077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe
Size

1.1MB
MD5

7cf70253aec73cf13823cb19583591da
SHA1

3aa20d7b470ef407b1476613cc8ce4379a70b638
SHA256

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831
SHA512

a243b73c1debedfd1e2ce2669c7c9b1935e75e031fbacf31e2e9855149f615c5bddd2a3080bac86a71bfa5145ba6ac639ec217f3ef543b50114bab59e4da8de5
SSDEEP

24576:aH0dl8myX9BgT2QoXFkrzkmmlSgRZbo0lG4Z8r7Qfbkiu5Qz:a1aClSQlG4ZM7QzMQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2724 svchcst.exe

Executes dropped EXE 24 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2724	svchcst.exe
2704	svchcst.exe
1312	svchcst.exe
2204	svchcst.exe
2816	svchcst.exe
2188	svchcst.exe
2248	svchcst.exe
2720	svchcst.exe
2620	svchcst.exe
2016	svchcst.exe
1352	svchcst.exe
2552	svchcst.exe
604	svchcst.exe
2348	svchcst.exe
892	svchcst.exe
1988	svchcst.exe
2968	svchcst.exe
2428	svchcst.exe
2364	svchcst.exe
2820	svchcst.exe
2932	svchcst.exe
1724	svchcst.exe
804	svchcst.exe
2252	svchcst.exe

Loads dropped DLL 42 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
3056	WScript.exe
3056	WScript.exe
2504	WScript.exe
2504	WScript.exe
1776	WScript.exe
1776	WScript.exe
1228	WScript.exe
1624	WScript.exe
1624	WScript.exe
1624	WScript.exe
1576	WScript.exe
1608	WScript.exe
1608	WScript.exe
2576	WScript.exe
1492	WScript.exe
1492	WScript.exe
2796	WScript.exe
2796	WScript.exe
2204	WScript.exe
2204	WScript.exe
1464	WScript.exe
1464	WScript.exe
284	WScript.exe
284	WScript.exe
1428	WScript.exe
1428	WScript.exe
300	WScript.exe
300	WScript.exe
2556	WScript.exe
2556	WScript.exe
904	WScript.exe
904	WScript.exe
2808	WScript.exe
2808	WScript.exe
2644	WScript.exe
2644	WScript.exe
1016	WScript.exe
1016	WScript.exe
2328	WScript.exe
2328	WScript.exe
1712	WScript.exe
1712	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exesvchcst.exesvchcst.exe

pid	process
1860	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe

pid process

1860 077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe

Suspicious use of SetWindowsHookEx 50 IoCs

Processes:

