b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 22:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe
Size

1.1MB
MD5

e12463668be7ad9bac3786f6567bf18c
SHA1

a84fe1ad8c59814eb83405bddddee879dbf34c8c
SHA256

b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05
SHA512

265f6dd8be4f777857bf3a9e3935e09436df5a247c6d17248cf75c6c3cce149afadb1ace3cfceb36113ea64a2a4093b3948e9493b18bcb2974511bdf4cd7f77d
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QN:CcaClSFlG4ZM7QzMW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4836	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4836	svchcst.exe
5080	svchcst.exe
1408	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings	b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4500	b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe
4500	b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe
4836	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4500	b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4500	b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe
4500	b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe
4836	svchcst.exe
4836	svchcst.exe
5080	svchcst.exe
5080	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 3660	4500	b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe	83
PID 4500 wrote to memory of 3660	4500	b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe	83
PID 4500 wrote to memory of 3660	4500	b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe	83
PID 3660 wrote to memory of 4836	3660	WScript.exe	89
PID 3660 wrote to memory of 4836	3660	WScript.exe	89
PID 3660 wrote to memory of 4836	3660	WScript.exe	89
PID 4836 wrote to memory of 3528	4836	svchcst.exe	90
PID 4836 wrote to memory of 3528	4836	svchcst.exe	90
PID 4836 wrote to memory of 3528	4836	svchcst.exe	90
PID 4836 wrote to memory of 3812	4836	svchcst.exe	91
PID 4836 wrote to memory of 3812	4836	svchcst.exe	91
PID 4836 wrote to memory of 3812	4836	svchcst.exe	91
PID 3812 wrote to memory of 1408	3812	WScript.exe	93
PID 3812 wrote to memory of 1408	3812	WScript.exe	93
PID 3812 wrote to memory of 1408	3812	WScript.exe	93
PID 3528 wrote to memory of 5080	3528	WScript.exe	92
PID 3528 wrote to memory of 5080	3528	WScript.exe	92
PID 3528 wrote to memory of 5080	3528	WScript.exe	92

C:\Users\Admin\AppData\Local\Temp\b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe
"C:\Users\Admin\AppData\Local\Temp\b7beffc736a01a1fd8aaec5f488e56fc00706c560533641dacc34fffaff67c05.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5080
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3812
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a03cad9258273cecb11dba37c63fc761

SHA1
24cfd5673e555d315a736481be91fff23d9389f3

SHA256
4a9cb7f16c01ff74f29dd29ff8c038c80adb34cdb613fa36f7ff3be34bb42173

SHA512
f49d0873f116a678924eba7c69c8ca7f6f2394532038cca401357c96388d37991c40d1280959f34341c2da5d5c5479102ed4cdb28f6cd2e15378bdf3dd268c25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
556e8062309748596633d7d4087a6443

SHA1
8d7de1f8efb4ad14022dd742ea03c3628ac4f8c9

SHA256
544424588d8f24be5a09244bb6451517edc89f41fdcfde0884b21d404a9034a7

SHA512
e39afda5ca98cfcaabb04e3393ec680e6cf100c3b77b9e7337afc56b82464eb104e85ea515cd588b3fab086eda3d31d717d3a5b339b199a7a2b85fc0ea7bfe02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b35b8913a65b5e9d1354e501d0046cbc

SHA1
955b2c5f4b9774a2fa13af7402768f146f153d7a

SHA256
8be8ba6233a15d6b0ee74556e9f95c6a644306ed6472a1f7176b54f45aacddd4

SHA512
8da896868b36511e49c3f5a18ba32be7bc73e89a3c32a18b99031bd7146eb96e951e23314b3ba202143b5a3fca498a45bb5bfe7bec636858506ba5a814d04fd4

Download Submit
memory/4500-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download