4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a

Analysis

max time kernel
176s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
Size

1.1MB
MD5

edbfa105dc18df727be92f0a71b03ee7
SHA1

a66a1e280f698998870d8e85dc94445bb0cbbb0e
SHA256

4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a
SHA512

b8911e0ba8c5ba529d3f0260447823834ca1d3e1b332cb76bcad1a08aba2574f8cba12822778fd7d5ad32eba994bfde1748b99fba9c20728ea8ddec174d5975b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QL:CcaClSFlG4ZM7QzMc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3396	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2548	svchcst.exe
3396	svchcst.exe
3232	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
2548	svchcst.exe
3396	svchcst.exe
2548	svchcst.exe
3396	svchcst.exe
3232	svchcst.exe
3232	svchcst.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3508	2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	93
PID 2868 wrote to memory of 3508	2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	93
PID 2868 wrote to memory of 3508	2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	93
PID 2868 wrote to memory of 2972	2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	94
PID 2868 wrote to memory of 2972	2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	94
PID 2868 wrote to memory of 2972	2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	94
PID 2868 wrote to memory of 1356	2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	92
PID 2868 wrote to memory of 1356	2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	92
PID 2868 wrote to memory of 1356	2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	92
PID 2868 wrote to memory of 1200	2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	95
PID 2868 wrote to memory of 1200	2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	95
PID 2868 wrote to memory of 1200	2868	4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe	95
PID 1356 wrote to memory of 2548	1356	WScript.exe	100
PID 1356 wrote to memory of 2548	1356	WScript.exe	100
PID 1356 wrote to memory of 2548	1356	WScript.exe	100
PID 1200 wrote to memory of 3396	1200	WScript.exe	101
PID 1200 wrote to memory of 3396	1200	WScript.exe	101
PID 1200 wrote to memory of 3396	1200	WScript.exe	101
PID 2972 wrote to memory of 3232	2972	WScript.exe	102
PID 2972 wrote to memory of 3232	2972	WScript.exe	102
PID 2972 wrote to memory of 3232	2972	WScript.exe	102

C:\Users\Admin\AppData\Local\Temp\4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe
"C:\Users\Admin\AppData\Local\Temp\4a79f5fd12c68cdb090f9109fe7709629b8e2f7b5b56f15bab79284c91e3650a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2548
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3232
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
14c861043bf650f28ec070253b31fe07

SHA1
f09eeaa4d2b7f4ac76e270d750c9f7a2903a31e7

SHA256
5e4642211da4ab914634d3e9b9ef062b478705283f85fee82ebaebbc5fd66f10

SHA512
d4bdfc331483306d46acbd366c1cafae9095f4a6fdf1ea84f223c178248cbb6e53905e496e9e13766c365d8e55bdfbfab74195eeb9d50000419b7a22774c9f22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
768KB

MD5
526e42ceb90cee3740855700e1630005

SHA1
8d324ae778a428e4e3680880819a911cfc5b3c44

SHA256
ed29170b618125a491161058fa8f0d1528ba17e2cf855449267b7f8ff1ef0fdd

SHA512
1b27bccb3be0f4aa851d1348abbffcea513f7480254c0d9bba4924589ffcc7855144eb6cbc659a5e323e933a950bcf47a0257154324b00473b4f593a2c5ac232

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8d5faa295386e530aee056022ca8cc28

SHA1
801bbe36bc7d1e5d607b3f5785c43e2a27daca7c

SHA256
50b0ca3c491a5a9c1d004351405186469dfe0f20c46485ef6e4ff1673e355aa6

SHA512
96d0c21b4fa9eafb388449bc4c40a0ce7403625d8a390ad84a6f92bbf551e4bec8df003b1b26187e5c8094ab2395fea80599ce1e14874c070ad77702ef74df5c

Download Submit