6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2023, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe
Size

1.1MB
MD5

2e310cacec090e1f852bd4385c4ef372
SHA1

16aab23cfaa415db18c117bd64b564f179ccf855
SHA256

6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c
SHA512

26e75de251b7229391d890986b3a847333ea4ceeece0a1930f9e21f265d16381e3794dd508269ab029a1b8ffe0def1b1504bd1608ebe24538509b03e94ad5651
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyR2:g5ApamAUAQ/lG4lBmFAvZ2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4256	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2280	svchcst.exe
4616	svchcst.exe
4256	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe
940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe
940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe
940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe
940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe
940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe
4256	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe
940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe
4256	svchcst.exe
4256	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
4616	svchcst.exe
4616	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 228	940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe	90
PID 940 wrote to memory of 3176	940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe	89
PID 940 wrote to memory of 228	940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe	90
PID 940 wrote to memory of 228	940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe	90
PID 940 wrote to memory of 3176	940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe	89
PID 940 wrote to memory of 3176	940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe	89
PID 940 wrote to memory of 4664	940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe	88
PID 940 wrote to memory of 4664	940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe	88
PID 940 wrote to memory of 4664	940	6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe	88
PID 4664 wrote to memory of 2280	4664	WScript.exe	99
PID 4664 wrote to memory of 2280	4664	WScript.exe	99
PID 4664 wrote to memory of 2280	4664	WScript.exe	99
PID 3176 wrote to memory of 4616	3176	WScript.exe	100
PID 3176 wrote to memory of 4616	3176	WScript.exe	100
PID 3176 wrote to memory of 4616	3176	WScript.exe	100
PID 228 wrote to memory of 4256	228	WScript.exe	101
PID 228 wrote to memory of 4256	228	WScript.exe	101
PID 228 wrote to memory of 4256	228	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe
"C:\Users\Admin\AppData\Local\Temp\6f1381602c372df795d8da4473816936ebde5471dea7934c1e0b6ee4f393785c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2280
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4616
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
736f059f9dfa8bd75421b6dda7610e4d

SHA1
aebf2630a9712828c4c5967bf547f9c0120ef971

SHA256
23232aa4e3c74cd57dc121e45ea0dcca2b4b2dc3b28d90a8607ebbd1433d6250

SHA512
cd757aa56096d715cbe0fc02f54e6c76ce832d47c924879211686615f9b25ca8edb52167c170b08b0476132632133ac54f064d095f19df9b5da9bdfb9b64433d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
736f059f9dfa8bd75421b6dda7610e4d

SHA1
aebf2630a9712828c4c5967bf547f9c0120ef971

SHA256
23232aa4e3c74cd57dc121e45ea0dcca2b4b2dc3b28d90a8607ebbd1433d6250

SHA512
cd757aa56096d715cbe0fc02f54e6c76ce832d47c924879211686615f9b25ca8edb52167c170b08b0476132632133ac54f064d095f19df9b5da9bdfb9b64433d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7fa721431a9e7c36c3b39e8407a4ed3c

SHA1
16879c6d1433aea133cba34a5f4ddc0ca3e0bd8d

SHA256
069be851bc6aa938f8045ea4831ffaabf5a369b282451705b30236a5a2023ed6

SHA512
54322466ac09d3d256357fd6083fa9dd741663faab2303589ae02c890ec0e4f40f41c37a82387b835bbf65fa483e9eb0649058fecbbef55654381f1b2fe225e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7fa721431a9e7c36c3b39e8407a4ed3c

SHA1
16879c6d1433aea133cba34a5f4ddc0ca3e0bd8d

SHA256
069be851bc6aa938f8045ea4831ffaabf5a369b282451705b30236a5a2023ed6

SHA512
54322466ac09d3d256357fd6083fa9dd741663faab2303589ae02c890ec0e4f40f41c37a82387b835bbf65fa483e9eb0649058fecbbef55654381f1b2fe225e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7fa721431a9e7c36c3b39e8407a4ed3c

SHA1
16879c6d1433aea133cba34a5f4ddc0ca3e0bd8d

SHA256
069be851bc6aa938f8045ea4831ffaabf5a369b282451705b30236a5a2023ed6

SHA512
54322466ac09d3d256357fd6083fa9dd741663faab2303589ae02c890ec0e4f40f41c37a82387b835bbf65fa483e9eb0649058fecbbef55654381f1b2fe225e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7fa721431a9e7c36c3b39e8407a4ed3c

SHA1
16879c6d1433aea133cba34a5f4ddc0ca3e0bd8d

SHA256
069be851bc6aa938f8045ea4831ffaabf5a369b282451705b30236a5a2023ed6

SHA512
54322466ac09d3d256357fd6083fa9dd741663faab2303589ae02c890ec0e4f40f41c37a82387b835bbf65fa483e9eb0649058fecbbef55654381f1b2fe225e7

Download Submit