e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
Size

1.1MB
MD5

4ec1e232ae04577a5cb90ce6ef4d5f43
SHA1

5f22e0107b5798edc0f28d05b6f9099e726c2214
SHA256

e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8
SHA512

2f3d750b55f80abfc602514fe529945b1b1d5e901955dcbbfeab8a51e9893915032a1cce8c632cf85831862ab670c07c26847b7aa0bd98fa95b361b6059fd114
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q0:acallSllG4ZM7QzMT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
664	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
664	svchcst.exe
4040	svchcst.exe
2268	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4768	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
4768	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe
664	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4768	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4768	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
4768	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
664	svchcst.exe
664	svchcst.exe
2268	svchcst.exe
2268	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 3172	4768	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe	85
PID 4768 wrote to memory of 3172	4768	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe	85
PID 4768 wrote to memory of 3172	4768	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe	85
PID 3172 wrote to memory of 664	3172	WScript.exe	89
PID 3172 wrote to memory of 664	3172	WScript.exe	89
PID 3172 wrote to memory of 664	3172	WScript.exe	89
PID 664 wrote to memory of 3792	664	svchcst.exe	90
PID 664 wrote to memory of 3792	664	svchcst.exe	90
PID 664 wrote to memory of 3792	664	svchcst.exe	90
PID 664 wrote to memory of 4900	664	svchcst.exe	91
PID 664 wrote to memory of 4900	664	svchcst.exe	91
PID 664 wrote to memory of 4900	664	svchcst.exe	91
PID 4900 wrote to memory of 4040	4900	WScript.exe	92
PID 4900 wrote to memory of 4040	4900	WScript.exe	92
PID 4900 wrote to memory of 4040	4900	WScript.exe	92
PID 3792 wrote to memory of 2268	3792	WScript.exe	93
PID 3792 wrote to memory of 2268	3792	WScript.exe	93
PID 3792 wrote to memory of 2268	3792	WScript.exe	93

C:\Users\Admin\AppData\Local\Temp\e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
"C:\Users\Admin\AppData\Local\Temp\e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3792
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5d63ac717b23533ce3ed3de1f59c6b12

SHA1
a36d1eb026b7d2c4fd3e59577f001a5c01a4e018

SHA256
15fd9bacc7847b7f1bff538fa50b8e511eff9ef022e1bceae5542a3cabb26130

SHA512
57991e4282abb3f4192aeaa6811054b834b3d3a974fee6d2b718511ab95e7f3f8a5d476b80a5d44e346ab336dd476eb2542f69a2063cbd52ca3e9a025920cf17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c705f00d58c0867bb1ff04f7ced75507

SHA1
3e633a4de017bbd60a273f375d975e1bc3f3696f

SHA256
3b7e911dde342f034f396bb6cb7d6b756920af35bd42efc498a4ec129f7533ef

SHA512
d590a020d6744dd204f88d15949d33d594031563bfdf2a76309d85f6ade03f11809b5e4db1b6d7f6632f06495afa35143cfa59de59d538396a9892b3d3570457

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
35c59bfb852bc88f03f5e530c3672f75

SHA1
8d9f8b8a210572b271193ffde225783f101c957c

SHA256
1c2fc8de8e6c27b745e43d4e0be3cb861f9715344ec7442510034af676f023f1

SHA512
14ebd1cc2bdca1c3cb7d7387bca80b61abedbde7e946abb8b5ddd88e07da79615a76d295f02bd52d16c9944024b00cd28022fbf4c332c5bc3925f84f50bc199d

Download Submit
memory/664-13-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/664-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4040-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4768-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4768-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download