727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89

Analysis

max time kernel
55s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
Size

1.1MB
MD5

ceddae2d3b15ed8dd6ba9c89c0e19678
SHA1

e2176012fb1dbff73e660f7c9ae8868a0a0036e9
SHA256

727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89
SHA512

7e4eb5cf23ece12e9b8326fb15e71601f6f3cbfe49464a26b0f9d14cec29fef77270b951d52833e4616ab679f3850b30ff93e7125068d2ebf385b55e6c59986a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q5:CcaClSFlG4ZM7QzMK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3104	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
3104	svchcst.exe
4760	svchcst.exe
2800	svchcst.exe
1056	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3124	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
3124	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe
3104	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3124	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3124	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
3124	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
3104	svchcst.exe
3104	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
1056	svchcst.exe
1056	svchcst.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 4780	3124	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe	84
PID 3124 wrote to memory of 4780	3124	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe	84
PID 3124 wrote to memory of 4780	3124	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe	84
PID 4780 wrote to memory of 3104	4780	WScript.exe	89
PID 4780 wrote to memory of 3104	4780	WScript.exe	89
PID 4780 wrote to memory of 3104	4780	WScript.exe	89
PID 3104 wrote to memory of 1236	3104	svchcst.exe	90
PID 3104 wrote to memory of 1236	3104	svchcst.exe	90
PID 3104 wrote to memory of 1236	3104	svchcst.exe	90
PID 3104 wrote to memory of 220	3104	svchcst.exe	91
PID 3104 wrote to memory of 220	3104	svchcst.exe	91
PID 3104 wrote to memory of 220	3104	svchcst.exe	91
PID 220 wrote to memory of 4760	220	WScript.exe	92
PID 220 wrote to memory of 4760	220	WScript.exe	92
PID 220 wrote to memory of 4760	220	WScript.exe	92
PID 4760 wrote to memory of 1544	4760	svchcst.exe	93
PID 4760 wrote to memory of 1544	4760	svchcst.exe	93
PID 4760 wrote to memory of 1544	4760	svchcst.exe	93
PID 4760 wrote to memory of 4944	4760	svchcst.exe	94
PID 4760 wrote to memory of 4944	4760	svchcst.exe	94
PID 4760 wrote to memory of 4944	4760	svchcst.exe	94
PID 4944 wrote to memory of 2800	4944	WScript.exe	95
PID 4944 wrote to memory of 2800	4944	WScript.exe	95
PID 4944 wrote to memory of 2800	4944	WScript.exe	95
PID 1544 wrote to memory of 1056	1544	WScript.exe	96
PID 1544 wrote to memory of 1056	1544	WScript.exe	96
PID 1544 wrote to memory of 1056	1544	WScript.exe	96

C:\Users\Admin\AppData\Local\Temp\727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
"C:\Users\Admin\AppData\Local\Temp\727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:1236
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4760
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1056
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
fa7eaeb7423a8f92dc1bca6abf9eb546

SHA1
d1ce9625d51be34d36e71292c0547003fd72742a

SHA256
4bc100bac5a7b96f1c9891c61a1b0b7a0b1c7d44e4743314d74b9cac4e13e616

SHA512
0493a1a349c4d33c6aba3d47bc4a15e8d2ee7ee7186adefdf571b87846f436458517e0e90c9ce2ac2c59e2313c2b2a479548cb651418ba4c0f3a70071774e3ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f2343eae8f6d2b051ea21087bff96072

SHA1
33be0f02283bf050797bbf14d4b82f0780735daa

SHA256
9363993ce7008f24b007151350d2175bb89d8d0b0b3f456f9b64cee378174740

SHA512
4c92e94a0926f16555b5dab935261fc2b9d11245eaffa101e9f8c36c7a72d6b77ddd8723816bfe73905f0a809e301b2632aed536d818e08bbd62eec3505e5074

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
88ecb0fabd8f1d8bc20d538875e8b13b

SHA1
1a3b31f6f6973623e3d2fe39f2aca92b8552af50

SHA256
6a4b286c59b7259ff6107a8d3affdde60a75e23ec9eff5c12c96e166531a472e

SHA512
cdb2a3dd200523d96346f86d958e9fdf03b33742751bca5d489beafaa5e79e4468e7426f6e2a307ac4ea6d317c1e7ab2f12fd226fe256d8fd26a8f20ad5756b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
87c44a0d6ab9e8c991d32d5c60d76b62

SHA1
6b904aee68785bb0ed02a1bddabefe1dd2a93a61

SHA256
111e1b53b1c5debfd0270a68fe349b3bd45ce8e00c9c30abd66303128f519a43

SHA512
0afca7e7176f58f6b94dadb2fffcc9e18508e30345d62dbce21243722670dd9893dca5b1b7d28812a2b25816948a7a554c4df56f244f4ef04d695be9a7d7e720

Download Submit
memory/3124-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download