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
1860	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe
1860	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe
2724	svchcst.exe
2724	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe
1312	svchcst.exe
1312	svchcst.exe
2204	svchcst.exe
2204	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2188	svchcst.exe
2188	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
1352	svchcst.exe
1352	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
604	svchcst.exe
604	svchcst.exe
2348	svchcst.exe
2348	svchcst.exe
892	svchcst.exe
892	svchcst.exe
1988	svchcst.exe
1988	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2364	svchcst.exe
2364	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
804	svchcst.exe
804	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 1860 wrote to memory of 3056	1860	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe	WScript.exe
PID 1860 wrote to memory of 3056	1860	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe	WScript.exe
PID 1860 wrote to memory of 3056	1860	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe	WScript.exe
PID 1860 wrote to memory of 3056	1860	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe	WScript.exe
PID 3056 wrote to memory of 2724	3056	WScript.exe	svchcst.exe
PID 3056 wrote to memory of 2724	3056	WScript.exe	svchcst.exe
PID 3056 wrote to memory of 2724	3056	WScript.exe	svchcst.exe
PID 3056 wrote to memory of 2724	3056	WScript.exe	svchcst.exe
PID 2724 wrote to memory of 2504	2724	svchcst.exe	WScript.exe
PID 2724 wrote to memory of 2504	2724	svchcst.exe	WScript.exe
PID 2724 wrote to memory of 2504	2724	svchcst.exe	WScript.exe
PID 2724 wrote to memory of 2504	2724	svchcst.exe	WScript.exe
PID 2504 wrote to memory of 2704	2504	WScript.exe	svchcst.exe
PID 2504 wrote to memory of 2704	2504	WScript.exe	svchcst.exe
PID 2504 wrote to memory of 2704	2504	WScript.exe	svchcst.exe
PID 2504 wrote to memory of 2704	2504	WScript.exe	svchcst.exe
PID 2704 wrote to memory of 1776	2704	svchcst.exe	WScript.exe
PID 2704 wrote to memory of 1776	2704	svchcst.exe	WScript.exe
PID 2704 wrote to memory of 1776	2704	svchcst.exe	WScript.exe
PID 2704 wrote to memory of 1776	2704	svchcst.exe	WScript.exe
PID 1776 wrote to memory of 1312	1776	WScript.exe	svchcst.exe
PID 1776 wrote to memory of 1312	1776	WScript.exe	svchcst.exe
PID 1776 wrote to memory of 1312	1776	WScript.exe	svchcst.exe
PID 1776 wrote to memory of 1312	1776	WScript.exe	svchcst.exe
PID 1312 wrote to memory of 1228	1312	svchcst.exe	WScript.exe
PID 1312 wrote to memory of 1228	1312	svchcst.exe	WScript.exe
PID 1312 wrote to memory of 1228	1312	svchcst.exe	WScript.exe
PID 1312 wrote to memory of 1228	1312	svchcst.exe	WScript.exe
PID 1228 wrote to memory of 2204	1228	WScript.exe	svchcst.exe
PID 1228 wrote to memory of 2204	1228	WScript.exe	svchcst.exe
PID 1228 wrote to memory of 2204	1228	WScript.exe	svchcst.exe
PID 1228 wrote to memory of 2204	1228	WScript.exe	svchcst.exe
PID 2204 wrote to memory of 1624	2204	svchcst.exe	WScript.exe
PID 2204 wrote to memory of 1624	2204	svchcst.exe	WScript.exe
PID 2204 wrote to memory of 1624	2204	svchcst.exe	WScript.exe
PID 2204 wrote to memory of 1624	2204	svchcst.exe	WScript.exe
PID 1624 wrote to memory of 2816	1624	WScript.exe	svchcst.exe
PID 1624 wrote to memory of 2816	1624	WScript.exe	svchcst.exe
PID 1624 wrote to memory of 2816	1624	WScript.exe	svchcst.exe
PID 1624 wrote to memory of 2816	1624	WScript.exe	svchcst.exe
PID 2816 wrote to memory of 984	2816	svchcst.exe	WScript.exe
PID 2816 wrote to memory of 984	2816	svchcst.exe	WScript.exe
PID 2816 wrote to memory of 984	2816	svchcst.exe	WScript.exe
PID 2816 wrote to memory of 984	2816	svchcst.exe	WScript.exe
PID 1624 wrote to memory of 2188	1624	WScript.exe	svchcst.exe
PID 1624 wrote to memory of 2188	1624	WScript.exe	svchcst.exe
PID 1624 wrote to memory of 2188	1624	WScript.exe	svchcst.exe
PID 1624 wrote to memory of 2188	1624	WScript.exe	svchcst.exe
PID 2188 wrote to memory of 1576	2188	svchcst.exe	WScript.exe
PID 2188 wrote to memory of 1576	2188	svchcst.exe	WScript.exe
PID 2188 wrote to memory of 1576	2188	svchcst.exe	WScript.exe
PID 2188 wrote to memory of 1576	2188	svchcst.exe	WScript.exe
PID 1576 wrote to memory of 2248	1576	WScript.exe	svchcst.exe
PID 1576 wrote to memory of 2248	1576	WScript.exe	svchcst.exe
PID 1576 wrote to memory of 2248	1576	WScript.exe	svchcst.exe
PID 1576 wrote to memory of 2248	1576	WScript.exe	svchcst.exe
PID 2248 wrote to memory of 1608	2248	svchcst.exe	WScript.exe
PID 2248 wrote to memory of 1608	2248	svchcst.exe	WScript.exe
PID 2248 wrote to memory of 1608	2248	svchcst.exe	WScript.exe
PID 2248 wrote to memory of 1608	2248	svchcst.exe	WScript.exe
PID 1608 wrote to memory of 2720	1608	WScript.exe	svchcst.exe
PID 1608 wrote to memory of 2720	1608	WScript.exe	svchcst.exe
PID 1608 wrote to memory of 2720	1608	WScript.exe	svchcst.exe
PID 1608 wrote to memory of 2720	1608	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe
"C:\Users\Admin\AppData\Local\Temp\077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
PID:984

