fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a

Analysis

max time kernel
87s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe
Size

1.1MB
MD5

00fd7746a80f1936cd8f235ae6f9558a
SHA1

19b0b59313b124dcbbd8979aa35de883da1a5314
SHA256

fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a
SHA512

a255d3eb3bc0224dcdf7f925d6a3084ed6d1050c2ed99c41a480e5deac6efc9f1003fe471c38ab5886b064063da704ffc7addcf3efde45fd30bb3e73e1b181ec
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QB:CcaClSFlG4ZM7QzMy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1900	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1900	svchcst.exe
1748	svchcst.exe
2380	svchcst.exe

Loads dropped DLL 6 IoCs

pid	Process
2492	WScript.exe
2492	WScript.exe
2556	WScript.exe
2580	WScript.exe
2556	WScript.exe
2580	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe
1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe
1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe
1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe
1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe
1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe
1900	svchcst.exe
1900	svchcst.exe
1748	svchcst.exe
1748	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 2556	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	31
PID 1376 wrote to memory of 2556	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	31
PID 1376 wrote to memory of 2556	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	31
PID 1376 wrote to memory of 2556	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	31
PID 1376 wrote to memory of 2580	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	29
PID 1376 wrote to memory of 2580	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	29
PID 1376 wrote to memory of 2580	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	29
PID 1376 wrote to memory of 2580	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	29
PID 1376 wrote to memory of 2916	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	30
PID 1376 wrote to memory of 2916	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	30
PID 1376 wrote to memory of 2916	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	30
PID 1376 wrote to memory of 2916	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	30
PID 1376 wrote to memory of 2492	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	28
PID 1376 wrote to memory of 2492	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	28
PID 1376 wrote to memory of 2492	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	28
PID 1376 wrote to memory of 2492	1376	fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe	28
PID 2492 wrote to memory of 1900	2492	WScript.exe	34
PID 2492 wrote to memory of 1900	2492	WScript.exe	34
PID 2492 wrote to memory of 1900	2492	WScript.exe	34
PID 2492 wrote to memory of 1900	2492	WScript.exe	34
PID 2556 wrote to memory of 1748	2556	WScript.exe	36
PID 2556 wrote to memory of 1748	2556	WScript.exe	36
PID 2556 wrote to memory of 1748	2556	WScript.exe	36
PID 2556 wrote to memory of 1748	2556	WScript.exe	36
PID 2580 wrote to memory of 2380	2580	WScript.exe	35
PID 2580 wrote to memory of 2380	2580	WScript.exe	35
PID 2580 wrote to memory of 2380	2580	WScript.exe	35
PID 2580 wrote to memory of 2380	2580	WScript.exe	35
PID 2380 wrote to memory of 1428	2380	svchcst.exe	37
PID 2380 wrote to memory of 1428	2380	svchcst.exe	37
PID 2380 wrote to memory of 1428	2380	svchcst.exe	37
PID 2380 wrote to memory of 1428	2380	svchcst.exe	37

C:\Users\Admin\AppData\Local\Temp\fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe
"C:\Users\Admin\AppData\Local\Temp\fcc4a189dd0998e66c23fb48c48d794dd8f2775b53d5faf494a62fcb94e1826a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:1428
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2916
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c712e859aa5e596f173652b1cdd09b34

SHA1
efbeb2451371391783c04a4f38cf86a63d9361f7

SHA256
464f8bdb53be9cc441a4fe296b6462d2cc397f5a752f04bd21ae909eddb0c25a

SHA512
9aef6ebbdf8714a5b25e83ef9a5785cc6e6932b157823a3e54b5213c405fdd8f37cbddd15829a1265083a053022b822b80da468032f304dbf7c3f2c67b744f83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c712e859aa5e596f173652b1cdd09b34

SHA1
efbeb2451371391783c04a4f38cf86a63d9361f7

SHA256
464f8bdb53be9cc441a4fe296b6462d2cc397f5a752f04bd21ae909eddb0c25a

SHA512
9aef6ebbdf8714a5b25e83ef9a5785cc6e6932b157823a3e54b5213c405fdd8f37cbddd15829a1265083a053022b822b80da468032f304dbf7c3f2c67b744f83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
993916b1bb4cfc31de91311113f56eb6

