a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727

Analysis

max time kernel
162s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 12:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe
Size

1.2MB
MD5

8e044a080e8e4ce47056de43c9293408
SHA1

6a623d4f5919e357c63af91b26158f002595d5dd
SHA256

a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727
SHA512

c7f0233e27b98c0d1a04cdef4b5280455772a0c9e60723d8807727083b069ff73614f8217755777a1da550f73af7b5937361a0f16ed31297327f9a8a48661c9b
SSDEEP

24576:vlAzF5dI2vYKWb6Dsq3P3K4XY0esxUAUbwvaoslG45wyvCj8z7mwm:voep0hUbSklG45lvMcm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
1348	svchcst.exe
1308	svchcst.exe
4108	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe
224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe
224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe
224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe
224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe
224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe
224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe
4108	svchcst.exe
4108	svchcst.exe
1348	svchcst.exe
1348	svchcst.exe
1308	svchcst.exe
1308	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4760	224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe	87
PID 224 wrote to memory of 4760	224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe	87
PID 224 wrote to memory of 4760	224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe	87
PID 224 wrote to memory of 5028	224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe	89
PID 224 wrote to memory of 5028	224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe	89
PID 224 wrote to memory of 5028	224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe	89
PID 224 wrote to memory of 5012	224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe	88
PID 224 wrote to memory of 5012	224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe	88
PID 224 wrote to memory of 5012	224	a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe	88
PID 4760 wrote to memory of 1348	4760	WScript.exe	97
PID 4760 wrote to memory of 1348	4760	WScript.exe	97
PID 4760 wrote to memory of 1348	4760	WScript.exe	97
PID 5028 wrote to memory of 1308	5028	WScript.exe	98
PID 5028 wrote to memory of 1308	5028	WScript.exe	98
PID 5028 wrote to memory of 1308	5028	WScript.exe	98
PID 5012 wrote to memory of 4108	5012	WScript.exe	99
PID 5012 wrote to memory of 4108	5012	WScript.exe	99
PID 5012 wrote to memory of 4108	5012	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe
"C:\Users\Admin\AppData\Local\Temp\a861790003703d8bd5f0492d7a5f92f1e265857dc68f7ee2dc758a2d1a35f727.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4108
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
414496b160a6b855a141958f6474706f

SHA1
9e8a218985f90a0d697c3d6acab52119c14b6541

SHA256
a7eba0aa696cd892911df8898b51d70029563f3fa5e623725f804bb8bf070bbc

SHA512
d811f17cb18e7ff36bff9852445281de970049172de892758f796fdb576eb8e2a80124a2b52859eec77f77eed532e35d303c2b7c80acab2bebfd0f979312bb2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
414496b160a6b855a141958f6474706f

SHA1
9e8a218985f90a0d697c3d6acab52119c14b6541

SHA256
a7eba0aa696cd892911df8898b51d70029563f3fa5e623725f804bb8bf070bbc

SHA512
d811f17cb18e7ff36bff9852445281de970049172de892758f796fdb576eb8e2a80124a2b52859eec77f77eed532e35d303c2b7c80acab2bebfd0f979312bb2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
980051019557d9cfbda1529a873c8556

SHA1
ea467e6cab0d5d7e34f91b9d4bdb5c6ee78460b3

SHA256
439929a37a88d657383aa68effc67b6ea929ba8bcc20ca8169e5345385840819

SHA512
403511fd634ca475d49a634bda0f728fb61a87fe32451f332008203bcc4ad3f8742eea5011a21ea2c48d277dca46937047d19e72a483673bb7a996fc13745eed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
980051019557d9cfbda1529a873c8556

SHA1
ea467e6cab0d5d7e34f91b9d4bdb5c6ee78460b3

SHA256
439929a37a88d657383aa68effc67b6ea929ba8bcc20ca8169e5345385840819

SHA512
403511fd634ca475d49a634bda0f728fb61a87fe32451f332008203bcc4ad3f8742eea5011a21ea2c48d277dca46937047d19e72a483673bb7a996fc13745eed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
980051019557d9cfbda1529a873c8556

SHA1
ea467e6cab0d5d7e34f91b9d4bdb5c6ee78460b3

SHA256
439929a37a88d657383aa68effc67b6ea929ba8bcc20ca8169e5345385840819

SHA512
403511fd634ca475d49a634bda0f728fb61a87fe32451f332008203bcc4ad3f8742eea5011a21ea2c48d277dca46937047d19e72a483673bb7a996fc13745eed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
980051019557d9cfbda1529a873c8556

SHA1
ea467e6cab0d5d7e34f91b9d4bdb5c6ee78460b3

SHA256
439929a37a88d657383aa68effc67b6ea929ba8bcc20ca8169e5345385840819

SHA512
403511fd634ca475d49a634bda0f728fb61a87fe32451f332008203bcc4ad3f8742eea5011a21ea2c48d277dca46937047d19e72a483673bb7a996fc13745eed

Download Submit