107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe
Size

1.1MB
MD5

1b3f9301cdb88c64499bdfcaa186bcd9
SHA1

0cc86359a5f8c18bcc5adffb7fae98567bd6f7c1
SHA256

107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6
SHA512

1ce39bc6aa6771428b4f9f367bbd35f7a22e33f1fe4c2405b8927a9ba79dd798ee75e4488dc33d8961725f7b2642f6b46755b469cc83fc1ca3765e29dd9e8613
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q5:CcaClSFlG4ZM7QzMq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1588	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1588	svchcst.exe
1004	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe
4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe
4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe
4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe
4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe
1588	svchcst.exe
1588	svchcst.exe
1004	svchcst.exe
1004	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 2304	4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe	85
PID 4952 wrote to memory of 2304	4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe	85
PID 4952 wrote to memory of 2304	4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe	85
PID 4952 wrote to memory of 4392	4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe	86
PID 4952 wrote to memory of 4392	4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe	86
PID 4952 wrote to memory of 4392	4952	107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe	86
PID 2304 wrote to memory of 1004	2304	WScript.exe	92
PID 2304 wrote to memory of 1004	2304	WScript.exe	92
PID 2304 wrote to memory of 1004	2304	WScript.exe	92
PID 4392 wrote to memory of 1588	4392	WScript.exe	93
PID 4392 wrote to memory of 1588	4392	WScript.exe	93
PID 4392 wrote to memory of 1588	4392	WScript.exe	93

C:\Users\Admin\AppData\Local\Temp\107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe
"C:\Users\Admin\AppData\Local\Temp\107df80017fc551a1a27f11f054b4e8a76cc73532064ca512a19c07f56e0aeb6.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a289b3cbf5be5de2c3703310fe6fbd39

SHA1
7b9ec2b45c11739fead72fafb686827f50996ea5

SHA256
f443ddefab216fe1cd289995c64b6f12de86bb75a3aa0aed862216870e0dcb57

SHA512
43f713b08f3ec9c02fce995b45bfa278cded74c4e1c90b20864a52af4a88e157b5119012a7e346d5e55517e95f1d282fa26f7a356bd5709191e08c6e10d8b2a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f6ed18ae5be78b6eacb99cdf8321b10f

SHA1
06a6d1a4a1846c8fa4025b86816c61a65067d106

SHA256
29a0ef00ca56157d2d6fc6c1d38e502364b1abb3293ff0e9756112dda8dec186

SHA512
dbbbcc736f79901007d49102a2a7a65d0a7c86afe47286a5a11cfd204fb1b7cdc5c20c256b527ea063d591fc526459ee3329e53e3f267c08ba956d1a46fd83c3

Download Submit