63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe
Size

1.1MB
MD5

e50d5554bdf5dd311d616b88a836e5ea
SHA1

ee014ed7530ed5259086fa1c1904f945072dcacf
SHA256

63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11
SHA512

501001b0b9145cbc2f006513ab97432fa2554100420c2b5c272e8653027bbc1386d2e1d60a7e8b70bb32326848e7fc9ccc31389c664963f89bc0bbce5a1ad4eb
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q1:CcaClSFlG4ZM7QzMu

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2004	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4076	svchcst.exe
2004	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe
1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe
1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe
1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe
1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe
1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe
1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe
4076	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
4076	svchcst.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 4492	1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe	90
PID 1568 wrote to memory of 4492	1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe	90
PID 1568 wrote to memory of 4492	1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe	90
PID 1568 wrote to memory of 4156	1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe	89
PID 1568 wrote to memory of 4156	1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe	89
PID 1568 wrote to memory of 4156	1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe	89
PID 1568 wrote to memory of 3652	1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe	88
PID 1568 wrote to memory of 3652	1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe	88
PID 1568 wrote to memory of 3652	1568	63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe	88
PID 4156 wrote to memory of 4076	4156	WScript.exe	95
PID 4156 wrote to memory of 4076	4156	WScript.exe	95
PID 4156 wrote to memory of 4076	4156	WScript.exe	95
PID 4492 wrote to memory of 2004	4492	WScript.exe	96
PID 4492 wrote to memory of 2004	4492	WScript.exe	96
PID 4492 wrote to memory of 2004	4492	WScript.exe	96

C:\Users\Admin\AppData\Local\Temp\63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe
"C:\Users\Admin\AppData\Local\Temp\63e590730e92d1d80f966434e948c4f56e16915ffa74115b7bf4d5e6f7e94c11.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4076
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
75a0573c63dfdf13ee2366e56d2c9d15

SHA1
61f2e061d50f73003313fcc9fb5ff13f5a4c24f9

SHA256
ccd979e10e3be2238af39ec81701bd24c3fd3ec36b4d0f806f8676dfb971e7c5

SHA512
8127fedb0999390ecad3e65bf207a9cb0536e30d3c1918f249b2afcebe84ef54455d7e3f5305ae567966e63df56f6d80c6f9c0e709805d3b175668504ed655e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e8d0e8bfa7d67ad3df6861295134a5b2

SHA1
5d2c9bc099f3a2509e10a9d04cf589a71fcc2d7a

SHA256
00b0fbad35a17c7af694de11f6a4dd1c5232bdae9d051bfab77177f4b9fd0eed

SHA512
fb7e4eff15fd56e962df0b5c2ae1105ffb7ba82894325d45db47a99c041ff2cea0c43e6eb4db439e9dab482b63780ab4c973055ca4f827988fcdbf86763b198a

Download Submit