SHA1
264389415104b775456141782471f325eba889aa

SHA256
b2f25935d915c776a4a41deda1cdeabac556d5bba75f056f95564d7c40123dd5

SHA512
1bb13aee2c297436a4aa874e352486a8951ebc98dd17330c2184af6881997f732085d42c6d678fe2326faaabaf70e7448c3c5f94680bc5f4799e74bf2566caff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
993916b1bb4cfc31de91311113f56eb6

SHA1
264389415104b775456141782471f325eba889aa

SHA256
b2f25935d915c776a4a41deda1cdeabac556d5bba75f056f95564d7c40123dd5

SHA512
1bb13aee2c297436a4aa874e352486a8951ebc98dd17330c2184af6881997f732085d42c6d678fe2326faaabaf70e7448c3c5f94680bc5f4799e74bf2566caff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
993916b1bb4cfc31de91311113f56eb6

SHA1
264389415104b775456141782471f325eba889aa

SHA256
b2f25935d915c776a4a41deda1cdeabac556d5bba75f056f95564d7c40123dd5

SHA512
1bb13aee2c297436a4aa874e352486a8951ebc98dd17330c2184af6881997f732085d42c6d678fe2326faaabaf70e7448c3c5f94680bc5f4799e74bf2566caff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
993916b1bb4cfc31de91311113f56eb6

SHA1
264389415104b775456141782471f325eba889aa

SHA256
b2f25935d915c776a4a41deda1cdeabac556d5bba75f056f95564d7c40123dd5

SHA512
1bb13aee2c297436a4aa874e352486a8951ebc98dd17330c2184af6881997f732085d42c6d678fe2326faaabaf70e7448c3c5f94680bc5f4799e74bf2566caff

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
993916b1bb4cfc31de91311113f56eb6

SHA1
264389415104b775456141782471f325eba889aa

SHA256
b2f25935d915c776a4a41deda1cdeabac556d5bba75f056f95564d7c40123dd5

SHA512
1bb13aee2c297436a4aa874e352486a8951ebc98dd17330c2184af6881997f732085d42c6d678fe2326faaabaf70e7448c3c5f94680bc5f4799e74bf2566caff

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
993916b1bb4cfc31de91311113f56eb6

SHA1
264389415104b775456141782471f325eba889aa

SHA256
b2f25935d915c776a4a41deda1cdeabac556d5bba75f056f95564d7c40123dd5

SHA512
1bb13aee2c297436a4aa874e352486a8951ebc98dd17330c2184af6881997f732085d42c6d678fe2326faaabaf70e7448c3c5f94680bc5f4799e74bf2566caff

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
993916b1bb4cfc31de91311113f56eb6

SHA1
264389415104b775456141782471f325eba889aa

SHA256
b2f25935d915c776a4a41deda1cdeabac556d5bba75f056f95564d7c40123dd5

SHA512
1bb13aee2c297436a4aa874e352486a8951ebc98dd17330c2184af6881997f732085d42c6d678fe2326faaabaf70e7448c3c5f94680bc5f4799e74bf2566caff

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
993916b1bb4cfc31de91311113f56eb6

SHA1
264389415104b775456141782471f325eba889aa

SHA256
b2f25935d915c776a4a41deda1cdeabac556d5bba75f056f95564d7c40123dd5

SHA512
1bb13aee2c297436a4aa874e352486a8951ebc98dd17330c2184af6881997f732085d42c6d678fe2326faaabaf70e7448c3c5f94680bc5f4799e74bf2566caff

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
993916b1bb4cfc31de91311113f56eb6

SHA1
264389415104b775456141782471f325eba889aa

SHA256
b2f25935d915c776a4a41deda1cdeabac556d5bba75f056f95564d7c40123dd5

SHA512
1bb13aee2c297436a4aa874e352486a8951ebc98dd17330c2184af6881997f732085d42c6d678fe2326faaabaf70e7448c3c5f94680bc5f4799e74bf2566caff

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
993916b1bb4cfc31de91311113f56eb6

SHA1
264389415104b775456141782471f325eba889aa

SHA256
b2f25935d915c776a4a41deda1cdeabac556d5bba75f056f95564d7c40123dd5

SHA512
1bb13aee2c297436a4aa874e352486a8951ebc98dd17330c2184af6881997f732085d42c6d678fe2326faaabaf70e7448c3c5f94680bc5f4799e74bf2566caff

Download Submit
memory/1376-4-0x00000000045B0000-0x00000000045D9000-memory.dmp

Filesize
164KB

Download