c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
12/11/2023, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe
Size

1.1MB
MD5

8366bdd359e719935c0925b4bf5631cf
SHA1

34684eaf9c5d331ec3176cfdc6675f3d015044ba
SHA256

c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40
SHA512

97541eca8d802017bfc57ee6459a401f4468bf3253814f2d344d067788154d3185364094c2714b9c99776fdc66e770d4addb7361d691243de701208a96c81b5b
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRS:g5ApamAUAQ/lG4lBmFAvZS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
108	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
108	svchcst.exe
2884	svchcst.exe
1396	svchcst.exe
2788	svchcst.exe
588	svchcst.exe

Loads dropped DLL 6 IoCs

pid	Process
2612	WScript.exe
2612	WScript.exe
2816	WScript.exe
2160	WScript.exe
2160	WScript.exe
436	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe
2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe
2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
108	svchcst.exe
2884	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe
2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe
108	svchcst.exe
108	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
1396	svchcst.exe
1396	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
588	svchcst.exe
588	svchcst.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2640	2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe	28
PID 2188 wrote to memory of 2640	2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe	28
PID 2188 wrote to memory of 2640	2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe	28
PID 2188 wrote to memory of 2640	2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe	28
PID 2188 wrote to memory of 2612	2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe	29
PID 2188 wrote to memory of 2612	2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe	29
PID 2188 wrote to memory of 2612	2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe	29
PID 2188 wrote to memory of 2612	2188	c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe	29
PID 2612 wrote to memory of 108	2612	WScript.exe	31
PID 2612 wrote to memory of 108	2612	WScript.exe	31
PID 2612 wrote to memory of 108	2612	WScript.exe	31
PID 2612 wrote to memory of 108	2612	WScript.exe	31
PID 108 wrote to memory of 2816	108	svchcst.exe	32
PID 108 wrote to memory of 2816	108	svchcst.exe	32
PID 108 wrote to memory of 2816	108	svchcst.exe	32
PID 108 wrote to memory of 2816	108	svchcst.exe	32
PID 2816 wrote to memory of 2884	2816	WScript.exe	33
PID 2816 wrote to memory of 2884	2816	WScript.exe	33
PID 2816 wrote to memory of 2884	2816	WScript.exe	33
PID 2816 wrote to memory of 2884	2816	WScript.exe	33
PID 2884 wrote to memory of 2160	2884	svchcst.exe	34
PID 2884 wrote to memory of 2160	2884	svchcst.exe	34
PID 2884 wrote to memory of 2160	2884	svchcst.exe	34
PID 2884 wrote to memory of 2160	2884	svchcst.exe	34
PID 2160 wrote to memory of 1396	2160	WScript.exe	35
PID 2160 wrote to memory of 1396	2160	WScript.exe	35
PID 2160 wrote to memory of 1396	2160	WScript.exe	35
PID 2160 wrote to memory of 1396	2160	WScript.exe	35
PID 1396 wrote to memory of 436	1396	svchcst.exe	36
PID 1396 wrote to memory of 436	1396	svchcst.exe	36
PID 1396 wrote to memory of 436	1396	svchcst.exe	36
PID 1396 wrote to memory of 436	1396	svchcst.exe	36
PID 2160 wrote to memory of 2788	2160	WScript.exe	37
PID 2160 wrote to memory of 2788	2160	WScript.exe	37
PID 2160 wrote to memory of 2788	2160	WScript.exe	37
PID 2160 wrote to memory of 2788	2160	WScript.exe	37
PID 436 wrote to memory of 588	436	WScript.exe	38
PID 436 wrote to memory of 588	436	WScript.exe	38
PID 436 wrote to memory of 588	436	WScript.exe	38
PID 436 wrote to memory of 588	436	WScript.exe	38

C:\Users\Admin\AppData\Local\Temp\c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe
"C:\Users\Admin\AppData\Local\Temp\c84a4b4a093f6c8724fc665d5aeb2be5338ce2d2c5c0691b946c64f2e1c9ee40.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1115f4236021ff2595e24e5e7fe2d207

SHA1
ae3c90d6cbecda0a9ec5cb84914622213474ca12

SHA256
f3c0c15ceae71227b3155ea851478f412d605acf19d4ec01779a44b74db450db

SHA512
f87806e099857e67ba476f00f0aed397046d24558d9a18939216ee4d4cd9b706c86558ea175b182fc8936dbde34225cffb1d17ebd48915a4c5289f574508ab13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1115f4236021ff2595e24e5e7fe2d207

SHA1
ae3c90d6cbecda0a9ec5cb84914622213474ca12

SHA256
f3c0c15ceae71227b3155ea851478f412d605acf19d4ec01779a44b74db450db

SHA512
f87806e099857e67ba476f00f0aed397046d24558d9a18939216ee4d4cd9b706c86558ea175b182fc8936dbde34225cffb1d17ebd48915a4c5289f574508ab13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
467d2199fa075c7618c033257d8649b4

SHA1
210f13c9a306c380f268c67ca9bf2e938f74904e

SHA256
607ca00071bcfffc95dcb0d1fa83018cd0a7bdf29e0a3dac0c521fe63f09b385

SHA512
b6fc006c41df3280daae078405787a557948e5b0051ecf7099fd26334d54d4975576a1d93260a8e4f706bc81b3c7e8ccb52bce1f5bcc5be4b188532c8f595b2b

Download Submit