7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40

Analysis

max time kernel
31s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40.exe
Size

1.1MB
MD5

cb25fe91eb74ccafaafe0f78ccb7333a
SHA1

7a5cb10bd068811941c881a031fd1e53610a46ba
SHA256

7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40
SHA512

75d138a2760be0ea521965a7bac1c79358e64c968f79086b6c2960a29412fabdc2846d0f1b612230c99eaa5e403a06292f92e23340bf510bbff5ac978db15dbd
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRI:g5ApamAUAQ/lG4lBmFAvZI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2816	svchcst.exe

Executes dropped EXE 7 IoCs

pid	Process
2816	svchcst.exe
2560	svchcst.exe
1456	WScript.exe
2020	svchcst.exe
2164	svchcst.exe
748	svchcst.exe
764	svchcst.exe

Loads dropped DLL 8 IoCs

pid	Process
1340	WScript.exe
1340	WScript.exe
2692	WScript.exe
2936	WScript.exe
2936	WScript.exe
2936	WScript.exe
2936	WScript.exe
2936	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2212	7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2212	7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2212	7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40.exe
2212	7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40.exe
2816	svchcst.exe
2816	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
1456	WScript.exe
1456	WScript.exe
2020	svchcst.exe
2020	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
748	svchcst.exe
748	svchcst.exe
764	svchcst.exe
764	svchcst.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1340	2212	7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40.exe	28
PID 2212 wrote to memory of 1340	2212	7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40.exe	28
PID 2212 wrote to memory of 1340	2212	7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40.exe	28
PID 2212 wrote to memory of 1340	2212	7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40.exe	28
PID 1340 wrote to memory of 2816	1340	WScript.exe	30
PID 1340 wrote to memory of 2816	1340	WScript.exe	30
PID 1340 wrote to memory of 2816	1340	WScript.exe	30
PID 1340 wrote to memory of 2816	1340	WScript.exe	30
PID 2816 wrote to memory of 2692	2816	svchcst.exe	31
PID 2816 wrote to memory of 2692	2816	svchcst.exe	31
PID 2816 wrote to memory of 2692	2816	svchcst.exe	31
PID 2816 wrote to memory of 2692	2816	svchcst.exe	31
PID 2692 wrote to memory of 2560	2692	WScript.exe	33
PID 2692 wrote to memory of 2560	2692	WScript.exe	33
PID 2692 wrote to memory of 2560	2692	WScript.exe	33
PID 2692 wrote to memory of 2560	2692	WScript.exe	33
PID 2560 wrote to memory of 2936	2560	svchcst.exe	32
PID 2560 wrote to memory of 2936	2560	svchcst.exe	32
PID 2560 wrote to memory of 2936	2560	svchcst.exe	32
PID 2560 wrote to memory of 2936	2560	svchcst.exe	32
PID 2936 wrote to memory of 1456	2936	WScript.exe	71
PID 2936 wrote to memory of 1456	2936	WScript.exe	71
PID 2936 wrote to memory of 1456	2936	WScript.exe	71
PID 2936 wrote to memory of 1456	2936	WScript.exe	71
PID 2936 wrote to memory of 2020	2936	WScript.exe	35
PID 2936 wrote to memory of 2020	2936	WScript.exe	35
PID 2936 wrote to memory of 2020	2936	WScript.exe	35
PID 2936 wrote to memory of 2020	2936	WScript.exe	35
PID 2936 wrote to memory of 2164	2936	WScript.exe	36
PID 2936 wrote to memory of 2164	2936	WScript.exe	36
PID 2936 wrote to memory of 2164	2936	WScript.exe	36
PID 2936 wrote to memory of 2164	2936	WScript.exe	36
PID 2936 wrote to memory of 748	2936	WScript.exe	37
PID 2936 wrote to memory of 748	2936	WScript.exe	37
PID 2936 wrote to memory of 748	2936	WScript.exe	37
PID 2936 wrote to memory of 748	2936	WScript.exe	37
PID 2936 wrote to memory of 764	2936	WScript.exe	38
PID 2936 wrote to memory of 764	2936	WScript.exe	38
PID 2936 wrote to memory of 764	2936	WScript.exe	38
PID 2936 wrote to memory of 764	2936	WScript.exe	38

C:\Users\Admin\AppData\Local\Temp\7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40.exe
"C:\Users\Admin\AppData\Local\Temp\7eccd6ceaafd1116f22a016865986a865b7b8bddf73dcebb78a5afb2955f7d40.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2560

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1456
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2164
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:748
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:764
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1476
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    3⤵
    PID:1620
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      4⤵
      PID:1932

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
PID:2252
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1844
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1308
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:3016
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1612
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:832
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:604
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1300
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1320
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:2448
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1368
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:864
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1944
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1604
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:2528
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:2036
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1036
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:484
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:2084
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    3⤵
    PID:2700
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      4⤵
      PID:2552
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        5⤵
        
        PID:2292
      - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        6⤵
        
        PID:320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        8⤵
        
        PID:588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        9⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        10⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        11⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        12⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        13⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        14⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        15⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        16⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        17⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        18⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        19⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        20⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        21⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        22⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        21⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        22⤵
        
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
92KB

MD5
e40ddebbe76e26d68c7b1b6da4c4e773

SHA1
7c987b00b49a5329344edc86192b7472a360e703

SHA256
571c66d6e7748b3cab8d69ffede7f2190f831398cc7f635331ed596f8ffadece

SHA512
96d49cc0c44400d7fe4ca8975594259d85ebafe2f7b6288f8b0aedf474af411d59d5e44827692682fa269672caca83973c03ddb42e7bf4ba001c41a028092b74

Download Submit