Analysis Overview
SHA256
9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e
Threat Level: Known bad
The file 9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e was found to be: Known bad.
Malicious Activity Summary
Kinsing
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 17:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 17:32
Reported
2024-01-25 17:35
Platform
win7-20231129-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
"C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
The remaining entries in this process list are identical repeats of the two above: in total the run recorded 24 instances of WScript.exe executing VBS3.vbs and 23 instances of svchcst.exe.
Network
Files
Distinct files written during the run (VBS3.vbs and svchcst.exe were rewritten repeatedly with differing contents):
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
C:\Users\Admin\AppData\Roaming\svchcst.exe
\??\PIPE\srvsvc
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 17:32
Reported
2024-01-25 17:35
Platform
win10v2004-20231215-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Kinsing
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
"C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe