4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3

Analysis

max time kernel
90s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe
Size

1.1MB
MD5

a5804c8bf24c287f5645b3dc5d6db759
SHA1

2ee81bf5868785878044ac2fec05793f4ae970bd
SHA256

4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3
SHA512

855b8afe6079b214f374c44c2fb3a68679eda21d3646919c5f832d7ad1b5715c34936e7639caeed934a01128eec88110d4b9be8cdf1362e23648f9752e05b362
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Ql:CcaClSFlG4ZM7QzMO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1284	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1284	svchcst.exe
2064	svchcst.exe
1808	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2920	4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe
2920	4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2920	4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2920	4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe
2920	4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe
1284	svchcst.exe
1284	svchcst.exe
1808	svchcst.exe
2064	svchcst.exe
1808	svchcst.exe
2064	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2664	2920	4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe	87
PID 2920 wrote to memory of 2664	2920	4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe	87
PID 2920 wrote to memory of 2664	2920	4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe	87
PID 2664 wrote to memory of 1284	2664	WScript.exe	93
PID 2664 wrote to memory of 1284	2664	WScript.exe	93
PID 2664 wrote to memory of 1284	2664	WScript.exe	93
PID 1284 wrote to memory of 3188	1284	svchcst.exe	95
PID 1284 wrote to memory of 3188	1284	svchcst.exe	95
PID 1284 wrote to memory of 3188	1284	svchcst.exe	95
PID 1284 wrote to memory of 1652	1284	svchcst.exe	94
PID 1284 wrote to memory of 1652	1284	svchcst.exe	94
PID 1284 wrote to memory of 1652	1284	svchcst.exe	94
PID 1652 wrote to memory of 2064	1652	WScript.exe	98
PID 1652 wrote to memory of 2064	1652	WScript.exe	98
PID 1652 wrote to memory of 2064	1652	WScript.exe	98
PID 3188 wrote to memory of 1808	3188	WScript.exe	99
PID 3188 wrote to memory of 1808	3188	WScript.exe	99
PID 3188 wrote to memory of 1808	3188	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe
"C:\Users\Admin\AppData\Local\Temp\4377d50c2c4942f7e75191d36d2438ee77af80aeb85a0a64b8a85343a12b64d3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2064
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5d8f52544209ea29552eb8db687a8828

SHA1
d1d4c5c889bd50e498c168c84bebb13fea6ef3cd

SHA256
8659a08e56684326b81fdbfd6f05d1c3b95d6d2ae10ccc595435bcea11936acb

SHA512
10f8be2b5e78aa4e691a11199ca1f89f1c15682052f830222ae7b7591404742b76435dbec03fa6af9be0e208cf02d085f24aca4ca919f5786241068379ef1b78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f3ed3b3e73d2180680fd6b5512dc3073

SHA1
4125f7c28af1889face5d070764b060b21aed2c4

SHA256
ef0de1e66d3a97a260b097d739098e15c382e4fbd0f6b527bcfc3dd5177a5e7a

SHA512
1f92e13d4fc8c6bbcb1b89bc5c819275906c5d21e993d37020a920252adf5333478820ca7c11b7d3af4610c4f58de368a15c6f90c1febac6733eef3bbc132164

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c6ca3325797a8588df19640fddb23aec

SHA1
9522fb5d44877c4cf7fb5e77be5ad1797443e56b

SHA256
53116488787ced214e6980cc8e927799666a1f3db587c36a10c3a05581ca3b0d

SHA512
9414887c21006c395c1d268e0171831610091eb526554802f4cb0769f152cf0a0b67220d1a46c0c2379c69e5ba2b4e3bf2c1c1aab7eed44ccd74cc08f64b9b04

Download Submit