9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe
Size

1.1MB
MD5

7769af10f790b2ffdb3403abb55b479e
SHA1

9be45e2e0dbf0ba4720831eee77332ed3cce86a8
SHA256

9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30
SHA512

0c7f02cb37c1b9ccc93210e23b72182e6e10395a7b6943b92afde8bd21a00738b612fd5df7a24378a36b3fc8013e037b402844eb0d4d856338337e95113fa9c8
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q/:CcaClSFlG4ZM7QzM4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1960	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1960	svchcst.exe
1436	svchcst.exe
1044	svchcst.exe

Loads dropped DLL 5 IoCs

pid	Process
1912	WScript.exe
1912	WScript.exe
2688	WScript.exe
2092	WScript.exe
2688	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe
2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe
2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe
2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe
1960	svchcst.exe
1960	svchcst.exe
1044	svchcst.exe
1436	svchcst.exe
1044	svchcst.exe
1436	svchcst.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1912	2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe	28
PID 2236 wrote to memory of 1912	2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe	28
PID 2236 wrote to memory of 1912	2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe	28
PID 2236 wrote to memory of 1912	2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe	28
PID 2236 wrote to memory of 2092	2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe	29
PID 2236 wrote to memory of 2092	2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe	29
PID 2236 wrote to memory of 2092	2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe	29
PID 2236 wrote to memory of 2092	2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe	29
PID 2236 wrote to memory of 2688	2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe	30
PID 2236 wrote to memory of 2688	2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe	30
PID 2236 wrote to memory of 2688	2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe	30
PID 2236 wrote to memory of 2688	2236	9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe	30
PID 1912 wrote to memory of 1960	1912	WScript.exe	32
PID 1912 wrote to memory of 1960	1912	WScript.exe	32
PID 1912 wrote to memory of 1960	1912	WScript.exe	32
PID 1912 wrote to memory of 1960	1912	WScript.exe	32
PID 2092 wrote to memory of 1436	2092	WScript.exe	34
PID 2092 wrote to memory of 1436	2092	WScript.exe	34
PID 2092 wrote to memory of 1436	2092	WScript.exe	34
PID 2092 wrote to memory of 1436	2092	WScript.exe	34
PID 2688 wrote to memory of 1044	2688	WScript.exe	33
PID 2688 wrote to memory of 1044	2688	WScript.exe	33
PID 2688 wrote to memory of 1044	2688	WScript.exe	33
PID 2688 wrote to memory of 1044	2688	WScript.exe	33

C:\Users\Admin\AppData\Local\Temp\9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe
"C:\Users\Admin\AppData\Local\Temp\9c4822ac8c76e5e57c932d26e171306656fb6f05e4bd045b0f1e8630f4bc9b30.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1436
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c726530c9a6cd118c74f6db5d074d68e

SHA1
a77c000429753c22e5c851c5f4090e6b2625dd6a

SHA256
09f1e8c6924cc96982284ab870d61d670eaa37525c96ca2f9563f78efe1d9721

SHA512
2c33638e66b52be52aefa32b0396fdee4b701facb7207cb1146a7759b485d39d2daaca03851912a959879474437ebc3a1afea084df344403100166e41d9eb58d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
feaed6eb073d0445fb9f1be02c447586

SHA1
504439cd6f826ac6a0dc6a52d0b528b24a9eaa6b

SHA256
c017414ff1b7ac92862e46becaee02788c2fa8b58ba8677d1620af43a28ca76f

SHA512
c0be4d19bb27b106edd2efbee281a058303d8edbdafbf6f78425033a57244082b9eb225b96faac60a668168c56e6729c5f0c4d22790bc86cc27312b17fe71914

Download Submit