059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2023 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
Size

1.1MB
MD5

27dc3a9bfefe292384910f68352d5794
SHA1

003be7db6687e420d45f8ef62f0598485d4fc7ce
SHA256

059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1
SHA512

3d36c94496d3815e1e68bf1add382b014b7a97097ae6ccb9fbe0d6d953aa2b56a8105a92bc7d9ca3cb6c822f869c657b3d166f55b2c1643c3a3124445b2bf604
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QM:CcaClSFlG4ZM7QzM7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4868	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
512	svchcst.exe
4868	svchcst.exe
2192	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
512	svchcst.exe
512	svchcst.exe
2192	svchcst.exe
4868	svchcst.exe
4868	svchcst.exe
2192	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 3360	228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	86
PID 228 wrote to memory of 3360	228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	86
PID 228 wrote to memory of 3360	228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	86
PID 228 wrote to memory of 4660	228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	87
PID 228 wrote to memory of 4660	228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	87
PID 228 wrote to memory of 4660	228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	87
PID 228 wrote to memory of 4624	228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	88
PID 228 wrote to memory of 4624	228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	88
PID 228 wrote to memory of 4624	228	059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe	88
PID 3360 wrote to memory of 512	3360	WScript.exe	94
PID 3360 wrote to memory of 512	3360	WScript.exe	94
PID 3360 wrote to memory of 512	3360	WScript.exe	94
PID 4624 wrote to memory of 4868	4624	WScript.exe	95
PID 4624 wrote to memory of 4868	4624	WScript.exe	95
PID 4624 wrote to memory of 4868	4624	WScript.exe	95
PID 4660 wrote to memory of 2192	4660	WScript.exe	96
PID 4660 wrote to memory of 2192	4660	WScript.exe	96
PID 4660 wrote to memory of 2192	4660	WScript.exe	96

C:\Users\Admin\AppData\Local\Temp\059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe
"C:\Users\Admin\AppData\Local\Temp\059e0381e4044848ce3d21e7671c74b993c64260480f11197b95cf26a4fcecc1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
2cade5f03b496b12178b9ea5a235b2c3

SHA1
7b7446ba3ff746d5abeadb5864830946939bdd50

SHA256
501da67969e3a1ffcc51853e926b2ae9cddb44cf2ed07e1edad5883eac4a36b4

SHA512
56887aded1b9b2e56d2c0bd62e3c5fd09737a7ea6ebe31dc13c7c8f32bba73326d69646198fd018de80fcbbe499c2e1addb50ce4c4bde6352dadba168d300dea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
2cade5f03b496b12178b9ea5a235b2c3

SHA1
7b7446ba3ff746d5abeadb5864830946939bdd50

SHA256
501da67969e3a1ffcc51853e926b2ae9cddb44cf2ed07e1edad5883eac4a36b4

SHA512
56887aded1b9b2e56d2c0bd62e3c5fd09737a7ea6ebe31dc13c7c8f32bba73326d69646198fd018de80fcbbe499c2e1addb50ce4c4bde6352dadba168d300dea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
59b56e353ed53705116b153da5590796

SHA1
ab45760e4ede4524a1fabb44da47683bfaee75a9

SHA256
f51fc0195cf3022352418d627e4c3cd6ac419063e99c8a8087692f4c2562cbfd

SHA512
fff4256734467474af9bf3e1df7ed67a6fe35e7aff0cd1e455939ae91b2c848e50e2851ae559327cc7ae31521c792b80452ee9687e56ee146c0670ead5b33320

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
59b56e353ed53705116b153da5590796

SHA1
ab45760e4ede4524a1fabb44da47683bfaee75a9

SHA256
f51fc0195cf3022352418d627e4c3cd6ac419063e99c8a8087692f4c2562cbfd

SHA512
fff4256734467474af9bf3e1df7ed67a6fe35e7aff0cd1e455939ae91b2c848e50e2851ae559327cc7ae31521c792b80452ee9687e56ee146c0670ead5b33320

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
59b56e353ed53705116b153da5590796

SHA1
ab45760e4ede4524a1fabb44da47683bfaee75a9

SHA256
f51fc0195cf3022352418d627e4c3cd6ac419063e99c8a8087692f4c2562cbfd

SHA512
fff4256734467474af9bf3e1df7ed67a6fe35e7aff0cd1e455939ae91b2c848e50e2851ae559327cc7ae31521c792b80452ee9687e56ee146c0670ead5b33320

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
59b56e353ed53705116b153da5590796

SHA1
ab45760e4ede4524a1fabb44da47683bfaee75a9

SHA256
f51fc0195cf3022352418d627e4c3cd6ac419063e99c8a8087692f4c2562cbfd

SHA512
fff4256734467474af9bf3e1df7ed67a6fe35e7aff0cd1e455939ae91b2c848e50e2851ae559327cc7ae31521c792b80452ee9687e56ee146c0670ead5b33320

Download Submit