1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23

Analysis

max time kernel
138s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
Size

1.1MB
MD5

f3ac5b9c5e2aacfc4a9d1b140ccb393d
SHA1

e78ff87b0a80db8843143234e38b2d1fbd7a9e2a
SHA256

1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23
SHA512

d90f65a7459594823bd083288404566c3f3d0e665c929051f12500b276cc2a160a999430da63f99bef89db88bdc0695c79aef5d255a7d1fea18f626780b65dcd
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QL:CcaClSFlG4ZM7QzM8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1240	svchcst.exe

Executes dropped EXE 16 IoCs

pid	Process
1240	svchcst.exe
1116	svchcst.exe
3740	svchcst.exe
3332	svchcst.exe
3536	svchcst.exe
4856	svchcst.exe
4424	svchcst.exe
3272	svchcst.exe
2256	svchcst.exe
4716	svchcst.exe
932	svchcst.exe
4364	svchcst.exe
1436	svchcst.exe
3308	svchcst.exe
4992	svchcst.exe
1356	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
1240	svchcst.exe
1240	svchcst.exe
1116	svchcst.exe
3740	svchcst.exe
1116	svchcst.exe
3740	svchcst.exe
4856	svchcst.exe
4856	svchcst.exe
4424	svchcst.exe
3536	svchcst.exe
3332	svchcst.exe
3272	svchcst.exe
4424	svchcst.exe
3536	svchcst.exe
3332	svchcst.exe
3272	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
932	svchcst.exe
932	svchcst.exe
4364	svchcst.exe
4364	svchcst.exe
1436	svchcst.exe
1436	svchcst.exe
3308	svchcst.exe
3308	svchcst.exe
4992	svchcst.exe
4992	svchcst.exe
1356	svchcst.exe
1356	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2580	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	92
PID 1648 wrote to memory of 2580	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	92
PID 1648 wrote to memory of 2580	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	92
PID 1648 wrote to memory of 5012	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	88
PID 1648 wrote to memory of 5012	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	88
PID 1648 wrote to memory of 5012	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	88
PID 1648 wrote to memory of 1008	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	87
PID 1648 wrote to memory of 1008	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	87
PID 1648 wrote to memory of 1008	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	87
PID 1648 wrote to memory of 2612	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	85
PID 1648 wrote to memory of 2612	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	85
PID 1648 wrote to memory of 2612	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	85
PID 1648 wrote to memory of 2676	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	90
PID 1648 wrote to memory of 2676	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	90
PID 1648 wrote to memory of 2676	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	90
PID 1648 wrote to memory of 488	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	86
PID 1648 wrote to memory of 488	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	86
PID 1648 wrote to memory of 488	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	86
PID 1648 wrote to memory of 1444	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	89
PID 1648 wrote to memory of 1444	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	89
PID 1648 wrote to memory of 1444	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	89
PID 1648 wrote to memory of 3100	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	91
PID 1648 wrote to memory of 3100	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	91
PID 1648 wrote to memory of 3100	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	91
PID 1648 wrote to memory of 2240	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	83
PID 1648 wrote to memory of 2240	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	83
PID 1648 wrote to memory of 2240	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	83
PID 1648 wrote to memory of 4564	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	93
PID 1648 wrote to memory of 4564	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	93
PID 1648 wrote to memory of 4564	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	93
PID 1648 wrote to memory of 3548	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	94
PID 1648 wrote to memory of 3548	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	94
PID 1648 wrote to memory of 3548	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	94
PID 1648 wrote to memory of 4684	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	84
PID 1648 wrote to memory of 4684	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	84
PID 1648 wrote to memory of 4684	1648	1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe	84
PID 3100 wrote to memory of 1240	3100	WScript.exe	98
PID 3100 wrote to memory of 1240	3100	WScript.exe	98
PID 3100 wrote to memory of 1240	3100	WScript.exe	98
PID 4564 wrote to memory of 1116	4564	WScript.exe	96
PID 4564 wrote to memory of 1116	4564	WScript.exe	96
PID 4564 wrote to memory of 1116	4564	WScript.exe	96
PID 2580 wrote to memory of 3740	2580	WScript.exe	97
PID 2580 wrote to memory of 3740	2580	WScript.exe	97
PID 2580 wrote to memory of 3740	2580	WScript.exe	97
PID 5012 wrote to memory of 3332	5012	WScript.exe	105
PID 5012 wrote to memory of 3332	5012	WScript.exe	105
PID 5012 wrote to memory of 3332	5012	WScript.exe	105
PID 2612 wrote to memory of 3536	2612	WScript.exe	104
PID 2612 wrote to memory of 3536	2612	WScript.exe	104
PID 2612 wrote to memory of 3536	2612	WScript.exe	104
PID 2240 wrote to memory of 4856	2240	WScript.exe	99
PID 2240 wrote to memory of 4856	2240	WScript.exe	99
PID 2240 wrote to memory of 4856	2240	WScript.exe	99
PID 3548 wrote to memory of 4424	3548	WScript.exe	103
PID 3548 wrote to memory of 4424	3548	WScript.exe	103
PID 3548 wrote to memory of 4424	3548	WScript.exe	103
PID 4684 wrote to memory of 2256	4684	WScript.exe	102
PID 4684 wrote to memory of 2256	4684	WScript.exe	102
PID 4684 wrote to memory of 2256	4684	WScript.exe	102
PID 2676 wrote to memory of 3272	2676	WScript.exe	100
PID 2676 wrote to memory of 3272	2676	WScript.exe	100
PID 2676 wrote to memory of 3272	2676	WScript.exe	100
PID 488 wrote to memory of 4716	488	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe
"C:\Users\Admin\AppData\Local\Temp\1e573c1e4245e953d02670bdb90dd26401fe298f551dc9dfdcd497ee07df0e23.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4856
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2256
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3536
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1008
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:932
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1436
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:3524
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3332
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1444
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4364
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3308
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4514270aa404823d5b9dce00a686d1bc

