780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2023, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe
Size

1.1MB
MD5

b6ca5dafc531328acba9fa07f78c64ce
SHA1

5e814e6e933a8364887961a568140380f841d3f0
SHA256

780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf
SHA512

ca6a8d7cb67bf507b3f1c3ef2e2d6a0f88d4b25ae30642974f91697863d14a47d28cb5d3b58df33bf9c76445e61b9a032435362df9da1c5d90c33c724a26d0ce
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyR4:g5ApamAUAQ/lG4lBmFAvZ4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4884	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4884	svchcst.exe
4932	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe
4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe
4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe
4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe
4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe
4884	svchcst.exe
4884	svchcst.exe
4932	svchcst.exe
4932	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 924	4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe	88
PID 4976 wrote to memory of 924	4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe	88
PID 4976 wrote to memory of 924	4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe	88
PID 4976 wrote to memory of 2024	4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe	89
PID 4976 wrote to memory of 2024	4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe	89
PID 4976 wrote to memory of 2024	4976	780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe	89
PID 2024 wrote to memory of 4884	2024	WScript.exe	98
PID 2024 wrote to memory of 4884	2024	WScript.exe	98
PID 2024 wrote to memory of 4884	2024	WScript.exe	98
PID 924 wrote to memory of 4932	924	WScript.exe	99
PID 924 wrote to memory of 4932	924	WScript.exe	99
PID 924 wrote to memory of 4932	924	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe
"C:\Users\Admin\AppData\Local\Temp\780a9047a9cbcae7894d50a18b223af1a152984c62ee9b156d3cbff1d0481ccf.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
21a8e568be8af4d4e1ccbbf79b22b106

SHA1
40f46233fb06296b7312cb9b1dfb720b5bfd29bb

SHA256
b208d2eb6533ef37e60f35c2f9ff83d811fef2d56cb6971196a7fc1c2ce1ac3d

SHA512
48ad3a1dc13c9da23e96b8f8b7fc84b037673f54ea6d43607dd5f5b59d0e6fe67118afa56934c22a88a3bf10037a5e7ae9ed77f2048505af66bfcd9bee06aa02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
21a8e568be8af4d4e1ccbbf79b22b106

SHA1
40f46233fb06296b7312cb9b1dfb720b5bfd29bb

SHA256
b208d2eb6533ef37e60f35c2f9ff83d811fef2d56cb6971196a7fc1c2ce1ac3d

SHA512
48ad3a1dc13c9da23e96b8f8b7fc84b037673f54ea6d43607dd5f5b59d0e6fe67118afa56934c22a88a3bf10037a5e7ae9ed77f2048505af66bfcd9bee06aa02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
66f78fe01a5ad58a999d95a7fd402916

SHA1
3b4598a5b6903ac7e638905ad9db2adc5523b1da

SHA256
84b77364aaf370ff455839013ace511dc461b72af1709d355c12d5d5d6ff22f8

SHA512
57269fabef3282267ca0095a7bd5bd590c1f8b2da1acefacac1153c7b1c5e72e5ab4314eb5e8b72b8281f662f35d80cdb086cc62273e7baed382250cb3405f91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
66f78fe01a5ad58a999d95a7fd402916

SHA1
3b4598a5b6903ac7e638905ad9db2adc5523b1da

SHA256
84b77364aaf370ff455839013ace511dc461b72af1709d355c12d5d5d6ff22f8

SHA512
57269fabef3282267ca0095a7bd5bd590c1f8b2da1acefacac1153c7b1c5e72e5ab4314eb5e8b72b8281f662f35d80cdb086cc62273e7baed382250cb3405f91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
66f78fe01a5ad58a999d95a7fd402916

SHA1
3b4598a5b6903ac7e638905ad9db2adc5523b1da

SHA256
84b77364aaf370ff455839013ace511dc461b72af1709d355c12d5d5d6ff22f8

SHA512
57269fabef3282267ca0095a7bd5bd590c1f8b2da1acefacac1153c7b1c5e72e5ab4314eb5e8b72b8281f662f35d80cdb086cc62273e7baed382250cb3405f91

Download Submit