41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe
Size

1.1MB
MD5

a0d34e617de5afb53d6a5b775429b092
SHA1

dd827ab91002a17f56d6e49cdefb4486e0c969b8
SHA256

41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1
SHA512

e1eb482bdb1de461115f11b5fa49280b2ad242d7ecb5560b14bf4ad8f9a14f0290ea42006922b41eab03718b643976db52435f8b1b4c19d67de331b43d58c46d
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRy:g5ApamAUAQ/lG4lBmFAvZy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3332	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3004	svchcst.exe
3332	svchcst.exe
2008	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe
3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe
3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe
3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe
3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe
3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe
3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe
3004	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
3004	svchcst.exe
2008	svchcst.exe
2008	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 4724	3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe	91
PID 3264 wrote to memory of 3160	3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe	93
PID 3264 wrote to memory of 3160	3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe	93
PID 3264 wrote to memory of 3160	3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe	93
PID 3264 wrote to memory of 4724	3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe	91
PID 3264 wrote to memory of 4724	3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe	91
PID 3264 wrote to memory of 4924	3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe	92
PID 3264 wrote to memory of 4924	3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe	92
PID 3264 wrote to memory of 4924	3264	41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe	92
PID 4724 wrote to memory of 3332	4724	WScript.exe	97
PID 4724 wrote to memory of 3332	4724	WScript.exe	97
PID 4724 wrote to memory of 3332	4724	WScript.exe	97
PID 3160 wrote to memory of 3004	3160	WScript.exe	96
PID 3160 wrote to memory of 3004	3160	WScript.exe	96
PID 3160 wrote to memory of 3004	3160	WScript.exe	96
PID 4924 wrote to memory of 2008	4924	WScript.exe	98
PID 4924 wrote to memory of 2008	4924	WScript.exe	98
PID 4924 wrote to memory of 2008	4924	WScript.exe	98

C:\Users\Admin\AppData\Local\Temp\41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe
"C:\Users\Admin\AppData\Local\Temp\41653ccb4f0e165c0ed87d4abb52fc242c6839e15d9f9505a309ed410799d1b1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3332
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
2c92c2a5683feec00711c129d6af00d3

SHA1
55fd352e3d7723894a8427ede284f0c60b4b8eba

SHA256
c7693306a6eeb34af3bcbb2f246ba6c101051623776b4201ee6a352710f496be

SHA512
087afffe60e96f51b9e5b592e5f7b1aac979041607b4bbc0ce226f7c42fcea72c5dfa9a3b560556a32ba99585824de022e16041f640d47cc906ff537d59aa195

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
17d9ab817ec59626cc0512e0c29b7918

SHA1
625e1023b50130a7e631b7d5e7d1b1357e09d025

SHA256
f149152786fcc23556fce68c73c7df84e950f452f8958ef39ccc14cb17f5d3ae

SHA512
4dda44705f9717faadfdb577b2c76aebb7f5e0957a4f8a3935cc3159b28e680a6beed423c36661ddb382a32d7dc722633c59b2564d70f3a6a493f8dee71b6212

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.0MB

MD5
4bf05a05b83ec7ebc3bf17fa58b06608

SHA1
7849d5a1bb80867d97c8216387278516f2252b81

SHA256
cf51f7448eb432cd4269012925fa736c16bb459caaa179218eceee23c381d359

SHA512
a16be6878e03de16025b4caa21deb21b8f4629bf6c22c8a2138af122c09b521199343ad6e1d44febf82c5b837d79136e0f1e2890ed3c336d8e5676c8754f1513

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
256KB

MD5
308058293ff195f214c3a77b8c8fe744

SHA1
caa3ec66bd728aedc526774332a80f87650a3e26

SHA256
6691a080ac623da2041b293a763e287e5ac2d9d558d1c7b8542dffcc0f3e11fc

SHA512
5645a7081c30d1adfe16bba9e3e8a13879baab7855f0d4a93b9cd111fa25e3414a0bc4978925047ddde63fc69c21ef11e7a02f029f2bc566350f23c43af7590a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1024KB

MD5
857233de70f02f88ee8608899219ab66

SHA1
2cc71518234c0009e340b29f31d9f33a2bc5386b

SHA256
4512ab87e976daef2331184255631eb755ef4fb4d89be9c710306e5ab4f16b9f

SHA512
e1a5ba96e6f52bc10accaded7a0306c62e5117eb5cd6c482112e92c4b941c4558b92211cbe4fcf830156c6ba20647511684b821bb1613b9ee6fe0211e46248a6

Download Submit