3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625

Analysis

max time kernel
94s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
Size

1.1MB
MD5

b181e1e0dadc34795bd14e23726ff86f
SHA1

729104c13ede6b6de7a49ed27b2d6b30c9081f10
SHA256

3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625
SHA512

fb9da33486521ee96fa422c6b46d47bbd13c554791bb012ddaedf21a598011a80d51b5a9a38148e3dfb600112960e2f966f0bbe41eb68d5a5103d2712766fb86
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QL:CcaClSFlG4ZM7QzMc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
716	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
716	svchcst.exe
4052	svchcst.exe
3816	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
2952	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe
716	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2952	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2952	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
2952	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
716	svchcst.exe
716	svchcst.exe
4052	svchcst.exe
4052	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1380	2952	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe	89
PID 2952 wrote to memory of 1380	2952	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe	89
PID 2952 wrote to memory of 1380	2952	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe	89
PID 1380 wrote to memory of 716	1380	WScript.exe	95
PID 1380 wrote to memory of 716	1380	WScript.exe	95
PID 1380 wrote to memory of 716	1380	WScript.exe	95
PID 716 wrote to memory of 1676	716	svchcst.exe	96
PID 716 wrote to memory of 1676	716	svchcst.exe	96
PID 716 wrote to memory of 1676	716	svchcst.exe	96
PID 716 wrote to memory of 4476	716	svchcst.exe	97
PID 716 wrote to memory of 4476	716	svchcst.exe	97
PID 716 wrote to memory of 4476	716	svchcst.exe	97
PID 1676 wrote to memory of 4052	1676	WScript.exe	100
PID 1676 wrote to memory of 4052	1676	WScript.exe	100
PID 1676 wrote to memory of 4052	1676	WScript.exe	100
PID 4476 wrote to memory of 3816	4476	WScript.exe	101
PID 4476 wrote to memory of 3816	4476	WScript.exe	101
PID 4476 wrote to memory of 3816	4476	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
"C:\Users\Admin\AppData\Local\Temp\3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4052
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ea96fa6df82ad8cab1b6d655bd096a68

SHA1
cf8818bb54bcbbef01b2ca0c22417b31ec7a3ce7

SHA256
df12852148325334a018ce8e9d4905321c302643403535a717e114c3b66196e9

SHA512
18e0c4d20704af06bb9a0cba253100f0832c00fd02f604d400c547f7d6d8454cce71b7366bc930560b0c579859c250afe2ca8b1d0491bc705d9a2fea78e06a28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
edefa4c5480c8685164e404d87cb1389

SHA1
d7332ae56ef6ad186500e501eef0539b730f5c49

SHA256
5955a0126135a94d9a6c93315d18fdcefec933a9ded21cadc65b6bf9769a085b

SHA512
2dda596d73a975ea7eadd8b00f7dfe3549dee03af7b83171883718f4933823a92cd541116020bcfee4ba67ac71c59bef12579405624fa644e85a20ff3d3e0e56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f27439b1d5ffb33c8d4c26e688cc60ff

SHA1
61c7cd5004e22b63b6d29cb266a00f0c4543b18b

SHA256
7c5032667039c764ab5e3f3ad35419c289aea2e75e75e7fb006af268e27ecdf9

SHA512
0da1fdbdfe94f25d655595d43a73013b7ca939a33ab8ded6e476a77bcd08621c38109705772f27d8f75a233f18162bfabee6a3beb213262e7ebaf3ef78587c14

Download Submit