0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
24/11/2023, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe
Size

1.1MB
MD5

04960dfaa7a817faf298f87356c5e557
SHA1

54a84b379596036515dd01902cb9c695ef27897f
SHA256

0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503
SHA512

80b5a9fe0aede0a820a2331a3d1c1d3b21976118e64c921e8245314b3b62a8ceb514508adc430f5bb9f9b2b598fcda5fb60fa8e5e0349991d7b749ae843cf214
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRq:g5ApamAUAQ/lG4lBmFAvZq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2572	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2564	svchcst.exe
2572	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2752	WScript.exe
2688	WScript.exe
2688	WScript.exe
2752	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe
1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe
1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe
2564	svchcst.exe
2564	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2752	1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe	28
PID 1532 wrote to memory of 2752	1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe	28
PID 1532 wrote to memory of 2752	1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe	28
PID 1532 wrote to memory of 2752	1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe	28
PID 1532 wrote to memory of 2688	1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe	29
PID 1532 wrote to memory of 2688	1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe	29
PID 1532 wrote to memory of 2688	1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe	29
PID 1532 wrote to memory of 2688	1532	0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe	29
PID 2688 wrote to memory of 2564	2688	WScript.exe	31
PID 2688 wrote to memory of 2564	2688	WScript.exe	31
PID 2688 wrote to memory of 2564	2688	WScript.exe	31
PID 2688 wrote to memory of 2564	2688	WScript.exe	31
PID 2752 wrote to memory of 2572	2752	WScript.exe	32
PID 2752 wrote to memory of 2572	2752	WScript.exe	32
PID 2752 wrote to memory of 2572	2752	WScript.exe	32
PID 2752 wrote to memory of 2572	2752	WScript.exe	32

C:\Users\Admin\AppData\Local\Temp\0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe
"C:\Users\Admin\AppData\Local\Temp\0bf48487fbae5f233f956dc3fa4a83a4c9cee424d5313aa8f7b713be1a1e8503.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2572
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ac929365db61db3c2b37bffb1db32379

SHA1
71628c60d017be8a1d4e19ea1efdf3994a25b2e3

SHA256
cbc54a20bd14f22779b556256601a705e63f2135fb655feb818e93a045d8b9d1

SHA512
333e8da80aca6b164655c5a4d9aba40086dc6d7662dbc1ba1448b6641058cc8d98c1ef081c629af5c7e8327e121b45fdd1c5d00458d594f20506e4a60bd50677

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ac929365db61db3c2b37bffb1db32379

SHA1
71628c60d017be8a1d4e19ea1efdf3994a25b2e3

SHA256
cbc54a20bd14f22779b556256601a705e63f2135fb655feb818e93a045d8b9d1

SHA512
333e8da80aca6b164655c5a4d9aba40086dc6d7662dbc1ba1448b6641058cc8d98c1ef081c629af5c7e8327e121b45fdd1c5d00458d594f20506e4a60bd50677

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
95bb2bd393d69033839a35e7461aff79

SHA1
12bb1d2f79f78860015990dd8f6a0887457b0b37

SHA256
2a554b335f6c1d3c43ced362b7d1ef72a9b0081db8e44741a7414bc4d2c8147f

SHA512
ed0ffcc0b7fdf7eeb3a975090cc244dfe1089b89ac82a214dbae4b477c4309859b096efd7176e5c8c9d0832fd2171984b680fff6ca3e9239154b9850e1fb2b33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
95bb2bd393d69033839a35e7461aff79

SHA1
12bb1d2f79f78860015990dd8f6a0887457b0b37

SHA256
2a554b335f6c1d3c43ced362b7d1ef72a9b0081db8e44741a7414bc4d2c8147f

SHA512
ed0ffcc0b7fdf7eeb3a975090cc244dfe1089b89ac82a214dbae4b477c4309859b096efd7176e5c8c9d0832fd2171984b680fff6ca3e9239154b9850e1fb2b33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
95bb2bd393d69033839a35e7461aff79

SHA1
12bb1d2f79f78860015990dd8f6a0887457b0b37

SHA256
2a554b335f6c1d3c43ced362b7d1ef72a9b0081db8e44741a7414bc4d2c8147f

SHA512
ed0ffcc0b7fdf7eeb3a975090cc244dfe1089b89ac82a214dbae4b477c4309859b096efd7176e5c8c9d0832fd2171984b680fff6ca3e9239154b9850e1fb2b33

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
95bb2bd393d69033839a35e7461aff79

SHA1
12bb1d2f79f78860015990dd8f6a0887457b0b37

SHA256
2a554b335f6c1d3c43ced362b7d1ef72a9b0081db8e44741a7414bc4d2c8147f

SHA512
ed0ffcc0b7fdf7eeb3a975090cc244dfe1089b89ac82a214dbae4b477c4309859b096efd7176e5c8c9d0832fd2171984b680fff6ca3e9239154b9850e1fb2b33

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
95bb2bd393d69033839a35e7461aff79

SHA1
12bb1d2f79f78860015990dd8f6a0887457b0b37

SHA256
2a554b335f6c1d3c43ced362b7d1ef72a9b0081db8e44741a7414bc4d2c8147f

SHA512
ed0ffcc0b7fdf7eeb3a975090cc244dfe1089b89ac82a214dbae4b477c4309859b096efd7176e5c8c9d0832fd2171984b680fff6ca3e9239154b9850e1fb2b33

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
95bb2bd393d69033839a35e7461aff79

SHA1
12bb1d2f79f78860015990dd8f6a0887457b0b37

SHA256
2a554b335f6c1d3c43ced362b7d1ef72a9b0081db8e44741a7414bc4d2c8147f

SHA512
ed0ffcc0b7fdf7eeb3a975090cc244dfe1089b89ac82a214dbae4b477c4309859b096efd7176e5c8c9d0832fd2171984b680fff6ca3e9239154b9850e1fb2b33

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
95bb2bd393d69033839a35e7461aff79

SHA1
12bb1d2f79f78860015990dd8f6a0887457b0b37

SHA256
2a554b335f6c1d3c43ced362b7d1ef72a9b0081db8e44741a7414bc4d2c8147f

SHA512
ed0ffcc0b7fdf7eeb3a975090cc244dfe1089b89ac82a214dbae4b477c4309859b096efd7176e5c8c9d0832fd2171984b680fff6ca3e9239154b9850e1fb2b33

Download Submit