9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 20:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
Size

1.1MB
MD5

9c3efe3fe4908dc207a26c4eafe31b09
SHA1

ac6d84d5bc5c13835df7acaeed94cbd46f6042ea
SHA256

9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b
SHA512

fd8125bd2d93987dd1add45aeb59ed2aa3255ccafd024bded9fedfba75342599e3f050e80e6d08169086611ec82fddf4eb88c5af4a81a41c633fdfa52e1c7174
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qm:CcaClSFlG4ZM7QzMt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchcst.exe

Executes dropped EXE 11 IoCs

pid	Process
4940	svchcst.exe
4760	svchcst.exe
3292	svchcst.exe
3300	svchcst.exe
2200	svchcst.exe
3980	svchcst.exe
2312	svchcst.exe
3504	svchcst.exe
1184	svchcst.exe
1164	svchcst.exe
3264	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
1184	svchcst.exe
1184	svchcst.exe
1184	svchcst.exe
1184	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
4760	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
3292	svchcst.exe
3292	svchcst.exe
4760	svchcst.exe
2200	svchcst.exe
2200	svchcst.exe
2312	svchcst.exe
2312	svchcst.exe
3980	svchcst.exe
3980	svchcst.exe
3504	svchcst.exe
3504	svchcst.exe
1184	svchcst.exe
1184	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
3264	svchcst.exe
3264	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2540	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	99
PID 824 wrote to memory of 2540	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	99
PID 824 wrote to memory of 2540	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	99
PID 824 wrote to memory of 2112	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	90
PID 824 wrote to memory of 2112	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	90
PID 824 wrote to memory of 2112	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	90
PID 824 wrote to memory of 4048	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	98
PID 824 wrote to memory of 4048	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	98
PID 824 wrote to memory of 4048	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	98
PID 824 wrote to memory of 3632	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	96
PID 824 wrote to memory of 3632	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	96
PID 824 wrote to memory of 3632	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	96
PID 824 wrote to memory of 692	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	97
PID 824 wrote to memory of 692	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	97
PID 824 wrote to memory of 692	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	97
PID 824 wrote to memory of 2660	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	95
PID 824 wrote to memory of 2660	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	95
PID 824 wrote to memory of 2660	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	95
PID 824 wrote to memory of 3876	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	94
PID 824 wrote to memory of 3876	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	94
PID 824 wrote to memory of 3876	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	94
PID 824 wrote to memory of 2104	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	93
PID 824 wrote to memory of 2104	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	93
PID 824 wrote to memory of 2104	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	93
PID 824 wrote to memory of 1100	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	91
PID 824 wrote to memory of 1100	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	91
PID 824 wrote to memory of 1100	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	91
PID 824 wrote to memory of 644	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	92
PID 824 wrote to memory of 644	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	92
PID 824 wrote to memory of 644	824	9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe	92
PID 2104 wrote to memory of 4940	2104	WScript.exe	101
PID 2104 wrote to memory of 4940	2104	WScript.exe	101
PID 2104 wrote to memory of 4940	2104	WScript.exe	101
PID 3632 wrote to memory of 4760	3632	WScript.exe	102
PID 3632 wrote to memory of 4760	3632	WScript.exe	102
PID 3632 wrote to memory of 4760	3632	WScript.exe	102
PID 4048 wrote to memory of 3292	4048	WScript.exe	103
PID 4048 wrote to memory of 3292	4048	WScript.exe	103
PID 4048 wrote to memory of 3292	4048	WScript.exe	103
PID 1100 wrote to memory of 3300	1100	WScript.exe	104
PID 1100 wrote to memory of 3300	1100	WScript.exe	104
PID 1100 wrote to memory of 3300	1100	WScript.exe	104
PID 3876 wrote to memory of 2200	3876	WScript.exe	105
PID 3876 wrote to memory of 2200	3876	WScript.exe	105
PID 3876 wrote to memory of 2200	3876	WScript.exe	105
PID 692 wrote to memory of 3980	692	WScript.exe	106
PID 692 wrote to memory of 3980	692	WScript.exe	106
PID 692 wrote to memory of 3980	692	WScript.exe	106
PID 644 wrote to memory of 2312	644	WScript.exe	107
PID 644 wrote to memory of 2312	644	WScript.exe	107
PID 644 wrote to memory of 2312	644	WScript.exe	107
PID 2660 wrote to memory of 3504	2660	WScript.exe	108
PID 2660 wrote to memory of 3504	2660	WScript.exe	108
PID 2660 wrote to memory of 3504	2660	WScript.exe	108
PID 2540 wrote to memory of 1184	2540	WScript.exe	109
PID 2540 wrote to memory of 1184	2540	WScript.exe	109
PID 2540 wrote to memory of 1184	2540	WScript.exe	109
PID 1184 wrote to memory of 4280	1184	svchcst.exe	110
PID 1184 wrote to memory of 4280	1184	svchcst.exe	110
PID 1184 wrote to memory of 4280	1184	svchcst.exe	110
PID 4280 wrote to memory of 1164	4280	WScript.exe	112
PID 4280 wrote to memory of 1164	4280	WScript.exe	112
PID 4280 wrote to memory of 1164	4280	WScript.exe	112
PID 4048 wrote to memory of 3264	4048	WScript.exe	113

C:\Users\Admin\AppData\Local\Temp\9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe
"C:\Users\Admin\AppData\Local\Temp\9a24ef5fab79ae82e1cd43f109373d2aa9057c66e5a2657598db7f10d46ad63b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    PID:3300
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2312
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4940
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2200
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4760
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3292
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3264
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4540f54fba6cdff6e552b8cd03952b65

SHA1
130038ec1e8ca18a0038e4ab8eb715c37506ad1e

SHA256
af3a5c10f16cc7ca6c27dc679f014a4cd5564021841c97e19a0072e9d6b5d468

SHA512
86527d27a367d2d9492f6f236418d2686f8d561f2b586d215d4e2d704a395f750000531baacb280aa2c632e6dd1b43ce011b5dcb8ec75d65dcccec4c5aea3df6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9d9867376c8284245aea97643987cadf

SHA1
fe6a7bd23577feb841e3cbeae6aebd38a742b0a5

SHA256
b31c91bdbe14673b004567163ddea094dd6bd903f62c5a57c3b3f79268021fb4

SHA512
2dc179cf9f71aae049072f62e06951537e38c6070d79d98aaaa94d2b1b53edd6550f6d1c61a2ffc117ed53791689b59c50826bb506cf22cb01235da522d623a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d6fab720e72bb20a1811b1a63598f0d3

SHA1
117d17b5d407d1ce4cf68051f175f54d677f7877

SHA256
a457c2d67d5048c2d9e3b24a7f3a5189d3cfa90340f6ecd3c283de56a7c6c852

SHA512
0849ddf6bbabd2c454804885d27bd1b6f2feb825f0c765cba1701164637d21799897f38133e039a2a16711311756baf2e3c02b25a2a3324d72889ffec8e1f62d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a872d220446267c1f62581e32bb9be98

SHA1
766c537174955d987a954154fe934aeec066c948

SHA256
7444624ca205301c9872da4898fc4f33207c0477883f77cbf148619948458c8b

SHA512
b8daa5ee301696193b5889d22e1134aa6f64c0868a9481a4bcfd3cd8d30af57d50e270c33474e73c8d902a366542c1724489b487823ee48e14e2cd4df8aabe55

Download Submit