df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe
Size

1.2MB
MD5

b1cc0b4fc69022452ee3029ae3ee32a4
SHA1

efa03a8a93ed4632c7e1ab7ad5e9b9bb7d27c9ec
SHA256

df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b
SHA512

10f0bca69148e291163593bc677ce72f19f85b9e13b7f1d4b5ba2a3200c3d2ab6c75513f98e09b184df18cfad9faa398cd8233f03edbb33c561fe8e35969cb0f
SSDEEP

24576:vlAzF5dI2vYKWb6Dsq3P3K4XY0esxUAUbwvaoslG45wyvCj8z7mwL:voep0hUbSklG45lvMcL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2176	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	svchcst.exe
2960	svchcst.exe

Loads dropped DLL 2 IoCs

pid	Process
2720	WScript.exe
2716	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe
2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe
2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe
2176	svchcst.exe
2176	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2716	2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe	29
PID 2116 wrote to memory of 2716	2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe	29
PID 2116 wrote to memory of 2716	2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe	29
PID 2116 wrote to memory of 2716	2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe	29
PID 2116 wrote to memory of 2720	2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe	28
PID 2116 wrote to memory of 2720	2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe	28
PID 2116 wrote to memory of 2720	2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe	28
PID 2116 wrote to memory of 2720	2116	df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe	28
PID 2720 wrote to memory of 2176	2720	WScript.exe	31
PID 2720 wrote to memory of 2176	2720	WScript.exe	31
PID 2720 wrote to memory of 2176	2720	WScript.exe	31
PID 2720 wrote to memory of 2176	2720	WScript.exe	31
PID 2716 wrote to memory of 2960	2716	WScript.exe	32
PID 2716 wrote to memory of 2960	2716	WScript.exe	32
PID 2716 wrote to memory of 2960	2716	WScript.exe	32
PID 2716 wrote to memory of 2960	2716	WScript.exe	32

C:\Users\Admin\AppData\Local\Temp\df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe
"C:\Users\Admin\AppData\Local\Temp\df06f8914b7665b472008e50d9060fd5e9fb3fca7c96ad266c81b99c260f710b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2176
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
799fce6bbe9ce2831452c0614a3c0cf9

SHA1
67725dda1dc595d166d93f548baf042b5144575e

SHA256
be4518f46f3ac663720926150169ac4d3bdf2b1e4bd17676889f200974f98218

SHA512
76bac04b2951b1cd66715158a3f10f674896b4265741ffec9f6913a1a08432e495e035ce02da7190791ad487682185582f39cd17a02e860fbd1adcc4ba4d2d7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
799fce6bbe9ce2831452c0614a3c0cf9

SHA1
67725dda1dc595d166d93f548baf042b5144575e

SHA256
be4518f46f3ac663720926150169ac4d3bdf2b1e4bd17676889f200974f98218

SHA512
76bac04b2951b1cd66715158a3f10f674896b4265741ffec9f6913a1a08432e495e035ce02da7190791ad487682185582f39cd17a02e860fbd1adcc4ba4d2d7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
4c59757fcec8153fb7bb773448e346e6

SHA1
876ce5b12b35887c1bccd465b5306a473612e4bd

SHA256
cb77d0c174bcf810a300b99cc51902e579a677b8031e960e6bb52df4ad767a98

SHA512
14bc2732c203d3f6ef4c834e5822f92ad21753ce642597fd1d82ffdad42e73b4e23ba1f01b881bf12930d138164cbcade10d1a6d57e07b2ca36ffb5be32586fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
4c59757fcec8153fb7bb773448e346e6

SHA1
876ce5b12b35887c1bccd465b5306a473612e4bd

SHA256
cb77d0c174bcf810a300b99cc51902e579a677b8031e960e6bb52df4ad767a98

SHA512
14bc2732c203d3f6ef4c834e5822f92ad21753ce642597fd1d82ffdad42e73b4e23ba1f01b881bf12930d138164cbcade10d1a6d57e07b2ca36ffb5be32586fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
4c59757fcec8153fb7bb773448e346e6

SHA1
876ce5b12b35887c1bccd465b5306a473612e4bd

SHA256
cb77d0c174bcf810a300b99cc51902e579a677b8031e960e6bb52df4ad767a98

SHA512
14bc2732c203d3f6ef4c834e5822f92ad21753ce642597fd1d82ffdad42e73b4e23ba1f01b881bf12930d138164cbcade10d1a6d57e07b2ca36ffb5be32586fe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
4c59757fcec8153fb7bb773448e346e6

SHA1
876ce5b12b35887c1bccd465b5306a473612e4bd

SHA256
cb77d0c174bcf810a300b99cc51902e579a677b8031e960e6bb52df4ad767a98

SHA512
14bc2732c203d3f6ef4c834e5822f92ad21753ce642597fd1d82ffdad42e73b4e23ba1f01b881bf12930d138164cbcade10d1a6d57e07b2ca36ffb5be32586fe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
4c59757fcec8153fb7bb773448e346e6

SHA1
876ce5b12b35887c1bccd465b5306a473612e4bd

SHA256
cb77d0c174bcf810a300b99cc51902e579a677b8031e960e6bb52df4ad767a98

SHA512
14bc2732c203d3f6ef4c834e5822f92ad21753ce642597fd1d82ffdad42e73b4e23ba1f01b881bf12930d138164cbcade10d1a6d57e07b2ca36ffb5be32586fe

Download Submit