb7058967e8a3f9d181de2a6e0caac9909c460e6e

SHA512
74ab7ffe5054c7fa2e4acd9533f94a61c9ddd18ddf12873ac8a421b69d61d34dd9d8537aa61d3cee4709f0c6445e9fabde5a1b2d03e900290cf35c169c38ddee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
c3f5beb10e0d4906b2fa1269e9a2c8f3

SHA1
9e889472f4f1da1cb0b608e0b13a813697a2c5c3

SHA256
d3bf0de6d0a940e792a27adeb7058967e8a3f9d181de2a6e0caac9909c460e6e

SHA512
74ab7ffe5054c7fa2e4acd9533f94a61c9ddd18ddf12873ac8a421b69d61d34dd9d8537aa61d3cee4709f0c6445e9fabde5a1b2d03e900290cf35c169c38ddee

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
c3f5beb10e0d4906b2fa1269e9a2c8f3

SHA1
9e889472f4f1da1cb0b608e0b13a813697a2c5c3

SHA256
d3bf0de6d0a940e792a27adeb7058967e8a3f9d181de2a6e0caac9909c460e6e

SHA512
74ab7ffe5054c7fa2e4acd9533f94a61c9ddd18ddf12873ac8a421b69d61d34dd9d8537aa61d3cee4709f0c6445e9fabde5a1b2d03e900290cf35c169c38ddee

Download Submit