b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138

Analysis

max time kernel
121s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 19:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe
Size

1.1MB
MD5

c55e95bcdabeb808055b5b31d1c93fc2
SHA1

4fa3890c48719486b311feb2eb329b0cdda8c30c
SHA256

b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138
SHA512

d3b68332d2b393226f97dabac6373ea46536b737a9a77a24802571e678d47ad263acc9c786d8598fa26859a969e659c6f53abb23460909ff14f7d23c989496ae
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q/:CcaClSFlG4ZM7QzMY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1176	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
1176	svchcst.exe
740	svchcst.exe
2404	svchcst.exe
2192	svchcst.exe

Loads dropped DLL 7 IoCs

pid	Process
2656	WScript.exe
2852	WScript.exe
2852	WScript.exe
2656	WScript.exe
2512	WScript.exe
2512	WScript.exe
2828	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe
3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
1176	svchcst.exe
740	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe
3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe
1176	svchcst.exe
1176	svchcst.exe
740	svchcst.exe
740	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2852	3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe	27
PID 3024 wrote to memory of 2852	3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe	27
PID 3024 wrote to memory of 2852	3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe	27
PID 3024 wrote to memory of 2852	3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe	27
PID 3024 wrote to memory of 2656	3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe	28
PID 3024 wrote to memory of 2656	3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe	28
PID 3024 wrote to memory of 2656	3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe	28
PID 3024 wrote to memory of 2656	3024	b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe	28
PID 2852 wrote to memory of 1176	2852	WScript.exe	31
PID 2852 wrote to memory of 1176	2852	WScript.exe	31
PID 2852 wrote to memory of 1176	2852	WScript.exe	31
PID 2852 wrote to memory of 1176	2852	WScript.exe	31
PID 2656 wrote to memory of 740	2656	WScript.exe	30
PID 2656 wrote to memory of 740	2656	WScript.exe	30
PID 2656 wrote to memory of 740	2656	WScript.exe	30
PID 2656 wrote to memory of 740	2656	WScript.exe	30
PID 740 wrote to memory of 2828	740	svchcst.exe	32
PID 740 wrote to memory of 2828	740	svchcst.exe	32
PID 740 wrote to memory of 2828	740	svchcst.exe	32
PID 740 wrote to memory of 2828	740	svchcst.exe	32
PID 740 wrote to memory of 2512	740	svchcst.exe	33
PID 740 wrote to memory of 2512	740	svchcst.exe	33
PID 740 wrote to memory of 2512	740	svchcst.exe	33
PID 740 wrote to memory of 2512	740	svchcst.exe	33
PID 2512 wrote to memory of 2192	2512	WScript.exe	34
PID 2512 wrote to memory of 2192	2512	WScript.exe	34
PID 2512 wrote to memory of 2192	2512	WScript.exe	34
PID 2512 wrote to memory of 2192	2512	WScript.exe	34
PID 2828 wrote to memory of 2404	2828	WScript.exe	35
PID 2828 wrote to memory of 2404	2828	WScript.exe	35
PID 2828 wrote to memory of 2404	2828	WScript.exe	35
PID 2828 wrote to memory of 2404	2828	WScript.exe	35

C:\Users\Admin\AppData\Local\Temp\b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe
"C:\Users\Admin\AppData\Local\Temp\b4115fbe698ec78f6ed7814c72251d8af569422d930f172012f928355daaa138.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1176
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b64923d6b0b49b59a49f8a991b190468

SHA1
6938ad8f40c13e08db1e427f7db0d95f85c89eb0

SHA256
1c106c1a3de26609c7d9e3f5ad5bd4de00c6d94b907e2a5c13e3f3138bc60526

SHA512
7be78bf8b2443900fa10f156a2c61eff87f357aece7804383f9fe753e2f718785f7966173e46111cba5023eec4e62874c7d48975102f5e54beb48f1862c7cd7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f921967e656cb3392add8d6a3b914007

SHA1
d828031f44f8c54bb6cc6c569b7453c22b0ce8cb

SHA256
581112569a6ec397517c751d47a5a78e42943fe5d96a4e1ac792b1b2864c8880

SHA512
1630e0ece2a393e44d564b036366ff9175b1d95a9d8fb858c0b3fbb60886ae7deaa46235b16b358ecbbe887ae4f63578cd11849d54d2a70496171f8c4594163d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dc474c43d45e54206991f42dda4cf6f1

SHA1
16d366e2ea274fb0c8b63b07b8f520e3aaab8ee3

SHA256
938e6ce9756492be61a0083653b29bd4ca490367355b9ad731c18c15f3eb7588

SHA512
c7cf48fd3881168f5b35e1a44f7ce604691ae19f94ce885c88da7b3985cd30174547262d75e3292c2515efa81b228eed77a5b8b553a9d8022561fd96a4ba272a

Download Submit