c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
Size

1.1MB
MD5

503daa439879c6805cf54a8fcf6a1ece
SHA1

3d38e0d18c2f9fcd0d24cfbc9c31532611bda47e
SHA256

c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31
SHA512

af37f816c8afa8f5bf9ea5f4f022b4dde1d9253a09f3269f2cf3cf1334a2cdc50da768fcc2c4b88246c28e49ab5908a2aa93fec5030599a0531abd276586749b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q6:CcaClSFlG4ZM7QzMZ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
668	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
668	svchcst.exe
2908	svchcst.exe
528	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
924	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
924	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe
668	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
924	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
924	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
924	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
668	svchcst.exe
668	svchcst.exe
528	svchcst.exe
2908	svchcst.exe
528	svchcst.exe
2908	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 5076	924	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe	89
PID 924 wrote to memory of 5076	924	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe	89
PID 924 wrote to memory of 5076	924	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe	89
PID 5076 wrote to memory of 668	5076	WScript.exe	93
PID 5076 wrote to memory of 668	5076	WScript.exe	93
PID 5076 wrote to memory of 668	5076	WScript.exe	93
PID 668 wrote to memory of 1764	668	svchcst.exe	94
PID 668 wrote to memory of 1764	668	svchcst.exe	94
PID 668 wrote to memory of 1764	668	svchcst.exe	94
PID 668 wrote to memory of 1572	668	svchcst.exe	95
PID 668 wrote to memory of 1572	668	svchcst.exe	95
PID 668 wrote to memory of 1572	668	svchcst.exe	95
PID 1764 wrote to memory of 528	1764	WScript.exe	96
PID 1764 wrote to memory of 528	1764	WScript.exe	96
PID 1764 wrote to memory of 528	1764	WScript.exe	96
PID 1572 wrote to memory of 2908	1572	WScript.exe	97
PID 1572 wrote to memory of 2908	1572	WScript.exe	97
PID 1572 wrote to memory of 2908	1572	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
"C:\Users\Admin\AppData\Local\Temp\c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:528
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a4da31648189bd6748b9edf48d059fb3

SHA1
60f443dc13556dd3f90bbae3086d2bdfdca06875

SHA256
e7bbd8a067fa79b827daa2fa570c274d7c5d25e02006affbba992f6ea9406240

SHA512
8a5fc53c81a7701a1c48a0a5c3e012bf2ccbf3cbf43cb82cbf2fbfe1221712218c9077964d320cd18a714cd933eabe1a104a902766adc245f68909f4e45ab77f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f34d80cfc0eb52946905e1aec940018c

SHA1
b4a82faabec238b6cf97884ddbf847d9872f87ed

SHA256
dc29049a0fd1f2f100e8c86e0388e485313639305b003f5a15156bf580490907

SHA512
4a598079e66cf7d4a11ee02751d08f1af15c07e2642daf2457a04e22f2d53d7c2a2df29f592b92fd2798321f2c2d60fccc596211ba0c158bc0cb23d0de19b9c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
042b185d443f09182164a6d4becf37a7

SHA1
8d3033a3aa67f71d3d4c3a566d44c1d0823090e3

SHA256
a479aa804ccfe817e841c2af3cb2cf04e66a8e21d0402957d2552a7033c88cfd

SHA512
83304f02ce1b77ac7e01534f430bf7fc911b062dec907b0f476d5d6681f16b654d93ef465a95b2a1f45bdddcb946ef5ae7d1d97aefc08f80f76887a216a04654

Download Submit