059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26-11-2023 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
Size

1.1MB
MD5

27dc3a9bfefe292384910f68352d5794
SHA1

003be7db6687e420d45f8ef62f0598485d4fc7ce
SHA256

059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1
SHA512

3d36c94496d3815e1e68bf1add382b014b7a97097ae6ccb9fbe0d6d953aa2b56a8105a92bc7d9ca3cb6c822f869c657b3d166f55b2c1643c3a3124445b2bf604
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QM:CcaClSFlG4ZM7QzM7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2600	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2600	svchcst.exe
2820	svchcst.exe
2852	svchcst.exe

Loads dropped DLL 6 IoCs

pid	Process
2684	WScript.exe
2684	WScript.exe
2984	WScript.exe
2984	WScript.exe
2532	WScript.exe
2532	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1192	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1192	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1192	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
1192	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
2600	svchcst.exe
2600	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2684	1192	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	28
PID 1192 wrote to memory of 2684	1192	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	28
PID 1192 wrote to memory of 2684	1192	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	28
PID 1192 wrote to memory of 2684	1192	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	28
PID 2684 wrote to memory of 2600	2684	WScript.exe	30
PID 2684 wrote to memory of 2600	2684	WScript.exe	30
PID 2684 wrote to memory of 2600	2684	WScript.exe	30
PID 2684 wrote to memory of 2600	2684	WScript.exe	30
PID 2600 wrote to memory of 2984	2600	svchcst.exe	31
PID 2600 wrote to memory of 2984	2600	svchcst.exe	31
PID 2600 wrote to memory of 2984	2600	svchcst.exe	31
PID 2600 wrote to memory of 2984	2600	svchcst.exe	31
PID 2600 wrote to memory of 2532	2600	svchcst.exe	32
PID 2600 wrote to memory of 2532	2600	svchcst.exe	32
PID 2600 wrote to memory of 2532	2600	svchcst.exe	32
PID 2600 wrote to memory of 2532	2600	svchcst.exe	32
PID 2984 wrote to memory of 2820	2984	WScript.exe	33
PID 2984 wrote to memory of 2820	2984	WScript.exe	33
PID 2984 wrote to memory of 2820	2984	WScript.exe	33
PID 2984 wrote to memory of 2820	2984	WScript.exe	33
PID 2532 wrote to memory of 2852	2532	WScript.exe	34
PID 2532 wrote to memory of 2852	2532	WScript.exe	34
PID 2532 wrote to memory of 2852	2532	WScript.exe	34
PID 2532 wrote to memory of 2852	2532	WScript.exe	34

C:\Users\Admin\AppData\Local\Temp\059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
"C:\Users\Admin\AppData\Local\Temp\059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2820
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
96713cd3d74dbc67fb3abfb2523447ed

SHA1
4ea90b48cef132e250d93adc8d764d473f502153

SHA256
42d90827a50acca02407ce24c163cba7243a26f4be18a14dfa85184459fcec09

SHA512
9264b605c4bae5e4d1db42d1fd94c64f807f529ff3ac341943f80c0bfda94adc875266e6b95e4fadb7e50bc9e82cb317018a5dc89f152e31cd182a2fe00bb5c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0f8690277e11808c7373d5fb52242a49

SHA1
100c5f88cb819bc74f66b60b228e91d8d1e625f9

SHA256
89c68c9ac590de354f25d4d954cfebeae0a55a776dcf1a1dd810437f444d5554

SHA512
486579852423cb1ce5399c558fa69ce7b3e07bf287e0a514808636d3c882b8b4b6585a73238bd08eb227da40ada262d5ce3fe9b3faded1e1b66afb25d5d1fef5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0f8690277e11808c7373d5fb52242a49

SHA1
100c5f88cb819bc74f66b60b228e91d8d1e625f9

SHA256
89c68c9ac590de354f25d4d954cfebeae0a55a776dcf1a1dd810437f444d5554

SHA512
486579852423cb1ce5399c558fa69ce7b3e07bf287e0a514808636d3c882b8b4b6585a73238bd08eb227da40ada262d5ce3fe9b3faded1e1b66afb25d5d1fef5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0f8690277e11808c7373d5fb52242a49

