9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe
Size

1.1MB
MD5

c4336d5fff0b6f8b809c1f304c188e97
SHA1

2634e5d35dfd1ef83d48f9c0facf1adeca13c5b3
SHA256

9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242
SHA512

f08579709f42a9522117327b2ae7876d5b63bf9ecd712fd7488e1b1fc6be684b6a086d3dc6839745993dbd42e590107ba4da344613c76e311d12099301f4f7d1
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q1:CcaClSFlG4ZM7QzMO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
268	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1488	svchcst.exe
268	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2724	WScript.exe
2712	WScript.exe
2724	WScript.exe
2712	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe
1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe
268	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe
1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe
268	svchcst.exe
268	svchcst.exe
1488	svchcst.exe
1488	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 2724	1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe	29
PID 1112 wrote to memory of 2724	1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe	29
PID 1112 wrote to memory of 2724	1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe	29
PID 1112 wrote to memory of 2724	1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe	29
PID 1112 wrote to memory of 2712	1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe	28
PID 1112 wrote to memory of 2712	1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe	28
PID 1112 wrote to memory of 2712	1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe	28
PID 1112 wrote to memory of 2712	1112	9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe	28
PID 2724 wrote to memory of 1488	2724	WScript.exe	32
PID 2724 wrote to memory of 1488	2724	WScript.exe	32
PID 2724 wrote to memory of 1488	2724	WScript.exe	32
PID 2724 wrote to memory of 1488	2724	WScript.exe	32
PID 2712 wrote to memory of 268	2712	WScript.exe	31
PID 2712 wrote to memory of 268	2712	WScript.exe	31
PID 2712 wrote to memory of 268	2712	WScript.exe	31
PID 2712 wrote to memory of 268	2712	WScript.exe	31

C:\Users\Admin\AppData\Local\Temp\9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe
"C:\Users\Admin\AppData\Local\Temp\9c81a2524bd517ba43e7d7223163bcacb420b5f6c92550d2fc079aee4dc60242.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
97a656caa43bd90c8458f8b6a38d35f8

SHA1
112f8a5a987f231d5a584faa37a34464bdc877c1

SHA256
ad10b3ba6e52035fdad2410d2d3f9b4ec28c92838bfc26755670047867537231

SHA512
bafe9bf8194bed2bf1f8136e749951d3ebe4d21bc515e3f5915fa8851417f699897f570cf5a4e72d373a28976f511dedb667376376b1c36dbfca8899e766bfa1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
896KB

MD5
f91c30ab4d31072ea24e4fb7ea3fecf6

SHA1
cb37d1d87b20b5007eedb54438ce875ab22bdfc3

SHA256
ea803ca40e6c5074166d65dd19ccfd7035fd2a711142f1a9acc562a717762148

SHA512
d3e5633ff1e91be94cbb9e1a8924c8a1e99a0741a796c4a15851b75627c1545fa83d0d90b974fcc23a40cd82daa6c0d2ac8c8f3e3a29669f990ceed9204e5b27

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e50130a896bb9a2ee4985b0a54133126

SHA1
7c8e220e3932755b2aaa8872d263152861da6cdc

SHA256
753c4cee655770d6ad7b66051686b024f63e8d793b2b553b4a608eec64fff5e6

SHA512
05e61ecbe333299c6833f018a48bba500509fe2a4e3ca13697133146e8c9a17bf12ee84ddb527f52e0add53de683f3606db9ca20d9faebc94d779b0cd1b5c74d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
768KB

MD5
526e42ceb90cee3740855700e1630005

SHA1
8d324ae778a428e4e3680880819a911cfc5b3c44

SHA256
ed29170b618125a491161058fa8f0d1528ba17e2cf855449267b7f8ff1ef0fdd

SHA512
1b27bccb3be0f4aa851d1348abbffcea513f7480254c0d9bba4924589ffcc7855144eb6cbc659a5e323e933a950bcf47a0257154324b00473b4f593a2c5ac232

Download Submit