9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe
Size

1.1MB
MD5

0231e1676624af500f811a5cb0ed2ad8
SHA1

b2966bef2e46a3eb09df5b0c48754ca6fc0cac5c
SHA256

9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0
SHA512

19263682553e6404500cf7965bb1f1cb95b731c61d71794668c6f0f2121f2d2ff9726138d1b2ee92ab15315cb070850b567042e917eb74297904e08baabfb2ab
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRc:g5ApamAUAQ/lG4lBmFAvZc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe

Deletes itself 1 IoCs

pid	Process
2776	svchcst.exe

Executes dropped EXE 8 IoCs

pid	Process
2776	svchcst.exe
2212	svchcst.exe
756	svchcst.exe
60	svchcst.exe
2668	svchcst.exe
4624	svchcst.exe
824	svchcst.exe
3796	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5056	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe
5056	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5056	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
5056	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe
5056	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe
2776	svchcst.exe
2776	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
756	svchcst.exe
756	svchcst.exe
60	svchcst.exe
60	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
4624	svchcst.exe
4624	svchcst.exe
824	svchcst.exe
824	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 1188	5056	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe	87
PID 5056 wrote to memory of 1188	5056	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe	87
PID 5056 wrote to memory of 1188	5056	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe	87
PID 1188 wrote to memory of 2776	1188	WScript.exe	97
PID 1188 wrote to memory of 2776	1188	WScript.exe	97
PID 1188 wrote to memory of 2776	1188	WScript.exe	97
PID 2776 wrote to memory of 3924	2776	svchcst.exe	98
PID 2776 wrote to memory of 3924	2776	svchcst.exe	98
PID 2776 wrote to memory of 3924	2776	svchcst.exe	98
PID 2776 wrote to memory of 1520	2776	svchcst.exe	99
PID 2776 wrote to memory of 1520	2776	svchcst.exe	99
PID 2776 wrote to memory of 1520	2776	svchcst.exe	99
PID 3924 wrote to memory of 2212	3924	WScript.exe	102
PID 3924 wrote to memory of 2212	3924	WScript.exe	102
PID 3924 wrote to memory of 2212	3924	WScript.exe	102
PID 2212 wrote to memory of 4452	2212	svchcst.exe	104
PID 2212 wrote to memory of 4452	2212	svchcst.exe	104
PID 2212 wrote to memory of 4452	2212	svchcst.exe	104
PID 2212 wrote to memory of 2156	2212	svchcst.exe	103
PID 2212 wrote to memory of 2156	2212	svchcst.exe	103
PID 2212 wrote to memory of 2156	2212	svchcst.exe	103
PID 4452 wrote to memory of 60	4452	WScript.exe	106
PID 4452 wrote to memory of 60	4452	WScript.exe	106
PID 4452 wrote to memory of 60	4452	WScript.exe	106
PID 4452 wrote to memory of 2668	4452	WScript.exe	107
PID 4452 wrote to memory of 2668	4452	WScript.exe	107
PID 4452 wrote to memory of 2668	4452	WScript.exe	107
PID 2668 wrote to memory of 3900	2668	svchcst.exe	108
PID 2668 wrote to memory of 3900	2668	svchcst.exe	108
PID 2668 wrote to memory of 3900	2668	svchcst.exe	108
PID 4452 wrote to memory of 4624	4452	WScript.exe	109
PID 4452 wrote to memory of 4624	4452	WScript.exe	109
PID 4452 wrote to memory of 4624	4452	WScript.exe	109
PID 4624 wrote to memory of 4320	4624	svchcst.exe	110
PID 4624 wrote to memory of 4320	4624	svchcst.exe	110
PID 4624 wrote to memory of 4320	4624	svchcst.exe	110
PID 4624 wrote to memory of 4176	4624	svchcst.exe	111
PID 4624 wrote to memory of 4176	4624	svchcst.exe	111
PID 4624 wrote to memory of 4176	4624	svchcst.exe	111
PID 4176 wrote to memory of 824	4176	WScript.exe	114
PID 4176 wrote to memory of 824	4176	WScript.exe	114
PID 4176 wrote to memory of 824	4176	WScript.exe	114
PID 4320 wrote to memory of 3796	4320	WScript.exe	113
PID 4320 wrote to memory of 3796	4320	WScript.exe	113
PID 4320 wrote to memory of 3796	4320	WScript.exe	113

