c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60

Analysis

max time kernel
141s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe
Size

1.1MB
MD5

4acd69ee204daeb9d798de8a184fbb0e
SHA1

36f010700608ff701d76db6ce338e2d9158bd5bb
SHA256

c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60
SHA512

654265153c4aef0a6bc42a9796af41627fc22a99ad457479f8d81db25e534e99da0f63435bc77d670b09dbe01d61f4e5d703922b6ff19a57e00679e54505da3d
SSDEEP

24576:aH0dl8myX9BBT2QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qd:aCaClSFlG4ZM7QzM2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
448	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
448	svchcst.exe
4060	svchcst.exe
4552	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4296	c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe
4296	c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe
4296	c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe
4296	c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe
448	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4296	c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4296	c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe
4296	c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe
448	svchcst.exe
448	svchcst.exe
4060	svchcst.exe
4060	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 1884	4296	c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe	87
PID 4296 wrote to memory of 1884	4296	c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe	87
PID 4296 wrote to memory of 1884	4296	c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe	87
PID 1884 wrote to memory of 448	1884	WScript.exe	98
PID 1884 wrote to memory of 448	1884	WScript.exe	98
PID 1884 wrote to memory of 448	1884	WScript.exe	98
PID 448 wrote to memory of 1728	448	svchcst.exe	99
PID 448 wrote to memory of 1728	448	svchcst.exe	99
PID 448 wrote to memory of 1728	448	svchcst.exe	99
PID 448 wrote to memory of 3656	448	svchcst.exe	100
PID 448 wrote to memory of 3656	448	svchcst.exe	100
PID 448 wrote to memory of 3656	448	svchcst.exe	100
PID 3656 wrote to memory of 4060	3656	WScript.exe	102
PID 3656 wrote to memory of 4060	3656	WScript.exe	102
PID 3656 wrote to memory of 4060	3656	WScript.exe	102
PID 1728 wrote to memory of 4552	1728	WScript.exe	103
PID 1728 wrote to memory of 4552	1728	WScript.exe	103
PID 1728 wrote to memory of 4552	1728	WScript.exe	103

C:\Users\Admin\AppData\Local\Temp\c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe
"C:\Users\Admin\AppData\Local\Temp\c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4552
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3656
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
f9be903aac6bbf74e29ac54b19586ef5

SHA1
4d7c8fad29ee75c5056d37f7f13f87490e18beea

SHA256
f0b3fa02eea231c78fef36b792793c4ee5f7ef52b4dace29dd7b1f06f7619509

SHA512
1f942f7b84e7316ae57630ccd8261743ba8da0fe70e6ead12e90d57e109b74b400e7e7be0e03e67072d14da1a1700da752858b7cd1256d0511bfd45c2b27ffc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
81d26c0cee157d2f55ce6519b57efcd1

SHA1
7a15b768cca2d4175e925dd7e7dc11572a961d20

SHA256
8ff0ba90fa20a17f1078f72d4e92df3fe065ed02c9ad29dda8fa92df23a72a99

SHA512
a2cab7eb66bc7fe4af738acf59530654723502f8935e3e9ea3ce5f316c9ef2dade39724d657d7c6d83e3285ea49fc04b9591050b85c0c1d45d7fa5dffcccb75b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4c2c7e220f1d99823ea8416dfcf055cd

SHA1
d3b0f4b1bf5379e19e336692e14e3c621b403207

SHA256
d4e2c598e81c555b567edcc228ea478cf75dd33ef39447efc018a7ebba86d3eb

SHA512
be999f4a0d74d20d7e52f3f3107072033f56ea223cf060e18fd24b61a6fef5a4df68f934c691c9bfa40cef78dfc6225b80b83e2ea8a5b08a867fa70a9764eeaa

Download Submit
memory/448-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4060-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4060-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4296-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4296-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4552-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4552-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download