29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2023, 03:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe
Size

1.1MB
MD5

641be73b9dbe2367c986068410f9c6ed
SHA1

5f6c75a91471eae5427955192e849c76515c1598
SHA256

29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7
SHA512

4227d85e53d08b6395e27242cb48c106eaffb3481e398efb8ec32ca7ada9deb8277181b24d9e7c568a01f180916dff209bc43fc490edeb6256a54788e96ce219
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRM:g5ApamAUAQ/lG4lBmFAvZM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2240	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2044	svchcst.exe
2240	svchcst.exe
1960	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe
3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe
3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe
3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe
3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe
3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe
3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe
2240	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
2240	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 2916	3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe	84
PID 3852 wrote to memory of 2916	3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe	84
PID 3852 wrote to memory of 2916	3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe	84
PID 3852 wrote to memory of 3212	3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe	83
PID 3852 wrote to memory of 3212	3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe	83
PID 3852 wrote to memory of 3212	3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe	83
PID 3852 wrote to memory of 1640	3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe	85
PID 3852 wrote to memory of 1640	3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe	85
PID 3852 wrote to memory of 1640	3852	29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe	85
PID 3212 wrote to memory of 2044	3212	WScript.exe	93
PID 2916 wrote to memory of 2240	2916	WScript.exe	94
PID 3212 wrote to memory of 2044	3212	WScript.exe	93
PID 3212 wrote to memory of 2044	3212	WScript.exe	93
PID 2916 wrote to memory of 2240	2916	WScript.exe	94
PID 2916 wrote to memory of 2240	2916	WScript.exe	94
PID 1640 wrote to memory of 1960	1640	WScript.exe	95
PID 1640 wrote to memory of 1960	1640	WScript.exe	95
PID 1640 wrote to memory of 1960	1640	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe
"C:\Users\Admin\AppData\Local\Temp\29ebdb9401581febfc42093998c74c9bd5d1491017277e1b03511712b48b0fa7.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
bc9ec3f519ab175deabef53f22838596

SHA1
4489026417ab91bb56a89cc7a04a86eb660aacdf

SHA256
9b1ce2570c2b7afb5795a70b54fa72cfdf0b0ad059fecb66ab13a46c9e4e2129

SHA512
25907b0d7059d9191829867c2b57ea35e4a49162ab1a5c219b60d42f067b61c72e5f75501134c90138ac92fdd5d4d5b8bebb95439017131876a72a83b48dd52f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
bc9ec3f519ab175deabef53f22838596

SHA1
4489026417ab91bb56a89cc7a04a86eb660aacdf

SHA256
9b1ce2570c2b7afb5795a70b54fa72cfdf0b0ad059fecb66ab13a46c9e4e2129

SHA512
25907b0d7059d9191829867c2b57ea35e4a49162ab1a5c219b60d42f067b61c72e5f75501134c90138ac92fdd5d4d5b8bebb95439017131876a72a83b48dd52f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
620da0487004b2e3c41e0cdbe299b9e2

SHA1
18fcb76ad9dae6f105887928eacf93d7a38de4da

SHA256
9796a6ae294e154616b36867aa6286e5b12bd102af06f41a294a20d792fcc827

SHA512
210e8151c926ceb21112a704660f5298017844eff4400afa03b902c4c086ebec395cd0746fa62e36eec749c01eda810e225af6523591105c3771edf38d85d4f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
620da0487004b2e3c41e0cdbe299b9e2

SHA1
18fcb76ad9dae6f105887928eacf93d7a38de4da

SHA256
9796a6ae294e154616b36867aa6286e5b12bd102af06f41a294a20d792fcc827

SHA512
210e8151c926ceb21112a704660f5298017844eff4400afa03b902c4c086ebec395cd0746fa62e36eec749c01eda810e225af6523591105c3771edf38d85d4f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
620da0487004b2e3c41e0cdbe299b9e2

SHA1
18fcb76ad9dae6f105887928eacf93d7a38de4da

SHA256
9796a6ae294e154616b36867aa6286e5b12bd102af06f41a294a20d792fcc827

SHA512
210e8151c926ceb21112a704660f5298017844eff4400afa03b902c4c086ebec395cd0746fa62e36eec749c01eda810e225af6523591105c3771edf38d85d4f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
620da0487004b2e3c41e0cdbe299b9e2

SHA1
18fcb76ad9dae6f105887928eacf93d7a38de4da

SHA256
9796a6ae294e154616b36867aa6286e5b12bd102af06f41a294a20d792fcc827

SHA512
210e8151c926ceb21112a704660f5298017844eff4400afa03b902c4c086ebec395cd0746fa62e36eec749c01eda810e225af6523591105c3771edf38d85d4f0

Download Submit