SHA1
100c5f88cb819bc74f66b60b228e91d8d1e625f9

SHA256
89c68c9ac590de354f25d4d954cfebeae0a55a776dcf1a1dd810437f444d5554

SHA512
486579852423cb1ce5399c558fa69ce7b3e07bf287e0a514808636d3c882b8b4b6585a73238bd08eb227da40ada262d5ce3fe9b3faded1e1b66afb25d5d1fef5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c929fb156b5b563bef65f0c901c2aba

SHA1
e1f8bbcb03593c7cc342af1781a2fc35405015e2

SHA256
68182eab53685923e4d2071f18c7a55a02f12428e328f736e78213049ffca948

SHA512
62a26232adb12919bf0c6e82c1092e4610fb60aa8042b7b8ac70b4baaf98eb00a4f7ccb3ff80c11aef96854166a8b61d4c93755057967761973a7b2f197c664a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c929fb156b5b563bef65f0c901c2aba

SHA1
e1f8bbcb03593c7cc342af1781a2fc35405015e2

SHA256
68182eab53685923e4d2071f18c7a55a02f12428e328f736e78213049ffca948

SHA512
62a26232adb12919bf0c6e82c1092e4610fb60aa8042b7b8ac70b4baaf98eb00a4f7ccb3ff80c11aef96854166a8b61d4c93755057967761973a7b2f197c664a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0f8690277e11808c7373d5fb52242a49

SHA1
100c5f88cb819bc74f66b60b228e91d8d1e625f9

SHA256
89c68c9ac590de354f25d4d954cfebeae0a55a776dcf1a1dd810437f444d5554

SHA512
486579852423cb1ce5399c558fa69ce7b3e07bf287e0a514808636d3c882b8b4b6585a73238bd08eb227da40ada262d5ce3fe9b3faded1e1b66afb25d5d1fef5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0f8690277e11808c7373d5fb52242a49

SHA1
100c5f88cb819bc74f66b60b228e91d8d1e625f9

SHA256
89c68c9ac590de354f25d4d954cfebeae0a55a776dcf1a1dd810437f444d5554

SHA512
486579852423cb1ce5399c558fa69ce7b3e07bf287e0a514808636d3c882b8b4b6585a73238bd08eb227da40ada262d5ce3fe9b3faded1e1b66afb25d5d1fef5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0f8690277e11808c7373d5fb52242a49

SHA1
100c5f88cb819bc74f66b60b228e91d8d1e625f9

SHA256
89c68c9ac590de354f25d4d954cfebeae0a55a776dcf1a1dd810437f444d5554

SHA512
486579852423cb1ce5399c558fa69ce7b3e07bf287e0a514808636d3c882b8b4b6585a73238bd08eb227da40ada262d5ce3fe9b3faded1e1b66afb25d5d1fef5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0f8690277e11808c7373d5fb52242a49

SHA1
100c5f88cb819bc74f66b60b228e91d8d1e625f9

SHA256
89c68c9ac590de354f25d4d954cfebeae0a55a776dcf1a1dd810437f444d5554

SHA512
486579852423cb1ce5399c558fa69ce7b3e07bf287e0a514808636d3c882b8b4b6585a73238bd08eb227da40ada262d5ce3fe9b3faded1e1b66afb25d5d1fef5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c929fb156b5b563bef65f0c901c2aba

SHA1
e1f8bbcb03593c7cc342af1781a2fc35405015e2

SHA256
68182eab53685923e4d2071f18c7a55a02f12428e328f736e78213049ffca948

SHA512
62a26232adb12919bf0c6e82c1092e4610fb60aa8042b7b8ac70b4baaf98eb00a4f7ccb3ff80c11aef96854166a8b61d4c93755057967761973a7b2f197c664a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c929fb156b5b563bef65f0c901c2aba

SHA1
e1f8bbcb03593c7cc342af1781a2fc35405015e2

SHA256
68182eab53685923e4d2071f18c7a55a02f12428e328f736e78213049ffca948

SHA512
62a26232adb12919bf0c6e82c1092e4610fb60aa8042b7b8ac70b4baaf98eb00a4f7ccb3ff80c11aef96854166a8b61d4c93755057967761973a7b2f197c664a

Download Submit