6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe
Size

1.1MB
MD5

e7ec9c89f8ff8e2d6d2e9e04ef90889b
SHA1

dce379b70627afcf63b7164d41f0aac45ab01ab5
SHA256

6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79
SHA512

f71397301655deb6ffa4f3d07a5a98022f2ecdb58492c1bf40dad600227e3371591dfbc0df85ce6fb651066f327ef4d65c51d94d9aeb3ea3d175cc2a4179cc02
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QJ:CcaClSFlG4ZM7QzMK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2788	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2788	svchcst.exe
2580	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2684	WScript.exe
2716	WScript.exe
2684	WScript.exe
2716	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe
3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe
3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe
2788	svchcst.exe
2580	svchcst.exe
2788	svchcst.exe
2580	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2684	3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe	28
PID 3000 wrote to memory of 2684	3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe	28
PID 3000 wrote to memory of 2684	3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe	28
PID 3000 wrote to memory of 2684	3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe	28
PID 3000 wrote to memory of 2716	3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe	29
PID 3000 wrote to memory of 2716	3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe	29
PID 3000 wrote to memory of 2716	3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe	29
PID 3000 wrote to memory of 2716	3000	6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe	29
PID 2684 wrote to memory of 2788	2684	WScript.exe	32
PID 2684 wrote to memory of 2788	2684	WScript.exe	32
PID 2684 wrote to memory of 2788	2684	WScript.exe	32
PID 2684 wrote to memory of 2788	2684	WScript.exe	32
PID 2716 wrote to memory of 2580	2716	WScript.exe	31
PID 2716 wrote to memory of 2580	2716	WScript.exe	31
PID 2716 wrote to memory of 2580	2716	WScript.exe	31
PID 2716 wrote to memory of 2580	2716	WScript.exe	31

C:\Users\Admin\AppData\Local\Temp\6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe
"C:\Users\Admin\AppData\Local\Temp\6856c506ba2832e94ab32aab3b20d2e3d70b1c12869f4b1f4c5a7736d7750e79.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0fa78bad841600865145f5fe525065aa

SHA1
9df66234ee6e2845f243e312f3e921531a27bd64

SHA256
5b1a210c3e07afc466a8b43106688d0cedbcfd8bb4b64e43c2cc8bdcb951456e

SHA512
7fb208732abedd6d24fe0b63c580140f029924db3cb30cdba771fb5115e087f9eb3c7323253da46e75243c55188b970a638eda0f70892b00e115303f70beeef9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fff5d2257b6ff84af27c9b3699419b1c

SHA1
9569a764d1ce0c5e7f8afb445679b09003a5391b

SHA256
81f69055089252694c75abead59ff5d0411370aab060fb229711d47b23e687f4

SHA512
4f3d42b279f43492b8f6b0ee792b887adaf489cbde318b1c7780e8a17a5e731b48d9fc4b7bbdb6bce9be97aa6312b77f86b9b0a126ac17cab4c8195415e3c388

Download Submit