a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 21:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe
Size

1.1MB
MD5

5ea79538eb3fe4be756e953f36e0989d
SHA1

b6e04bb15dc6ac0b5c09ca39fa408c100d912b06
SHA256

a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11
SHA512

2faa1b5298a90d3f4a78b3cab4a1ddebff9baede156e2b65041c6c931b1504cbe9f2c8d4b47ab701b6297e32184cbd0db2830a9053780bfd96ac3b5024c07a03
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QD:CcaClSFlG4ZM7QzM0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2916	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2916	svchcst.exe
4480	svchcst.exe
4068	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4316	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe
4316	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4316	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4316	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe
4316	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe
2916	svchcst.exe
2916	svchcst.exe
4480	svchcst.exe
4480	svchcst.exe
4068	svchcst.exe
4068	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 3584	4316	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe	84
PID 4316 wrote to memory of 3584	4316	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe	84
PID 4316 wrote to memory of 3584	4316	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe	84
PID 3584 wrote to memory of 2916	3584	WScript.exe	88
PID 3584 wrote to memory of 2916	3584	WScript.exe	88
PID 3584 wrote to memory of 2916	3584	WScript.exe	88
PID 2916 wrote to memory of 3988	2916	svchcst.exe	90
PID 2916 wrote to memory of 3988	2916	svchcst.exe	90
PID 2916 wrote to memory of 3988	2916	svchcst.exe	90
PID 2916 wrote to memory of 3480	2916	svchcst.exe	89
PID 2916 wrote to memory of 3480	2916	svchcst.exe	89
PID 2916 wrote to memory of 3480	2916	svchcst.exe	89
PID 3988 wrote to memory of 4480	3988	WScript.exe	91
PID 3988 wrote to memory of 4480	3988	WScript.exe	91
PID 3988 wrote to memory of 4480	3988	WScript.exe	91
PID 3480 wrote to memory of 4068	3480	WScript.exe	92
PID 3480 wrote to memory of 4068	3480	WScript.exe	92
PID 3480 wrote to memory of 4068	3480	WScript.exe	92

C:\Users\Admin\AppData\Local\Temp\a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe
"C:\Users\Admin\AppData\Local\Temp\a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3480
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4068
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
52cc99099ac5454b4fe95afa20e64573

SHA1
42c55f8a53cd7d9c265c0a03b5fa9a6b8c4a5c21

SHA256
2c7fd5dcb07fff23c06d56e67d0be7d8418ff1bf39e87593785cec89c34d1dc8

SHA512
c424a305f4138f1cb76f7b596648247f3cd2c668000893da1514df8cfcf956daeb29511bb7a23dbbe1265bb5a3325697373e338171a54a54c4b6b30b58e9bb2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1975197f6b24e3e6a4e0061b2cc9c634

SHA1
f92de1ceca4dafb51f266b3d392ebb4d0c9fb708

SHA256
583408748650d17fabb38881dc925ee577be3302d9e3ab68a56be4d169941b4f

SHA512
02ee78f944d522b850f31ad4115ff733428eed7ecd7745d8f23e8a53ef2a7a36682a7ea65755a586a1b5b9e10885c62f9f0a422d743027bb8a2ae794052ea403

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d8ebc0fe707d8fa286bd3415de60aa61

SHA1
f6c69030de2b220c9049a45c6c4436f33b6f6e63

SHA256
2b43fcb6a447f288db40c6d0e75a0b719397afcfe918f7f93f05f04b30dce09b

SHA512
d407e3519c36bae5c4a4a2a636bc6850ffe5869bd97033e2485b48273c788ce85cc771f24080fd1bf04d12e1b8f46f5148b27d5ac7f4770c0181c77619e684a9

Download Submit
memory/4316-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download