5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831

Analysis

max time kernel
99s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 06:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
Size

1.1MB
MD5

42962ddca5c65d4ab9996c733ce7944e
SHA1

7bb6e1d0eef7bae2ccded2c0381581187f9f4521
SHA256

5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831
SHA512

26442a198e3f406c8ee57314a5783965e258d01f909da478470d2def66cdad6a466fc2471e0ffd2e3c837a2dacd70e6960ea66555e5d3eb598782b2174deca2d
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QW:CcaClSFlG4ZM7QzMN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3972	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
3972	svchcst.exe
1896	svchcst.exe
4432	svchcst.exe
4028	svchcst.exe
4872	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe
3972	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
1896	svchcst.exe
3972	svchcst.exe
1896	svchcst.exe
3972	svchcst.exe
4432	svchcst.exe
4432	svchcst.exe
4028	svchcst.exe
4028	svchcst.exe
4872	svchcst.exe
4872	svchcst.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 4556	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	97
PID 3352 wrote to memory of 4556	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	97
PID 3352 wrote to memory of 4556	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	97
PID 3352 wrote to memory of 4636	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	98
PID 3352 wrote to memory of 4636	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	98
PID 3352 wrote to memory of 4636	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	98
PID 3352 wrote to memory of 4684	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	95
PID 3352 wrote to memory of 4684	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	95
PID 3352 wrote to memory of 4684	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	95
PID 3352 wrote to memory of 4768	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	96
PID 3352 wrote to memory of 4768	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	96
PID 3352 wrote to memory of 4768	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	96
PID 3352 wrote to memory of 2596	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	94
PID 3352 wrote to memory of 2596	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	94
PID 3352 wrote to memory of 2596	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	94
PID 3352 wrote to memory of 3824	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	93
PID 3352 wrote to memory of 3824	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	93
PID 3352 wrote to memory of 3824	3352	5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe	93
PID 3824 wrote to memory of 3972	3824	WScript.exe	101
PID 3824 wrote to memory of 3972	3824	WScript.exe	101
PID 3824 wrote to memory of 3972	3824	WScript.exe	101
PID 2596 wrote to memory of 1896	2596	WScript.exe	100
PID 2596 wrote to memory of 1896	2596	WScript.exe	100
PID 2596 wrote to memory of 1896	2596	WScript.exe	100
PID 4684 wrote to memory of 4432	4684	WScript.exe	102
PID 4684 wrote to memory of 4432	4684	WScript.exe	102
PID 4684 wrote to memory of 4432	4684	WScript.exe	102
PID 4768 wrote to memory of 4028	4768	WScript.exe	103
PID 4768 wrote to memory of 4028	4768	WScript.exe	103
PID 4768 wrote to memory of 4028	4768	WScript.exe	103
PID 4636 wrote to memory of 4872	4636	WScript.exe	104
PID 4636 wrote to memory of 4872	4636	WScript.exe	104
PID 4636 wrote to memory of 4872	4636	WScript.exe	104

C:\Users\Admin\AppData\Local\Temp\5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe
"C:\Users\Admin\AppData\Local\Temp\5bb38808d837f44b2516d636f1f726fdf58168ea417d96c52110536b61e5d831.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1896
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4432
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:4556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
95c6e3f5bfcb444dce665f4542f32ffa

SHA1
2c7911cf4c49e3a1babf57102df68685b3acaca9

SHA256
6a8ffc1e2862916def9f31500754296b4cf4194dcec5e05763ae7c1b6f5b7de7

SHA512
b07ff2563fbc9893cb624d1c74593b0bc9fdf57e72ee13579a839368abee0a5b84933a29947b765e3f345b3fdd86482294e063e62f13580ad71853fab5d3201a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
95c6e3f5bfcb444dce665f4542f32ffa

SHA1
2c7911cf4c49e3a1babf57102df68685b3acaca9

SHA256
6a8ffc1e2862916def9f31500754296b4cf4194dcec5e05763ae7c1b6f5b7de7

SHA512
b07ff2563fbc9893cb624d1c74593b0bc9fdf57e72ee13579a839368abee0a5b84933a29947b765e3f345b3fdd86482294e063e62f13580ad71853fab5d3201a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1d7906cc7d5832869bdaa458b0bb0b46

SHA1
d7bbdb36c242b529a2d4fa5cfc1c1d899cf27a04

SHA256
4734fb1376cc3ec736400651c83a0085185f6a0f60e48fe535a29e2e85bd56b0

SHA512
a5cd25297e4a21262639d9c0c89cb27eaff248ff81c6b66b53bc5d25136dedb18d1cb43313bb37aae9266cbe0d56173027460631c83a6d11f8c372367aac5692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1d7906cc7d5832869bdaa458b0bb0b46

SHA1
d7bbdb36c242b529a2d4fa5cfc1c1d899cf27a04

SHA256
4734fb1376cc3ec736400651c83a0085185f6a0f60e48fe535a29e2e85bd56b0

SHA512
a5cd25297e4a21262639d9c0c89cb27eaff248ff81c6b66b53bc5d25136dedb18d1cb43313bb37aae9266cbe0d56173027460631c83a6d11f8c372367aac5692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1d7906cc7d5832869bdaa458b0bb0b46

SHA1
d7bbdb36c242b529a2d4fa5cfc1c1d899cf27a04

SHA256
4734fb1376cc3ec736400651c83a0085185f6a0f60e48fe535a29e2e85bd56b0

SHA512
a5cd25297e4a21262639d9c0c89cb27eaff248ff81c6b66b53bc5d25136dedb18d1cb43313bb37aae9266cbe0d56173027460631c83a6d11f8c372367aac5692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1d7906cc7d5832869bdaa458b0bb0b46

SHA1
d7bbdb36c242b529a2d4fa5cfc1c1d899cf27a04

SHA256
4734fb1376cc3ec736400651c83a0085185f6a0f60e48fe535a29e2e85bd56b0

SHA512
a5cd25297e4a21262639d9c0c89cb27eaff248ff81c6b66b53bc5d25136dedb18d1cb43313bb37aae9266cbe0d56173027460631c83a6d11f8c372367aac5692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1d7906cc7d5832869bdaa458b0bb0b46

SHA1
d7bbdb36c242b529a2d4fa5cfc1c1d899cf27a04

SHA256
4734fb1376cc3ec736400651c83a0085185f6a0f60e48fe535a29e2e85bd56b0

SHA512
a5cd25297e4a21262639d9c0c89cb27eaff248ff81c6b66b53bc5d25136dedb18d1cb43313bb37aae9266cbe0d56173027460631c83a6d11f8c372367aac5692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1d7906cc7d5832869bdaa458b0bb0b46

SHA1
d7bbdb36c242b529a2d4fa5cfc1c1d899cf27a04

SHA256
4734fb1376cc3ec736400651c83a0085185f6a0f60e48fe535a29e2e85bd56b0

SHA512
a5cd25297e4a21262639d9c0c89cb27eaff248ff81c6b66b53bc5d25136dedb18d1cb43313bb37aae9266cbe0d56173027460631c83a6d11f8c372367aac5692

Download Submit