3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4

Analysis

max time kernel
179s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
Size

1.1MB
MD5

958b7c6dc567d45b089b0289409d30aa
SHA1

2fb3714098e35ba41a2bdf9a998083565900ac4a
SHA256

3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4
SHA512

d5eede63a9fb566465cc0650dd30d7a9a676ae78235f8506e72d241adb7bb7509bf04f0f83c6955ca704fd6a8567aaf76a42d7f8fcd257fd9754c521577bc532
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q7:CcaClSFlG4ZM7QzM8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3648	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
788	svchcst.exe
3648	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe
3648	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
3648	svchcst.exe
3648	svchcst.exe
788	svchcst.exe
788	svchcst.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 5108	2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	94
PID 2904 wrote to memory of 3748	2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	92
PID 2904 wrote to memory of 5108	2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	94
PID 2904 wrote to memory of 5108	2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	94
PID 2904 wrote to memory of 3748	2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	92
PID 2904 wrote to memory of 3748	2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	92
PID 2904 wrote to memory of 996	2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	93
PID 2904 wrote to memory of 996	2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	93
PID 2904 wrote to memory of 996	2904	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	93
PID 996 wrote to memory of 788	996	WScript.exe	96
PID 996 wrote to memory of 788	996	WScript.exe	96
PID 996 wrote to memory of 788	996	WScript.exe	96
PID 3748 wrote to memory of 3648	3748	WScript.exe	97
PID 3748 wrote to memory of 3648	3748	WScript.exe	97
PID 3748 wrote to memory of 3648	3748	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
"C:\Users\Admin\AppData\Local\Temp\3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5cf07c05929556e7ae16dc1f971548ae

SHA1
7f97e6aea3b386047d56fb9092abd58d01941265

SHA256
12de57db44885a220f350e5b1a1804e5c32dd07b822c1677eba926f4e9954ab5

SHA512
c6ec42aea8dce0f201f553178e4294edf48c3b86f08fab7f03a88073f7947a6b7cca3c7026d968ee91d58e2b9e418c9f7dc720fd19c85c6a4a6e0c642d4075d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c6223becb494a5f0e63d11c501f778db

SHA1
fdeb3aa68a1238cbea84a1fcdc9f13efd8c46b57

SHA256
a1b8fe989a24470267b70b83b7220d11bf3a2e2c7bf9a58bb8d3c6be150e7db1

SHA512
84f4baaa34af46873a0e1e4edcdf031addd4989dbc9be9888a095e7f006d5d245b56a7c8e71718e53fa56e7b5d53faa1f19d09c39ca76f1f3d4846b77897375e

Download Submit