14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2023 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe
Size

1.2MB
MD5

3453819d9b03b13fed24045f830483b4
SHA1

273b82e9bb6d03f10432bdab9133b5b23b3b0369
SHA256

14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d
SHA512

b6c8abe28f9c3ff90122ab5c275dd388dc08402b860b4cbd3073fe2cb39da87a8e0494cb5488fbb896e7457aeb4c1588cf60c6276099f1ed57fbb6ee985ff87d
SSDEEP

24576:vlAzF5dI2vYKWb6Dsq3P3K4XY0esxUAUbwvaoslG45wyvCj8z7mwx:voep0hUbSklG45lvMcx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4120	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4120	svchcst.exe
2604	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe
5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe
5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe
5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe
5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe
5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe
5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe
4120	svchcst.exe
4120	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 1276	5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe	89
PID 5080 wrote to memory of 1276	5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe	89
PID 5080 wrote to memory of 1276	5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe	89
PID 5080 wrote to memory of 1228	5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe	90
PID 5080 wrote to memory of 1228	5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe	90
PID 5080 wrote to memory of 1228	5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe	90
PID 5080 wrote to memory of 3648	5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe	91
PID 5080 wrote to memory of 3648	5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe	91
PID 5080 wrote to memory of 3648	5080	14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe	91
PID 1228 wrote to memory of 4120	1228	WScript.exe	100
PID 1228 wrote to memory of 4120	1228	WScript.exe	100
PID 1228 wrote to memory of 4120	1228	WScript.exe	100
PID 3648 wrote to memory of 2604	3648	WScript.exe	99
PID 3648 wrote to memory of 2604	3648	WScript.exe	99
PID 3648 wrote to memory of 2604	3648	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe
"C:\Users\Admin\AppData\Local\Temp\14421f63fb79f876f33303c8654b31e6701923341155aa07b7230d5547f7b81d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1276
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1448
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4120
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8b44e008ec0133e3815627829823ad3d

SHA1
06ddeca103c09087b784a5f1d30ba1e2977b8718

SHA256
41d5dd6b75dead8c451569bfcbc3bfac9b42adc811502e1e5a867e5d417902ce

SHA512
9572dfa8893f98b94cbe6772d8d6289679c7652652814ae5aab05e448636a3ccbb060298f686dfe687a3fef0f8faea0bd50dfa54664277fcd9607b61b1e9c428

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8b44e008ec0133e3815627829823ad3d

SHA1
06ddeca103c09087b784a5f1d30ba1e2977b8718

SHA256
41d5dd6b75dead8c451569bfcbc3bfac9b42adc811502e1e5a867e5d417902ce

SHA512
9572dfa8893f98b94cbe6772d8d6289679c7652652814ae5aab05e448636a3ccbb060298f686dfe687a3fef0f8faea0bd50dfa54664277fcd9607b61b1e9c428

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
a9a5a80bd7343ed8033b481f08b4e741

SHA1
650c3ad42f6ba5492bececd9299b138da443bf22

SHA256
2383fef00ffe066a7a0928a025df291b912f18ed7aea91f64dd831a9e11a31e2

SHA512
f16388e323ee034c4d8b78f7bcb0ce40e8b4b7e3dfec42ccb4fa21dbddc0aa153fdcc30305e617001de01bd65b7a43e66fe350e5403fb796256f6cf0688e9c87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
a9a5a80bd7343ed8033b481f08b4e741

SHA1
650c3ad42f6ba5492bececd9299b138da443bf22

SHA256
2383fef00ffe066a7a0928a025df291b912f18ed7aea91f64dd831a9e11a31e2

SHA512
f16388e323ee034c4d8b78f7bcb0ce40e8b4b7e3dfec42ccb4fa21dbddc0aa153fdcc30305e617001de01bd65b7a43e66fe350e5403fb796256f6cf0688e9c87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
a9a5a80bd7343ed8033b481f08b4e741

SHA1
650c3ad42f6ba5492bececd9299b138da443bf22

SHA256
2383fef00ffe066a7a0928a025df291b912f18ed7aea91f64dd831a9e11a31e2

SHA512
f16388e323ee034c4d8b78f7bcb0ce40e8b4b7e3dfec42ccb4fa21dbddc0aa153fdcc30305e617001de01bd65b7a43e66fe350e5403fb796256f6cf0688e9c87

Download Submit