0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679

Analysis

max time kernel
152s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
Size

1.1MB
MD5

ac802e503451d703ebd09f365cf0d42f
SHA1

4e260fe8f70973690e67bc2230891409646858fc
SHA256

0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679
SHA512

162bb1849d08af16f7fbe0ff69527a7e2b928008b0d8c1e7ff0d8d70fdb36d742aa43188154dd78fcfa0bb27c3b447b11476e8f333da99645ee298f49a37d79f
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRb:g5ApamAUAQ/lG4lBmFAvZb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2132	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
5060	svchcst.exe
2968	svchcst.exe
2132	svchcst.exe
4200	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
2968	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
5060	svchcst.exe
2968	svchcst.exe
5060	svchcst.exe
4200	svchcst.exe
4200	svchcst.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 1072	5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe	88
PID 5024 wrote to memory of 1072	5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe	88
PID 5024 wrote to memory of 1072	5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe	88
PID 5024 wrote to memory of 4904	5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe	90
PID 5024 wrote to memory of 4904	5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe	90
PID 5024 wrote to memory of 4904	5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe	90
PID 5024 wrote to memory of 4176	5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe	91
PID 5024 wrote to memory of 4176	5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe	91
PID 5024 wrote to memory of 4176	5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe	91
PID 5024 wrote to memory of 3484	5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe	89
PID 5024 wrote to memory of 3484	5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe	89
PID 5024 wrote to memory of 3484	5024	0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe	89
PID 4176 wrote to memory of 5060	4176	WScript.exe	101
PID 4176 wrote to memory of 5060	4176	WScript.exe	101
PID 4176 wrote to memory of 5060	4176	WScript.exe	101
PID 3484 wrote to memory of 2968	3484	WScript.exe	100
PID 3484 wrote to memory of 2968	3484	WScript.exe	100
PID 3484 wrote to memory of 2968	3484	WScript.exe	100
PID 1072 wrote to memory of 2132	1072	WScript.exe	102
PID 1072 wrote to memory of 2132	1072	WScript.exe	102
PID 1072 wrote to memory of 2132	1072	WScript.exe	102
PID 4904 wrote to memory of 4200	4904	WScript.exe	103
PID 4904 wrote to memory of 4200	4904	WScript.exe	103
PID 4904 wrote to memory of 4200	4904	WScript.exe	103

C:\Users\Admin\AppData\Local\Temp\0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe
"C:\Users\Admin\AppData\Local\Temp\0561094f50ef1e77ac31a771b6ef5290f9f1187d83c30fe61709bd6664f25679.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2968
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4200
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
795d298bb9f79d78b308128898759e5f

SHA1
7ffe64f19700936aff6c9a6508934378005eabf6

SHA256
3a3db5557c8a442821f44ca6a7b847c126a51282d11bf1b92cf238e0e7857118

SHA512
22fae39908fc904b80abeb05d2c2a8d22848baa2e1febf846dcc42000bf6a1e95b45988a3e35e36d03c0287693737f2dbd2f8118ea45ed379c184aead8ae320d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
795d298bb9f79d78b308128898759e5f

SHA1
7ffe64f19700936aff6c9a6508934378005eabf6

SHA256
3a3db5557c8a442821f44ca6a7b847c126a51282d11bf1b92cf238e0e7857118

SHA512
22fae39908fc904b80abeb05d2c2a8d22848baa2e1febf846dcc42000bf6a1e95b45988a3e35e36d03c0287693737f2dbd2f8118ea45ed379c184aead8ae320d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f71c590c736998909fef62b8e886b749

SHA1
85f5ab8e0656e6d228fa16e6e5ab2b264b8cbea9

SHA256
b811436eb19223ea88642e24eae5c2c9816b5c16ee93a86535068b10945fd7b0

SHA512
fe23f71920c2da6031580b3d1e410b6cff9cdb4b1d2074855d601eb1313214e6c875df57b98f92420960e8e906fd053513b6f034d159f5d67d88cbf96a1a13c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f71c590c736998909fef62b8e886b749

SHA1
85f5ab8e0656e6d228fa16e6e5ab2b264b8cbea9

SHA256
b811436eb19223ea88642e24eae5c2c9816b5c16ee93a86535068b10945fd7b0

SHA512
fe23f71920c2da6031580b3d1e410b6cff9cdb4b1d2074855d601eb1313214e6c875df57b98f92420960e8e906fd053513b6f034d159f5d67d88cbf96a1a13c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f71c590c736998909fef62b8e886b749

SHA1
85f5ab8e0656e6d228fa16e6e5ab2b264b8cbea9

SHA256
b811436eb19223ea88642e24eae5c2c9816b5c16ee93a86535068b10945fd7b0

SHA512
fe23f71920c2da6031580b3d1e410b6cff9cdb4b1d2074855d601eb1313214e6c875df57b98f92420960e8e906fd053513b6f034d159f5d67d88cbf96a1a13c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f71c590c736998909fef62b8e886b749

SHA1
85f5ab8e0656e6d228fa16e6e5ab2b264b8cbea9

SHA256
b811436eb19223ea88642e24eae5c2c9816b5c16ee93a86535068b10945fd7b0

SHA512
fe23f71920c2da6031580b3d1e410b6cff9cdb4b1d2074855d601eb1313214e6c875df57b98f92420960e8e906fd053513b6f034d159f5d67d88cbf96a1a13c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f71c590c736998909fef62b8e886b749

SHA1
85f5ab8e0656e6d228fa16e6e5ab2b264b8cbea9

SHA256
b811436eb19223ea88642e24eae5c2c9816b5c16ee93a86535068b10945fd7b0

SHA512
fe23f71920c2da6031580b3d1e410b6cff9cdb4b1d2074855d601eb1313214e6c875df57b98f92420960e8e906fd053513b6f034d159f5d67d88cbf96a1a13c1

Download Submit