8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95

General

Target

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
Size

1.1MB
MD5

b40e49cf9a6ede7662eb6f35c72a8c2b
SHA1

b84433a77180667379099f11bd317fc778c471c0
SHA256

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95
SHA512

14c3afdbe4e5219a5678b296c33adc570235f41478b4a675eb21784e6472337695ab9e79d06a85af73c35f059b3251c5e31916fb3075b4cd037f4db5877b2487
SSDEEP

24576:aH0dl8myX9BgT2QoXFkrzkmmlSgRZbo0lG4Z8r7Qfbkiu5QH:a1aClSQlG4ZM7QzMU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchcst.exeWScript.exeWScript.exe8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2980 svchcst.exe
Executes dropped EXE 3 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exe

pid process

2980 svchcst.exe
3416 svchcst.exe
3488 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2980	svchcst.exe

pid	process
2980	svchcst.exe
3416	svchcst.exe
3488	svchcst.exe

Modifies registry class 5 IoCs

Processes:

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exesvchcst.exe

pid	process
5076	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
5076	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe

pid process

5076 8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
5076	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
5076	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
2980	svchcst.exe
2980	svchcst.exe
3416	svchcst.exe
3416	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 5076 wrote to memory of 4308	5076	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe	WScript.exe
PID 5076 wrote to memory of 4308	5076	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe	WScript.exe
PID 5076 wrote to memory of 4308	5076	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe	WScript.exe
PID 4308 wrote to memory of 2980	4308	WScript.exe	svchcst.exe
PID 4308 wrote to memory of 2980	4308	WScript.exe	svchcst.exe
PID 4308 wrote to memory of 2980	4308	WScript.exe	svchcst.exe
PID 2980 wrote to memory of 1032	2980	svchcst.exe	WScript.exe
PID 2980 wrote to memory of 1032	2980	svchcst.exe	WScript.exe
PID 2980 wrote to memory of 1032	2980	svchcst.exe	WScript.exe
PID 2980 wrote to memory of 3632	2980	svchcst.exe	WScript.exe
PID 2980 wrote to memory of 3632	2980	svchcst.exe	WScript.exe
PID 2980 wrote to memory of 3632	2980	svchcst.exe	WScript.exe
PID 1032 wrote to memory of 3416	1032	WScript.exe	svchcst.exe
PID 1032 wrote to memory of 3416	1032	WScript.exe	svchcst.exe
PID 1032 wrote to memory of 3416	1032	WScript.exe	svchcst.exe
PID 3632 wrote to memory of 3488	3632	WScript.exe	svchcst.exe
PID 3632 wrote to memory of 3488	3632	WScript.exe	svchcst.exe
PID 3632 wrote to memory of 3488	3632	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
"C:\Users\Admin\AppData\Local\Temp\8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3632

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
d5a26bd3b4366107ffbb4663050f6576

SHA1
09a5b81e452620340fcc2343a146ac5469576d44

SHA256
6e6abc76efb5447d4e9b20d07396db93d0368e6f81f558217f81a4dedc437eef

SHA512
527fe34594e983df77843639208f832c63f24a23e6e72fabc3e27eb1cce2e08e4306f3a5ebd288142f9684c6730431fe09f2c60f699a0825dc8270e961abbb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
d6092ee38eead13bd2dab5a481566510

SHA1
9122d68a7e12df7402c1c96e69738f5d4c543ed4

SHA256
cf9f60e084f572c99335d08473e4a6a9bc7ff4abdc3925f2ea8ab1ee9e843b8f

SHA512
dca513de2229bd4e0bc739e08e204de004060e45d6e3915694e84c977b12fc560bfce448d15549d4261c30700a93473f90646511185312c9f36b0bbadaf1ac5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
e003195f6c714c6dec942975c6cdd471

SHA1
a7b0195ab5e40852b9a74f51d5ed067dd12bf2db

SHA256
8e595393f48c75dbc82a03b4b2aea00f81f246554ccce06f976fbdce041beed4

SHA512
d36781a53bf4df7683a88b70b760c7cc23bcd7911a2197813199b1a845b55e2b2de74c05b7280fcfba4823a928a9906d6f2e3587fb4c42cb9a24b02b1b694ad0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
3c14240a2728eba7640cdae95c06382f

SHA1
92a686e5299708e6e6c03b400734713fcb1a5a3c

SHA256
75f2cb5a9717fe31cf348a4f3799786f30fddd1cd675056aeb1667c6de093b66

SHA512
de54393073bc305198c83d1f65858fab18a474d0d9296ec46b323684532e76377801d036d92d86d5ae08f930549da7461a4af4ca14f83b6874b5577f9f14fe85

Download Submit
memory/2980-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2980-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3416-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3416-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3488-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3488-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5076-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5076-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads