4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-03-2024 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
Size

1.1MB
MD5

edbfa105dc18df727be92f0a71b03ee7
SHA1

a66a1e280f698998870d8e85dc94445bb0cbbb0e
SHA256

4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a
SHA512

b8911e0ba8c5ba529d3f0260447823834ca1d3e1b332cb76bcad1a08aba2574f8cba12822778fd7d5ad32eba994bfde1748b99fba9c20728ea8ddec174d5975b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QL:CcaClSFlG4ZM7QzMc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2916	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2916	svchcst.exe
1992	svchcst.exe
796	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2516	WScript.exe
2516	WScript.exe
1896	WScript.exe
1588	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
1992	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
2916	svchcst.exe
2916	svchcst.exe
1992	svchcst.exe
1992	svchcst.exe
796	svchcst.exe
796	svchcst.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2516	1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	28
PID 1220 wrote to memory of 2516	1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	28
PID 1220 wrote to memory of 2516	1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	28
PID 1220 wrote to memory of 2516	1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	28
PID 1220 wrote to memory of 2536	1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	29
PID 1220 wrote to memory of 2536	1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	29
PID 1220 wrote to memory of 2536	1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	29
PID 1220 wrote to memory of 2536	1220	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	29
PID 2516 wrote to memory of 2916	2516	WScript.exe	31
PID 2516 wrote to memory of 2916	2516	WScript.exe	31
PID 2516 wrote to memory of 2916	2516	WScript.exe	31
PID 2516 wrote to memory of 2916	2516	WScript.exe	31
PID 2916 wrote to memory of 1896	2916	svchcst.exe	32
PID 2916 wrote to memory of 1896	2916	svchcst.exe	32
PID 2916 wrote to memory of 1896	2916	svchcst.exe	32
PID 2916 wrote to memory of 1896	2916	svchcst.exe	32
PID 2916 wrote to memory of 1588	2916	svchcst.exe	33
PID 2916 wrote to memory of 1588	2916	svchcst.exe	33
PID 2916 wrote to memory of 1588	2916	svchcst.exe	33
PID 2916 wrote to memory of 1588	2916	svchcst.exe	33
PID 1896 wrote to memory of 1992	1896	WScript.exe	34
PID 1896 wrote to memory of 1992	1896	WScript.exe	34
PID 1896 wrote to memory of 1992	1896	WScript.exe	34
PID 1896 wrote to memory of 1992	1896	WScript.exe	34
PID 1588 wrote to memory of 796	1588	WScript.exe	35
PID 1588 wrote to memory of 796	1588	WScript.exe	35
PID 1588 wrote to memory of 796	1588	WScript.exe	35
PID 1588 wrote to memory of 796	1588	WScript.exe	35

C:\Users\Admin\AppData\Local\Temp\4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
"C:\Users\Admin\AppData\Local\Temp\4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1992
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
81c54d5222fa08de808639f7614b62f5

SHA1
99b162048db57802f0f69a9e7d4fc0cadca80096

SHA256
a833fc64becc398dd38899974b0b4ffe658ba07a7c9e1cf0bb0ac69895793b0a

SHA512
93230934850fb1fe20693c7ce83f414c809c1c7d9abba4f74f934aeb5e98a312665c3263a914dbe0cd917f58ac70d7d44c622b11e6df7562235481bfab58908c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bf8c66bc238068346f8bc94f6763b894

SHA1
43019b1b9d3d7e90719747856103a1af12d024ef

SHA256
de7fa3ae16d70f789b4d0aa427b017215cdb51f141038688ca5ba2cbb4060b5d

SHA512
a5d2d1662be29ceebb5d9441b537804722646c7ee3974d89d87bb37d1563bdbcac709f29e3251cf9d45845bdedd518bca99e203102b5c7f0e3657eca406277c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
51648491e56fd6fc05bef843a14f8bd8

SHA1
8579b2a3bf3ce57a8ca382737c4cc743c7d6a080

SHA256
c10595cfea97b44de8e897b3efba2d2ca791d621a1719bedc9f1217cd32cd94c

SHA512
241dacdfa4e37bd3cc94f39a2ef422c2ce79da0726158c42b5b20c12e72bac896be824fb92f57e9ea2cd97d4c28273494257e579860f9071ba6ded035c7a9cdd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
274KB

MD5
c8a7f27d94cabe3885e0edf64c0f78a5

SHA1
b00f44d0b6000d4617641066d7cab323c6ce2784

SHA256
0642f59dc898edc12f9ad37f451e07d657e54acf007d9ffa9802cbd9182ba19c

SHA512
a0714b9cb86fbd39413470d15025f95c71e885cb9250dff3902923fe7350956150fcbebc88daa8c8f73da0d763580380a8653b08676da3dcc86ffb461922f837

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
256KB

MD5
dd4d1ac7482d168c572bf55166de1967

SHA1
436af56677faa4439eaef26c1197d6958ff22186

SHA256
db8ead3eeaa02bc3ae12f60f11a5618221cb57d12c1a606611709cbe09a83dc8

SHA512
4822f5ff93c077814656df98171c05b9e6af16ae2e394ab7f9b830abbec0c4a5d32f7fd4005e2f9a2565e815c316cedc063c34bd21299fc114519667d51df5e9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
352KB

MD5
19dbe0d8f2d1b434d0367b058956afa1

SHA1
431888426cf00ab570ca4adfd2dff3cb2cef5031

SHA256
acff5676ea66881e568f9c89a92cb96df2a5555949d5e1dc46c5742a5f4e8147

SHA512
91a660f0bfd6c1de2248cb1be0a6df962b6dc4c839b16a79012c993fb8c8d46bc50e9b3b4fb6353eff961481ccb9c9b91eebc2a7f21a595fb87f2e58ad70dcf5

Download Submit
memory/1220-4-0x0000000003FF0000-0x0000000004060000-memory.dmp

Filesize
448KB

Download