e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/01/2024, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe
Size

1.1MB
MD5

a58d2d8d74b0b78b0ac7fc66ad932737
SHA1

4e43a68a9e5818a9f110671c5674e5773fc6c781
SHA256

e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109
SHA512

022846bbee9a6a052273ae1a3ed057565f57cc5940de6b7980dc91d75a325caf2092960fb6e634afce786e3a75cb211a734ae416e2513cd57370e1f9b3bcbfa3
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRv:g5ApamAUAQ/lG4lBmFAvZv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2904	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2904	svchcst.exe
2948	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2852	WScript.exe
2852	WScript.exe
3020	WScript.exe
3020	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe
836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe
836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe
2904	svchcst.exe
2904	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 3020	836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe	28
PID 836 wrote to memory of 2852	836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe	27
PID 836 wrote to memory of 2852	836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe	27
PID 836 wrote to memory of 2852	836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe	27
PID 836 wrote to memory of 3020	836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe	28
PID 836 wrote to memory of 2852	836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe	27
PID 836 wrote to memory of 3020	836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe	28
PID 836 wrote to memory of 3020	836	e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe	28
PID 2852 wrote to memory of 2904	2852	WScript.exe	31
PID 2852 wrote to memory of 2904	2852	WScript.exe	31
PID 2852 wrote to memory of 2904	2852	WScript.exe	31
PID 2852 wrote to memory of 2904	2852	WScript.exe	31
PID 3020 wrote to memory of 2948	3020	WScript.exe	30
PID 3020 wrote to memory of 2948	3020	WScript.exe	30
PID 3020 wrote to memory of 2948	3020	WScript.exe	30
PID 3020 wrote to memory of 2948	3020	WScript.exe	30

C:\Users\Admin\AppData\Local\Temp\e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe
"C:\Users\Admin\AppData\Local\Temp\e574a1f28c56e4591cfd7c3dcec175187a640c62ff4772ba857611d449009109.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
2cf19a3f2a3d28829c8d240ce93c4530

SHA1
8cd0500385df11e3a8504d0380a4ae4d32fec798

SHA256
12b7ea06194a029ff60acbd4367dbd21735b4e2ae9537ed0d835a31fe42b1ebe

SHA512
140075043fd38e9fe33f22c64fd9a26ce7f4fd0e764d91658e2b8256c30fa6823d70d38baeac5b738c95775524154a26796f07f19bbea8cce2e18b22427f8126

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bbb21e92ec2cf98c5706ad13be85473d

SHA1
f2533659bbaa7b19157ca71f4985b9108b8d25c3

SHA256
a5af560ddb8f96fb5f1cd38e139afbd1e63a1f32c6d59e1b06907e879e138603

SHA512
101f79091a0f63832d4ab48b52b6c9f2309ff052f6173d7f86c180a691c2772d2834f2e2be8fba64d7a5878ba0a4ddf2e590a67717d44145dd4c36856a41e944

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
92KB

MD5
e40ddebbe76e26d68c7b1b6da4c4e773

SHA1
7c987b00b49a5329344edc86192b7472a360e703

SHA256
571c66d6e7748b3cab8d69ffede7f2190f831398cc7f635331ed596f8ffadece

SHA512
96d49cc0c44400d7fe4ca8975594259d85ebafe2f7b6288f8b0aedf474af411d59d5e44827692682fa269672caca83973c03ddb42e7bf4ba001c41a028092b74

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
521KB

MD5
478aba98872ae8b98f688ce17a5825b5

SHA1
dff22072bc01a695e70faa80a7b60c868a04df4e

SHA256
47bc0749fc70a0a391fa8f466981fc6862c7899d1204599da5e112da9a00d249

SHA512
cf8f8a81ef1ffce0dc2eed8119ef9886748e6a55c417c0a349952c744ac915df281a1285ec3c5fe28151549b1a84130b92c2116fdd686d6bf318fffeb5b27353

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
381KB

MD5
2aed645bc8bf386c92c4f7e9713d4aa4

SHA1
433664a4530198f602710b06d337fcceff850071

SHA256
db241d71eb4baf45db73578698686884cb9d36088ceef016cc3e9047001f6d4b

SHA512
2f7e0c3acbddd92f86803908b6bd160cd3d06002c1c4f88458d03e9ba8c16e17c1382fdafd5dba21720977255d7e1eea5f0a74e607e28e7ec2aa346dc8b005c0

Download Submit
memory/836-4-0x0000000003C80000-0x0000000003C95000-memory.dmp

Filesize
84KB

Download