SHA1
175e7b7d72119cbdf56d74e12ed5676531836f6b

SHA256
c185a07c0f6ca6757e8ec18d4b79926027a2316ded9077e010cec1ee0c6a98d9

SHA512
97978a968aa437e5a2790dad97ee7027e66a81e0ec07af345c3223a002e430d68ee5a581583bb45aed53039d0f1c92115c3ee9af542ffba737e8c84023d31b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9c6ebeb855d8365f6b0b7a287e7fe441

SHA1
e4f5137a22e52f63cc6fb877a3d7208b2ebd4d39

SHA256
116023ca713ccb77c65fd44478a4be3909b0c1e17a50b16cd19189388d578e45

SHA512
86e45e579c9764453dae79127330a68964ca4f8117ff8da651fa0d5e1e868cecee1ae4ee712a1a7a33bef6b98f448627c67c2a052d2b74c42f7c73bdfbb6582e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
448KB

MD5
92aaa7d282a78337aec37d84aa76bcd6

SHA1
a872ef045e2292f06ae11bab57560ba1d1d8594f

SHA256
77bf6152ba686e52b80b7d495915c58127c672ba34d85aa01dd11938bc134f8d

SHA512
8af8cfc0aefef60c35c5803a7a94bab16160c50c651951c735136834a384de975faf6209333c3af4a0cce6d1dc8883411bbbd9017fee7be6ed0e04e358f6596b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
128KB

MD5
bc1864c83633336ea3d14046f55a915e

SHA1
a0708b453a5d391e5e9267b19de285a839d3ad8b

SHA256
f026e2d94c11085502a28d9203e0d787246439229bfb983e90f50a47fad6be4e

SHA512
23bfd188abd2a24b7e4b9a79caecc98b995c316528a36836b5cbd0d36f7559bbb3e088f72fcffb06827b5e93447bda54831261d36bef342589c12b3691e23310

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2e4a606c7eebc46d97e8f0f0b9d1e266

SHA1
c104189e1c74767b06906c184016494d443d30b3

SHA256
8cbab76b1bd3dc61eb1ced1cc1adf3e028bd91732501b502f3e33ba8bec3e821

SHA512
00d9d9b923873dd12669f31b8462a1c5c78d8b335edffc85a9710bb7633770bf0625aca5ec3c98c2f829e41266cda3584c801a048cc5cfb80d4f8c1e10dff42b

Download Submit