380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907

General

Target

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
Size

1.1MB
MD5

805cc740136e4935b8b796601e7ea697
SHA1

15a4ac632e7dea6ef5744a1f7301cb36f5aa0e07
SHA256

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907
SHA512

4408ad772d0c57bfa30e1c0bc8015c84163d3bead7d375393373b9b1774b7dd58444468492d44d9b7311f444cc56851cc60def4cca1acaf231a67dbd7e001b55
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QN:CcaClSFlG4ZM7QzMm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2636 svchcst.exe
Executes dropped EXE 2 IoCs

Processes:

svchcst.exesvchcst.exe

pid process

2580 svchcst.exe
2636 svchcst.exe
Loads dropped DLL 4 IoCs

Processes:

WScript.exeWScript.exe

pid process

2652 WScript.exe
2652 WScript.exe
2092 WScript.exe
2092 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2636	svchcst.exe

pid	process
2580	svchcst.exe
2636	svchcst.exe

pid	process
2652	WScript.exe
2652	WScript.exe
2092	WScript.exe
2092	WScript.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exesvchcst.exe

pid	process
2236	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
2236	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe

pid process

2236 380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exesvchcst.exesvchcst.exe

pid	process
2236	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
2236	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
2636	svchcst.exe
2636	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exeWScript.exeWScript.exe

description	pid	process	target process
PID 2236 wrote to memory of 2652	2236	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 2236 wrote to memory of 2652	2236	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 2236 wrote to memory of 2652	2236	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 2236 wrote to memory of 2652	2236	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 2236 wrote to memory of 2092	2236	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 2236 wrote to memory of 2092	2236	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 2236 wrote to memory of 2092	2236	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 2236 wrote to memory of 2092	2236	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 2652 wrote to memory of 2580	2652	WScript.exe	svchcst.exe
PID 2652 wrote to memory of 2580	2652	WScript.exe	svchcst.exe
PID 2652 wrote to memory of 2580	2652	WScript.exe	svchcst.exe
PID 2652 wrote to memory of 2580	2652	WScript.exe	svchcst.exe
PID 2092 wrote to memory of 2636	2092	WScript.exe	svchcst.exe
PID 2092 wrote to memory of 2636	2092	WScript.exe	svchcst.exe
PID 2092 wrote to memory of 2636	2092	WScript.exe	svchcst.exe
PID 2092 wrote to memory of 2636	2092	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
"C:\Users\Admin\AppData\Local\Temp\380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
fda66701776563380c922727915f195d

SHA1
e02c91e5d19305187d547e29980262ee4b03b477

SHA256
dd96d4d8829f03d030d1e6b4bd9733338035062539816959819c09d475e192d8

SHA512
2dea6da1c8a8365c67d9e63d81b5e1940742e108b1836af1f967623b04d6093ebf3d949184e618b82a37fe2509ab6a763f7ad6ae566ded64b88826a3fa35466a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f6ea7b84e7f0d66e694207551102c5d6

SHA1
4b39ee61e3a4a3db804f5badbfaf066706cd3254

SHA256
afa4e6c5e6a78a384ef29e4f41de24b83d70f185afa5fbbd6bf550a9386d6e51

SHA512
894704669061445d0fc96b193c3352bcf252470bc80d99439cb6e74ff38856a8c4a805c816a3598295695c2916a0bf41190103deab8c076f34b314a58d62058a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads