077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831

General

Target

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe
Size

1.1MB
MD5

7cf70253aec73cf13823cb19583591da
SHA1

3aa20d7b470ef407b1476613cc8ce4379a70b638
SHA256

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831
SHA512

a243b73c1debedfd1e2ce2669c7c9b1935e75e031fbacf31e2e9855149f615c5bddd2a3080bac86a71bfa5145ba6ac639ec217f3ef543b50114bab59e4da8de5
SSDEEP

24576:aH0dl8myX9BgT2QoXFkrzkmmlSgRZbo0lG4Z8r7Qfbkiu5Qz:a1aClSQlG4ZM7QzMQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exesvchcst.exeWScript.exeWScript.exe077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1252 svchcst.exe
Executes dropped EXE 3 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exe

pid process

1252 svchcst.exe
900 svchcst.exe
2060 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1252	svchcst.exe

pid	process
1252	svchcst.exe
900	svchcst.exe
2060	svchcst.exe

Modifies registry class 5 IoCs

Processes:

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exesvchcst.exe

pid	process
1624	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe
1624	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe

pid process

1624 077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
1624	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe
1624	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe
1252	svchcst.exe
1252	svchcst.exe
900	svchcst.exe
2060	svchcst.exe
900	svchcst.exe
2060	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 1624 wrote to memory of 3184	1624	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe	WScript.exe
PID 1624 wrote to memory of 3184	1624	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe	WScript.exe
PID 1624 wrote to memory of 3184	1624	077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe	WScript.exe
PID 3184 wrote to memory of 1252	3184	WScript.exe	svchcst.exe
PID 3184 wrote to memory of 1252	3184	WScript.exe	svchcst.exe
PID 3184 wrote to memory of 1252	3184	WScript.exe	svchcst.exe
PID 1252 wrote to memory of 2416	1252	svchcst.exe	WScript.exe
PID 1252 wrote to memory of 2416	1252	svchcst.exe	WScript.exe
PID 1252 wrote to memory of 2416	1252	svchcst.exe	WScript.exe
PID 1252 wrote to memory of 2840	1252	svchcst.exe	WScript.exe
PID 1252 wrote to memory of 2840	1252	svchcst.exe	WScript.exe
PID 1252 wrote to memory of 2840	1252	svchcst.exe	WScript.exe
PID 2840 wrote to memory of 900	2840	WScript.exe	svchcst.exe
PID 2840 wrote to memory of 900	2840	WScript.exe	svchcst.exe
PID 2840 wrote to memory of 900	2840	WScript.exe	svchcst.exe
PID 2416 wrote to memory of 2060	2416	WScript.exe	svchcst.exe
PID 2416 wrote to memory of 2060	2416	WScript.exe	svchcst.exe
PID 2416 wrote to memory of 2060	2416	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe
"C:\Users\Admin\AppData\Local\Temp\077e0379472a9e4241c16a65357fdb276e0d0851d528c18d407edff2a200f831.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3184

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
bd50ee04d7d92b9eb6f8170f177b8bca

SHA1
4cb36854eea412e9284bb14fe06893d6e8e7d6aa

SHA256
346b67e038abbb9dd741b5e3654d36cdb1a3e4f037bda2b55a399daa6b5a984f

SHA512
3f3d4f7e439c49261214e495d0a8c7f71fe4e8bc1ada0f080e65dc19444088a4b8a560e2cecb0d3a7fab84c0f18fdd2440c8ac764120a564d22259431b38290c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
6cefcde7a292edfc29b3882cdeb23dba

SHA1
3588db649319258acc78049555e0c587aae5dcf1

SHA256
4fc01d17db5185ecf506bb8ad2665dc04fbc85d9b55282b364687c5c82689251

SHA512
14f7f31813f271f8ab4c58ad06504769900ae075915db76882bce80dfaa82bb76bc6c40fa76f6eae4f3c65d2311a702d5581510ea5ade452ea8b6f957da1684c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
e0b030fd7df73f0d11bd085a3f94194e

SHA1
41fd746e340b731b868e9980fd56312bccd90fde

SHA256
afc26af63471d6b856b09e206cf6e2607ef1ec1ef2d7edefecfa9ea726a76713

SHA512
3e21148469915eb96654cea95888a7052f653ff7f03dc7e6808bbcd2104fadbe0257f5699b5ce72b6ee705cbd3b58d8fce012a7ed14200210ec88905dbae73c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
b83cb917248c78e8ed74f2ce20cdab5f

SHA1
27016a98db9b51caf53fc1c57416a8d7ad06d102

SHA256
2508a56fe316fbecf3f073e636ab2c43f9f00dad692123c78e41a82f61116b58

SHA512
e0154e2a42413e73f974607b0cfb7963b577144f7a2e3fc8d85670b040d9ff651a1dd30f4034e555718ef0b202572a3d1710886944b381a7b042b64ec11e6b9c

Download Submit
memory/900-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/900-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1252-13-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1252-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2060-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2060-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads