c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 01:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
Size

1.2MB
MD5

d745cc5c153e7c2cca9e9d20928ea439
SHA1

3c176f1720a99cd606898acbeb377fa613062e6e
SHA256

c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65
SHA512

d508f0457b6d55a16d48e8e3ce992fefb9a6513bd3acf3ca4e6f331dbdce92ea2c701e4bde11affc360322b1bf702fb53bfa58b7d1cf0154902e908a56f88d6f
SSDEEP

24576:vlAzF5dI2vYKWb6Dsq3P3K4XY0esxUAUbwvaoslG45wyvCj8z7mw8:voep0hUbSklG45lvMc8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
2956	svchcst.exe
4744	svchcst.exe
4676	svchcst.exe
3212	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
2956	svchcst.exe
2956	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4676	svchcst.exe
4676	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2008	3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe	90
PID 3000 wrote to memory of 3736	3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe	89
PID 3000 wrote to memory of 2008	3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe	90
PID 3000 wrote to memory of 2008	3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe	90
PID 3000 wrote to memory of 3736	3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe	89
PID 3000 wrote to memory of 3736	3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe	89
PID 3000 wrote to memory of 5104	3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe	91
PID 3000 wrote to memory of 5104	3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe	91
PID 3000 wrote to memory of 5104	3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe	91
PID 3000 wrote to memory of 1324	3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe	92
PID 3000 wrote to memory of 1324	3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe	92
PID 3000 wrote to memory of 1324	3000	c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe	92
PID 2008 wrote to memory of 2956	2008	WScript.exe	97
PID 2008 wrote to memory of 2956	2008	WScript.exe	97
PID 2008 wrote to memory of 2956	2008	WScript.exe	97
PID 5104 wrote to memory of 4744	5104	WScript.exe	98
PID 5104 wrote to memory of 4744	5104	WScript.exe	98
PID 5104 wrote to memory of 4744	5104	WScript.exe	98
PID 1324 wrote to memory of 4676	1324	WScript.exe	99
PID 1324 wrote to memory of 4676	1324	WScript.exe	99
PID 1324 wrote to memory of 4676	1324	WScript.exe	99
PID 3736 wrote to memory of 3212	3736	WScript.exe	100
PID 3736 wrote to memory of 3212	3736	WScript.exe	100
PID 3736 wrote to memory of 3212	3736	WScript.exe	100

C:\Users\Admin\AppData\Local\Temp\c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe
"C:\Users\Admin\AppData\Local\Temp\c3a9fdae5e195a445a45133ded4196915f2608eb6a1659ea6a13588ecace7a65.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
14e639f0fe690b1b2eafe19851c8f0fc

SHA1
0a048bfbfed20f7f428caee858798ef70f4b45da

SHA256
10522771a62c4bf3ca1b5006cd93121e88f245d98915e13829c7ebe068c5fee2

SHA512
72153344ef61bf16fa621cf9f6fc24ce95835c217c7768e88dc166e5857f054505c592ef636fecb188820198de541c75907262141dc18d6ed664d512aa9ed1dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
14e639f0fe690b1b2eafe19851c8f0fc

SHA1
0a048bfbfed20f7f428caee858798ef70f4b45da

SHA256
10522771a62c4bf3ca1b5006cd93121e88f245d98915e13829c7ebe068c5fee2

SHA512
72153344ef61bf16fa621cf9f6fc24ce95835c217c7768e88dc166e5857f054505c592ef636fecb188820198de541c75907262141dc18d6ed664d512aa9ed1dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
c2efdfd4872e22cacf9908803c521a34

SHA1
d709ab477341f0526a82b402187d3ae1b56df9f0

SHA256
22e660cce1cc7aa4195243e4d66e0ad06d9f6d876d3e6f5d5f9ad74694c0a460

SHA512
e8338b3e2a7fd9a81fd757305ec0edacde939dc00ec0c56c77592610ced0c5f07e918839f69e5ff199c4d98dc91e8b9ba48319a0b5c0d928d3c0746f2295aeef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
c2efdfd4872e22cacf9908803c521a34

SHA1
d709ab477341f0526a82b402187d3ae1b56df9f0

SHA256
22e660cce1cc7aa4195243e4d66e0ad06d9f6d876d3e6f5d5f9ad74694c0a460

SHA512
e8338b3e2a7fd9a81fd757305ec0edacde939dc00ec0c56c77592610ced0c5f07e918839f69e5ff199c4d98dc91e8b9ba48319a0b5c0d928d3c0746f2295aeef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
c2efdfd4872e22cacf9908803c521a34

SHA1
d709ab477341f0526a82b402187d3ae1b56df9f0

SHA256
22e660cce1cc7aa4195243e4d66e0ad06d9f6d876d3e6f5d5f9ad74694c0a460

SHA512
e8338b3e2a7fd9a81fd757305ec0edacde939dc00ec0c56c77592610ced0c5f07e918839f69e5ff199c4d98dc91e8b9ba48319a0b5c0d928d3c0746f2295aeef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
c2efdfd4872e22cacf9908803c521a34

SHA1
d709ab477341f0526a82b402187d3ae1b56df9f0

SHA256
22e660cce1cc7aa4195243e4d66e0ad06d9f6d876d3e6f5d5f9ad74694c0a460

SHA512
e8338b3e2a7fd9a81fd757305ec0edacde939dc00ec0c56c77592610ced0c5f07e918839f69e5ff199c4d98dc91e8b9ba48319a0b5c0d928d3c0746f2295aeef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
c2efdfd4872e22cacf9908803c521a34

SHA1
d709ab477341f0526a82b402187d3ae1b56df9f0

SHA256
22e660cce1cc7aa4195243e4d66e0ad06d9f6d876d3e6f5d5f9ad74694c0a460

SHA512
e8338b3e2a7fd9a81fd757305ec0edacde939dc00ec0c56c77592610ced0c5f07e918839f69e5ff199c4d98dc91e8b9ba48319a0b5c0d928d3c0746f2295aeef

Download Submit