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
PID:2264

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2620

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:2576

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:1492

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:2796

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:2204

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:604

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:1464

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:284

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:892

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:1428

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:300

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2556

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:904

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:2808

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:2644

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
- Loads dropped DLL
PID:1016

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
- Loads dropped DLL
PID:2328

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
44⤵
- Loads dropped DLL
PID:1712

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
46⤵
PID:2248

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
2551ae733b39ac9061a9d5ebd2f29d98

SHA1
08247d27dd5bf959db0b29d3e5b0551dc47c9d02

SHA256
c69ee4a632cc1c351d5fa930d42546923a4125e7d9cbccb2ad9f9e3318be2b77

SHA512
a1c669cb87194c2b496a7131f7f2920b6c31156f88d6c1140e79f3b83fbca3785cd57fea2d47cb951ed576e69a1240e81746a5bc5444e65fd05fa5234125731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
e0e0a1f6d22e3905753a9c1ed053cbff

SHA1
52c11b8049f4015d7825fc1fcbd0d5eadb29a6e4

SHA256
2eca9ba67f160c00268003e7239f9cfc5da0f10b6a0b3c82538ef2a0874b871d

SHA512
3eb98287cc8115cb648626272eaa6cc77cb57fcd614f0e969d3af3977a8e09e0f7f6f3ee6ef9322e096bf0cec546f681a6983030a10e972b538d42e2bd17740c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
f9749c13b20bc60748c3f72c2cf20740

SHA1
227698fcf7919e5c66d91e4e0fd51a5d54ffcd6e

SHA256
2ea51d4fb5a6022d3cf66550189fa271c025d8fabd55cc24025d12e600b70594

SHA512
541c5d5e8187257adb03505430c87bd364bec53487b373ecf4f91aee21dcecc746a4855ca0ee72fbfddcf34e52fe2453770ae66183b308d6b45a0f37342e44d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
587d350622177af6a3db3460be60b421

SHA1
6345b2b5784219a6b74ecc9f478b766cec51fd53

SHA256
6be76c9f27f0c68101d760ad4a0e431808595f829978ef41cfcea3f662cd63da

SHA512
03747ed1957f239ad3150723ad4a19d4fba2c3daaab3e49cc65995d6b4cd842be454b6b18aad9abfb75bd55c1c1c833cd945b96edf5a0c522366851a034cbf68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
ecbdd991dfe426f742e2f313b6037e53

SHA1
6d0309fe237e4ef253d367cad3b6b5a6e205e677

SHA256
ff57a28a88e948f6ec2e358ccda88295c79721d25ad74acfd28d49143a826f65

SHA512
e6be0a1315cd45837c818d94e9cc31311399ac9c43000b49d613c43b319bb84cd6cbe4e4097839bac840fd0d47d4ccc67b6c639107ccf8090d67e448f9383c98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
5bbe4d5f22ab8e21d35b5b55b9de7d29

SHA1
c64607848ee8d74b4b65c91ddd464af5bac9c486

SHA256
673243421c734717465d45b947e921f83b6f67579ef06c456538f4790add8a87

SHA512
f8954c94aa3185358ea533e4ae212d7d3803190ff70e75432972ea9c70552e5e0af60b22894382dd498cd530b832f25883194db5fd80a86feef47392cd4cf28d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
23ba7387b8822278fc6ce56d32eed5ac

