2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756

Analysis

max time kernel
113s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
Size

1.1MB
MD5

285ea1f931c1bcc1709898548406f998
SHA1

45d19fa0c2895856060d5c27a5deea6c4f723361
SHA256

2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756
SHA512

10d06a004dddfc351fe15ac8e7e2b4e094e69c66a9cb41676d6338d56c88660ff5655b0fe106d355807c82476288b8ee4546c4cb4ba912a9a90cedc77f6d5f99
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qe:CcaClSFlG4ZM7QzM1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4536	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
4536	svchcst.exe
1684	svchcst.exe
2580	svchcst.exe
2016	svchcst.exe
4272	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
4536	svchcst.exe
4536	svchcst.exe
1684	svchcst.exe
1684	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
4272	svchcst.exe
4272	svchcst.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 3824	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	89
PID 1136 wrote to memory of 3824	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	89
PID 1136 wrote to memory of 3824	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	89
PID 1136 wrote to memory of 3092	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	92
PID 1136 wrote to memory of 3092	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	92
PID 1136 wrote to memory of 3092	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	92
PID 1136 wrote to memory of 1480	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	88
PID 1136 wrote to memory of 1480	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	88
PID 1136 wrote to memory of 1480	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	88
PID 1136 wrote to memory of 636	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	91
PID 1136 wrote to memory of 636	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	91
PID 1136 wrote to memory of 636	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	91
PID 1136 wrote to memory of 4468	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	90
PID 1136 wrote to memory of 4468	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	90
PID 1136 wrote to memory of 4468	1136	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	90
PID 3824 wrote to memory of 4536	3824	WScript.exe	96
PID 3824 wrote to memory of 4536	3824	WScript.exe	96
PID 3824 wrote to memory of 4536	3824	WScript.exe	96
PID 636 wrote to memory of 1684	636	WScript.exe	97
PID 636 wrote to memory of 1684	636	WScript.exe	97
PID 636 wrote to memory of 1684	636	WScript.exe	97
PID 1480 wrote to memory of 2580	1480	WScript.exe	98
PID 1480 wrote to memory of 2580	1480	WScript.exe	98
PID 1480 wrote to memory of 2580	1480	WScript.exe	98
PID 4536 wrote to memory of 4808	4536	svchcst.exe	100
PID 4536 wrote to memory of 4808	4536	svchcst.exe	100
PID 4536 wrote to memory of 4808	4536	svchcst.exe	100
PID 4536 wrote to memory of 4376	4536	svchcst.exe	101
PID 4536 wrote to memory of 4376	4536	svchcst.exe	101
PID 4536 wrote to memory of 4376	4536	svchcst.exe	101
PID 4536 wrote to memory of 3552	4536	svchcst.exe	102
PID 4536 wrote to memory of 3552	4536	svchcst.exe	102
PID 4536 wrote to memory of 3552	4536	svchcst.exe	102
PID 4376 wrote to memory of 2016	4376	WScript.exe	104
PID 4376 wrote to memory of 2016	4376	WScript.exe	104
PID 4376 wrote to memory of 2016	4376	WScript.exe	104
PID 3552 wrote to memory of 4272	3552	WScript.exe	105
PID 3552 wrote to memory of 4272	3552	WScript.exe	105
PID 3552 wrote to memory of 4272	3552	WScript.exe	105

C:\Users\Admin\AppData\Local\Temp\2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
"C:\Users\Admin\AppData\Local\Temp\2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:4808
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3552
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:4468
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
dda7c182baef6953d62085c954d6f43d

SHA1
82d35d46458a3ed05cc3e68abcbc8c8469a08516

SHA256
50f1da102d6c1bdea18d7bc88f1fcc3c8ac58ea3f4a030345bd656c8815ba14a

SHA512
1c47ba5677caee2bd1da78a5d9932e4a6b7172fc45b36d62f5fc3d24a69ba34cb66542a0cfd6ad182ca8cec3369c94c1520fea0381a70590fc55ffab7bd19c30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a938101b9c312ea5747d36466bcebaa2

SHA1
9959340b5625cbc0d2fec35105a26f9fc3861269

SHA256
c81620b4e66ca7e865d620ef939ee1fa3c52159f5b61868311783689a149e00c

SHA512
37184918c219de68dae3b32e64a731921c2bb80d25fdd7c6f744d26cad94c8d1fb56a0e5bf9734ff05ff4b7fb33a9d28f28b0e6be039275959b5720739b75194

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4a33f429bbee8d86e0e5b46a43f571bc

SHA1
518829352aa13783bba886d2f08672ca9ad6f7f1

SHA256
f121e2b2a31155840a162871876c2e35ba3278d35e710fb1857b14ae05ffeb0f

SHA512
5cd262b5384db4c4f9af49cf46e1c1cbef01ea03f5fa3554c3256b8343693497c9279bc894a58cea719fe0489ead294a26c5ef6c839c813d4ddd9d3a97809e8d

Download Submit