11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2023, 12:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
Size

1.1MB
MD5

c45d4d45af155c297dc48f0c39bed81a
SHA1

39db4da384702e3597bdb0a5c887d499aac09202
SHA256

11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137
SHA512

bc4ab5871c8420d280ec5267aea3befdfcfff6f0cff204e0abf8ec02abcb4a5814b0ac1b3eadcee3df612bea943c1d72385ddbbbba85439725a5411b23454466
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QY:CcaClSFlG4ZM7QzMf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2332	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1716	svchcst.exe
2332	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
2332	svchcst.exe
1716	svchcst.exe
2332	svchcst.exe
1716	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 8	2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	93
PID 2240 wrote to memory of 8	2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	93
PID 2240 wrote to memory of 8	2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	93
PID 2240 wrote to memory of 4768	2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	92
PID 2240 wrote to memory of 4768	2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	92
PID 2240 wrote to memory of 4768	2240	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	92
PID 8 wrote to memory of 1716	8	WScript.exe	97
PID 8 wrote to memory of 1716	8	WScript.exe	97
PID 8 wrote to memory of 1716	8	WScript.exe	97
PID 4768 wrote to memory of 2332	4768	WScript.exe	98
PID 4768 wrote to memory of 2332	4768	WScript.exe	98
PID 4768 wrote to memory of 2332	4768	WScript.exe	98

C:\Users\Admin\AppData\Local\Temp\11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
"C:\Users\Admin\AppData\Local\Temp\11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2332
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
fe431eaca21c0e55cbd0f1e2309e931e

SHA1
524d7fee47c80c36d5d723f370a3c6310b48f626

SHA256
9997ea913023a83d8304b69a682f05369ef4471d27df3317a0c3a5663ab2509d

SHA512
34a1f6fb44b87c9e24d6af0671b420ccf36ebb926786c5a1089645f18d09f3bef63050fc5dfe2aaaf70d8f1748d9a83f0b141c212244fbc3a5438a3eb68baf1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d3dbbee8803598e993acdfa9831977ed

SHA1
f9f5ef5c171eae29ba3bdcfe9fa3b525f32c2bba

SHA256
be2403229112ee53c21bb3cb903992a650e77e1f438e561ece03b37104212075

SHA512
6bcb616320ba8f7e3835aa7a9ffbca49254447901e293a43443b5b35f51030247f9688059f7d5684827db96a02b5353aba28477d20d75b648c73e2c00a270af5

Download Submit