SHA1
cf52f208beb80b45bf412a95e9b44146af7670da

SHA256
daaaf597f8afcd8909a7186e7f9f5ce02cb1cfaee3a7e597fa5fcde1fd26715d

SHA512
07c84ae86a251fbfc42438a800386ca0938f448c6ccf6528db09613d545e3a1479ae0afa6ddfbf919b8096c442854f683d491beb45dd7b76e50d8a749917b3bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
a8a4d66568c97622ae65558a03aaf1b0

SHA1
448366ee18ee727688bef5c243304a59d3e440c6

SHA256
cc7e06eef7d9728f87d1b7090b4aad0b0c70fb0f00e2b024b8de06bb1a3cbe0e

SHA512
54a553a95adf5ffd2207f5f49d40e690543fd7ecfc0b6c50c69076635ab51bb7e077c4353f2b65c84a27f4cca25d914997d5cdff99169fa0cf24d17abc4ba353

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
5fe5307b0af0accd4d1e97e085910286

SHA1
8fe8346edb0b026461f4e980b5bf9529b4329166

SHA256
3ec89360ebb2c0fe7f86ae6fc5cd5c2acb181b520cbe187aba70d7b8b222ba39

SHA512
1ce9fda403df994e056fad25241d859f472ce352a2bb543419ceca9a3006746aaa315548efd114aaf257e769693a79b16f82240ce75b62b85fc1017550bbaddf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
e7198ddfaf72cb6cd2137552fa6cb5d8

SHA1
8f64aa43f2aa153227d0fd3c9bfbd6a21f535cc2

SHA256
9d3075b8706f28ac3fcd75370a0f355cd39da0eec5b8920332663b241181efb5

SHA512
37cbee7639b6ef04f46e597d302b2cf2031644df5efeed68b2c8b2f768b91bf0304da24ad1651dcc1759ad5b221689c192e1c4982f3b935425cb7eea13055a45

Download Submit
memory/604-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/804-252-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/804-259-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/892-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/892-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1016-244-0x00000000046B0000-0x000000000480F000-memory.dmp

Filesize
1.4MB

Download
memory/1312-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1312-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1352-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1352-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1428-194-0x00000000045B0000-0x000000000470F000-memory.dmp

Filesize
1.4MB

Download
memory/1464-177-0x00000000046D0000-0x000000000482F000-memory.dmp

Filesize
1.4MB

Download
memory/1492-145-0x0000000005BD0000-0x0000000005D2F000-memory.dmp

Filesize
1.4MB

Download
memory/1492-146-0x0000000005BD0000-0x0000000005D2F000-memory.dmp

Filesize
1.4MB

Download
memory/1576-97-0x0000000005880000-0x00000000059DF000-memory.dmp

Filesize
1.4MB

Download
memory/1624-88-0x0000000005D70000-0x0000000005ECF000-memory.dmp

Filesize
1.4MB

Download
memory/1624-117-0x0000000005D70000-0x0000000005ECF000-memory.dmp

Filesize
1.4MB

Download
memory/1724-251-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1776-45-0x0000000005B20000-0x0000000005C7F000-memory.dmp

Filesize
1.4MB

Download
memory/1860-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1860-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1988-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1988-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2016-132-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2016-141-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-260-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2364-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2364-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2504-32-0x0000000005A10000-0x0000000005B6F000-memory.dmp

Filesize
1.4MB

Download
memory/2504-31-0x0000000005A10000-0x0000000005B6F000-memory.dmp

Filesize
1.4MB

Download
memory/2552-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2556-211-0x0000000004800000-0x000000000495F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-121-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2704-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2704-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2724-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2724-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-161-0x0000000004760000-0x00000000048BF000-memory.dmp

Filesize
1.4MB

Download
memory/2816-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2816-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-15-0x0000000005A60000-0x0000000005BBF000-memory.dmp

Filesize
1.4MB

Download
memory/3056-12-0x0000000005A60000-0x0000000005BBF000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads