5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 17:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe
Size

1.1MB
MD5

e3bf7cb227392964f1fae3a9a983e422
SHA1

3dd8a579c7983fa3e169cba8b2832cf718663aab
SHA256

5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac
SHA512

2d9ff4150c22e2af2c7bfb1787e8ce6f0ea59bdfca85004d40fbc8536afac5b521acf1dab1b8bd7f88936127abf734da96a0e03d2a77cc40103b7156a0ed7d4d
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRx:g5ApamAUAQ/lG4lBmFAvZx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3324	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3324	svchcst.exe
2136	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe
4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe
4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe
4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe
4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe
4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe
4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe
3324	svchcst.exe
3324	svchcst.exe
2136	svchcst.exe
2136	svchcst.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 2036	4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe	87
PID 4144 wrote to memory of 2036	4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe	87
PID 4144 wrote to memory of 2036	4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe	87
PID 4144 wrote to memory of 4816	4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe	85
PID 4144 wrote to memory of 4816	4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe	85
PID 4144 wrote to memory of 4816	4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe	85
PID 4144 wrote to memory of 1736	4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe	86
PID 4144 wrote to memory of 1736	4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe	86
PID 4144 wrote to memory of 1736	4144	5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe	86
PID 1736 wrote to memory of 3324	1736	WScript.exe	89
PID 1736 wrote to memory of 3324	1736	WScript.exe	89
PID 1736 wrote to memory of 3324	1736	WScript.exe	89
PID 4816 wrote to memory of 2136	4816	WScript.exe	90
PID 4816 wrote to memory of 2136	4816	WScript.exe	90
PID 4816 wrote to memory of 2136	4816	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe
"C:\Users\Admin\AppData\Local\Temp\5ed7210f1e4f9023ccaf6889263bead99f35fda06dde2ac9466be124758204ac.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3324
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a3ad5214d6019ba7ddbbb3a1a1b8dc84

SHA1
e2d86713064720a4b537128fee0fe12c6adca1f9

SHA256
255cceb6e0b8257a13870f6c508b12e6d5313cf5b0496de2825ee586644505c9

SHA512
1b02960f53f3e8d496f2c95ffe00e6735bff68085b388e11623090b018b0bd8168b7fb9bb4d698c58056d39db1b124d43c813f32716caa484b6a2b3f90391162

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a3ad5214d6019ba7ddbbb3a1a1b8dc84

SHA1
e2d86713064720a4b537128fee0fe12c6adca1f9

SHA256
255cceb6e0b8257a13870f6c508b12e6d5313cf5b0496de2825ee586644505c9

SHA512
1b02960f53f3e8d496f2c95ffe00e6735bff68085b388e11623090b018b0bd8168b7fb9bb4d698c58056d39db1b124d43c813f32716caa484b6a2b3f90391162

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
aed29c13bcda7401f709b58a72081010

SHA1
52487da4c9842c905dfd459d879797f64b772b79

SHA256
387c16aa40210f635da0507131ee92e2568554cce75c2969359d5e9286cc6c02

SHA512
fc175b437e400e70f03d8b1beaf49974a7438b11c16eaa2d3240a46ad0d5df65f77491fad97163fbd8ee8687349012f4480bdb03386c0e2d200bdf6d3479c241

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
aed29c13bcda7401f709b58a72081010

SHA1
52487da4c9842c905dfd459d879797f64b772b79

SHA256
387c16aa40210f635da0507131ee92e2568554cce75c2969359d5e9286cc6c02

SHA512
fc175b437e400e70f03d8b1beaf49974a7438b11c16eaa2d3240a46ad0d5df65f77491fad97163fbd8ee8687349012f4480bdb03386c0e2d200bdf6d3479c241

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
aed29c13bcda7401f709b58a72081010

SHA1
52487da4c9842c905dfd459d879797f64b772b79

SHA256
387c16aa40210f635da0507131ee92e2568554cce75c2969359d5e9286cc6c02

SHA512
fc175b437e400e70f03d8b1beaf49974a7438b11c16eaa2d3240a46ad0d5df65f77491fad97163fbd8ee8687349012f4480bdb03386c0e2d200bdf6d3479c241

Download Submit