58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
Size

1.1MB
MD5

8ece52f8e3855c289a0949d3f130bafc
SHA1

6553a7025441e534ca829659896053c8cd256a9b
SHA256

58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1
SHA512

f6eb3582f6740e17bf23e39ca76f91916d999801f5e1563ebffde93f06539644664ea013fe2d2fa9b71d8ec568ab4f425956366e0aa1408e43cfd59e337ff6a2
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRv:g5ApamAUAQ/lG4lBmFAvZv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3024	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3024	svchcst.exe
4436	svchcst.exe
3752	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
3024	svchcst.exe
3024	svchcst.exe
4436	svchcst.exe
4436	svchcst.exe
3752	svchcst.exe
3752	svchcst.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 3060	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	99
PID 1492 wrote to memory of 3060	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	99
PID 1492 wrote to memory of 3060	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	99
PID 1492 wrote to memory of 5024	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	98
PID 1492 wrote to memory of 5024	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	98
PID 1492 wrote to memory of 5024	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	98
PID 1492 wrote to memory of 3912	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	100
PID 1492 wrote to memory of 3912	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	100
PID 1492 wrote to memory of 3912	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	100
PID 1492 wrote to memory of 4532	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	96
PID 1492 wrote to memory of 4532	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	96
PID 1492 wrote to memory of 4532	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	96
PID 1492 wrote to memory of 224	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	97
PID 1492 wrote to memory of 224	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	97
PID 1492 wrote to memory of 224	1492	58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe	97
PID 3060 wrote to memory of 3024	3060	WScript.exe	101
PID 3060 wrote to memory of 3024	3060	WScript.exe	101
PID 3060 wrote to memory of 3024	3060	WScript.exe	101
PID 3912 wrote to memory of 4436	3912	WScript.exe	102
PID 3912 wrote to memory of 4436	3912	WScript.exe	102
PID 3912 wrote to memory of 4436	3912	WScript.exe	102
PID 4532 wrote to memory of 3752	4532	WScript.exe	103
PID 4532 wrote to memory of 3752	4532	WScript.exe	103
PID 4532 wrote to memory of 3752	4532	WScript.exe	103

C:\Users\Admin\AppData\Local\Temp\58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe
"C:\Users\Admin\AppData\Local\Temp\58d5862856c320ce3ecdda4ae77f808aad8df8dd6cb886367651361b1664f2f1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3752
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:5024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
77afb2dc105d836095bfe38f99442264

SHA1
05bd89b751f633c8f89524ebd4af3629cfe67378

SHA256
fde163ee13007df7403844153a7706ac3b9571d50c1cb35911030e0d0604d1c0

SHA512
84efe5210bb079049449efc35141651dc66832b648b67552ac84ec29099e3032aa1579432420e5bcfa1207ce7df6ec354d843482bafeaa6764df9a1ea4150600

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8b8bc9a3f563fdccfee96554aab92642

SHA1
1f89ec5b044ddc7e919c031d653843f4ec399b33

SHA256
9ff4107cbc1389c8845dfd9dc864bc4b97e80f2c5d8ef70079040b8fff70e784

SHA512
a44bab204457ff6fd6ef64e2a875a87324c236a865c90eb32f9c440b012bfa8c3e4419ff575c390f38c4e57cce4cc2d6c43c3635fa2fab50e43df5589b31ceec

Download Submit