b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1

Analysis

max time kernel
157s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2023, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
Size

1.1MB
MD5

b8a5583e033a5078b919cd82115ed3bb
SHA1

7f9307aa4c0e99204ca594e5b07dc11c4446d3a5
SHA256

b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1
SHA512

fb292aaf107894815dc5d2269a30d2de97aef7fcf297aa2050b641f1126f21c7fcfe1d9db5f9c6552edc6bf8ec2ffd03e8e98238ef32e98040cdea994be90241
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qz:CcaClSFlG4ZM7QzM0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2192	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
2192	svchcst.exe
4056	svchcst.exe
3700	svchcst.exe
3996	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
2192	svchcst.exe
2192	svchcst.exe
4056	svchcst.exe
4056	svchcst.exe
3700	svchcst.exe
3700	svchcst.exe
3996	svchcst.exe
3996	svchcst.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 4920	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	89
PID 3340 wrote to memory of 4920	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	89
PID 3340 wrote to memory of 4920	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	89
PID 3340 wrote to memory of 4628	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	88
PID 3340 wrote to memory of 4628	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	88
PID 3340 wrote to memory of 4628	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	88
PID 3340 wrote to memory of 776	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	91
PID 3340 wrote to memory of 776	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	91
PID 3340 wrote to memory of 776	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	91
PID 3340 wrote to memory of 4420	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	90
PID 3340 wrote to memory of 4420	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	90
PID 3340 wrote to memory of 4420	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	90
PID 3340 wrote to memory of 4780	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	92
PID 3340 wrote to memory of 4780	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	92
PID 3340 wrote to memory of 4780	3340	b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe	92
PID 4780 wrote to memory of 2192	4780	WScript.exe	95
PID 4780 wrote to memory of 2192	4780	WScript.exe	95
PID 4780 wrote to memory of 2192	4780	WScript.exe	95
PID 4920 wrote to memory of 4056	4920	WScript.exe	96
PID 4920 wrote to memory of 4056	4920	WScript.exe	96
PID 4920 wrote to memory of 4056	4920	WScript.exe	96
PID 2192 wrote to memory of 1480	2192	svchcst.exe	97
PID 2192 wrote to memory of 1480	2192	svchcst.exe	97
PID 2192 wrote to memory of 1480	2192	svchcst.exe	97
PID 2192 wrote to memory of 3228	2192	svchcst.exe	98
PID 2192 wrote to memory of 3228	2192	svchcst.exe	98
PID 2192 wrote to memory of 3228	2192	svchcst.exe	98
PID 3228 wrote to memory of 3700	3228	WScript.exe	102
PID 3228 wrote to memory of 3700	3228	WScript.exe	102
PID 3228 wrote to memory of 3700	3228	WScript.exe	102
PID 1480 wrote to memory of 3996	1480	WScript.exe	103
PID 1480 wrote to memory of 3996	1480	WScript.exe	103
PID 1480 wrote to memory of 3996	1480	WScript.exe	103

C:\Users\Admin\AppData\Local\Temp\b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
"C:\Users\Admin\AppData\Local\Temp\b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:4628
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:4420
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3996
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3228
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
65ca1022405b04f52eb29a6097f80006

SHA1
2dd9e32a5b3f9a015de4ce648e8f5a1407d3ee65

SHA256
f47b488e1e7cc9fe469182d10b7b617af5ce3282ac08bdff5ca782f0bb82832c

SHA512
8681519920ceb3d776456cf45dba184b8254319a48b3a9bc8bef51ca0abf18f0e8dc080ad92023ea89593017ec6fbc321372d88b53d5d0af684331cae38710b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
30161f057bb781a559d721069a54b117

SHA1
e1d75badcf388cd15b5e004f8bc460086485375a

SHA256
2bc2291f993a32616702564a8784894109e7c7a0f802981f28c7fc0892f5eaf4

SHA512
90efb901a23fd542a8125c7899038d245e0057d0acfc37d45fa77d002ae6b948778f40bc89c637c7b61bf5a6440478fb6f65e28b065a8e16bb8a715ee915322b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a6f494ee87dd725c7bfd852399117f6e

SHA1
f2977982122ed82ac4806871e1ea6fa10304642e

SHA256
c48d6d77d130aa3fe4592e3b5ddfb103f938b92aac41afe579b2e559370d699f

SHA512
3382d2bd9cb20a913b28a3ae33db10537fdd0ba65dd3abe25d8e2744d137116dc2dce8b0905c1f1a7690ce5094bb13af4132d62e3b8419e9555cd497c8d43ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
396KB

MD5
2e69e881320fa5313b677d8d5f21c5a5

SHA1
855348288c046b80aa7d3b6ddd4d5eec27c14a1d

SHA256
19845a4365af8b4d4aa1d1b314145debaaf4421c8275ceccdf1bc2346472e408

SHA512
e6a22e7e786863ebbf7e0989e171ebda0d4e1bd91efebcef22b4b8a1499b631b9b5f660573ff152f061022dae69575106351332b8a1987585bd1f567a2c10eca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
108KB

MD5
9d991cdef63f774db01955496a740165

SHA1
df076e1cf03b89b04c87bb467975bb8beef8a3e9

SHA256
fd9b9140e5e7cabd8af450e597b04946a1e965c7b756b6330c192b57da4b5815

SHA512
fc4dba0092e742c56b135875f626e3902437e4906176e7af5517a2e5919b008a974fb788857f4324f3a8c580fc13017d939eafcd5f3d10f5c52bba51a6558fd8

Download Submit