C:\Users\Admin\AppData\Local\Temp\9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe
"C:\Users\Admin\AppData\Local\Temp\9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:756
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:60
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:824
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
919b5e128d35aad96b80a111572a165a

SHA1
e55a78e0c6c6ca6aa57667d6489698e46154a6df

SHA256
8610324d71788acfd4d0724117b6edec9a503c2b7a6f4a3b68186a0187f9d5d7

SHA512
7820d7beb567ac0f1480f635c0130550a1ae0a6d63beda40a81cdd03cc10974613d22bce9da78310880674057f38503b39829fab5c4aaa87849796c18d07f14d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
98328aa8ad181fbf0b87edfc21155dce

SHA1
3ca100ca64d5f62a5dceef47f414c0953fd4f559

SHA256
a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

SHA512
75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0d7287608e57c918d75f595179c5fa29

SHA1
d16c5add83d14855a0d674ca2d287ef0233e7062

SHA256
539b077eb4ef610403f7c3cdec3fd11482b2a0c4f3c254c2e8f6f2a51905c9d1

SHA512
0050624a5937e196a1e7d08318d9a499ea706cf8023bf7c6b1ba42a671e98e202ab83723740e9aab99bd6c17c3895ca1f2b17f6e94dd81d1d01c064b997c8bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b665c9bf1055b45502f20b67d3aa05eb

SHA1
d14b19c18093c46b174377e59f70fecb0b5eaee1

SHA256
fedaddf59e1ca8c6b071e8778bad1f6b3c62039e1e23b2315d3f351807f9f8b0

SHA512
f37374d5a03154025a39a109251ef4b35b5b1da0a5efa9cee1344f61e4e3f777a4c59dd870df1e8b8dab95c02de5135dd798200ce2a22035b0e33a58754966d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7041c6b97f95e0e643e7e65ed712f47b

SHA1
1c92ae5f3a53ca67d0c53b6e9126950169201671

SHA256
d97d020036d92d406ad5905860dc773b979caf77de3e354dea4b84783f2be0d5

SHA512
962c79d8ca49d23d3f1767236771d67f5289979f2f5b4854f85819077e3a36a4c049b0b270d23bf91ff84a7513df6a3f1b63bd9c2295750e59af482733c2d654

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
485f8ade1f0b1a9b71ea1297e082048a

SHA1
fd7d07a7ab3c1ebab14dca34e8f579b3fb27e562

SHA256
dece36d80f83aafbade39c3181c074ac298bc239ba78adbe5d92d6809abfa309

SHA512
ccfb21ad3c80e927b7c0a41c5ef8bde2ee4528151ffc258eae3f1d0b64324a792fc9534a7f1d98c3eab0eb667eff0abfc6e93d45eff4bd6ad0d439b3bd5db920

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2010d33e9fe010bb7c6e99856175ae51

SHA1
62f3bee7ed47579e4dea055c4663087940cbbf92

SHA256
8be714a76e628fded60afc7cc5a53f73f189893914ed0deabe2b626facc1eab6

SHA512
4a0b74fd7fe0ec521d815e55b3cba2da033fd2c7bd5ef6021d8e24cb31358e68bff338e75fd43c2faa92d3a0cfa4c69f4fb65b21bcc422d0a58b89be6a393901

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cb751270dda23a48a5b6ce8fa8f073a8

SHA1
23df84ded2e77852951333c7c0ebf3634fc8910e

SHA256
acc1d052569f3058d351d6a83ee1f7c8dd208e358213bb313874c56fc7ef80c7

SHA512
1882a1a18e7334a291348cbd763a87fa1cd5e8fd15cab84c586e17723c587979bd7af5b9e9efc88003ecadf60edfa8a5d19ce6f65b97f8057c481cfe09045829

Download Submit