42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe
Size

1.1MB
MD5

0f4268c4d39ce5d7ef01ac965b2b765d
SHA1

bcbe8942b62b9d62d6f824f3b596375a193f5964
SHA256

42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132
SHA512

1c1c8da46dd688f6970579c9e58e84b4c838d01c56e9ff6da3dcee36b67a4441bb40bd3466c65d255253a69c9106b04d0d49095f0076aaec3d0ada83ff019bff
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qi:acallSllG4ZM7QzMx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2660	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2660	svchcst.exe
3552	svchcst.exe
3440	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe
2780	42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe
2780	42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe
2780	42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2780	42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2780	42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe
2780	42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe
2660	svchcst.exe
2660	svchcst.exe
3552	svchcst.exe
3440	svchcst.exe
3440	svchcst.exe
3552	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2168	2780	42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe	83
PID 2780 wrote to memory of 2168	2780	42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe	83
PID 2780 wrote to memory of 2168	2780	42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe	83
PID 2168 wrote to memory of 2660	2168	WScript.exe	95
PID 2168 wrote to memory of 2660	2168	WScript.exe	95
PID 2168 wrote to memory of 2660	2168	WScript.exe	95
PID 2660 wrote to memory of 3988	2660	svchcst.exe	96
PID 2660 wrote to memory of 3988	2660	svchcst.exe	96
PID 2660 wrote to memory of 3988	2660	svchcst.exe	96
PID 2660 wrote to memory of 5016	2660	svchcst.exe	97
PID 2660 wrote to memory of 5016	2660	svchcst.exe	97
PID 2660 wrote to memory of 5016	2660	svchcst.exe	97
PID 3988 wrote to memory of 3552	3988	WScript.exe	99
PID 3988 wrote to memory of 3552	3988	WScript.exe	99
PID 3988 wrote to memory of 3552	3988	WScript.exe	99
PID 5016 wrote to memory of 3440	5016	WScript.exe	100
PID 5016 wrote to memory of 3440	5016	WScript.exe	100
PID 5016 wrote to memory of 3440	5016	WScript.exe	100

C:\Users\Admin\AppData\Local\Temp\42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe
"C:\Users\Admin\AppData\Local\Temp\42ea7f19aae5a3df04a7e8a33e222440d2d8faa1531aa40737ca0df849e0a132.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3552
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
365a81d83a5aa57e876999ac0da67868

SHA1
c9657838277fbccb33145b9eaacd02abe98334f7

SHA256
42cbd101f1837ef6f1ce1f86c7b8ca07b02eafe0a808759befd2833f9f79d29a

SHA512
8eff2998e69c8b666a2cae24594013741ad7f2532cf519bfefe209d65fb37801fcfdbf0b82e60c8eedaff55e3e2f35a37fd08dcd824308e41584e58811a06645

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d6f42af2f88c4832d159771831b67e5b

SHA1
30d98a843276448a65a620b6a845a2aa2a460822

SHA256
a3288455451bef96095cdcfa36c013d05d9b3f47c68bb8f9768abe49a49b8d3e

SHA512
ff32c2fd2b401fdf5cb78ddcc4fcdc1f9021d6a2d56ba81a09ff7945445497dd191c2318aef145a06fabb455e38feadaa96261326a462d97ed4e1a643989b4fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
eaa1b7421d32f1e185e68c26bece61c1

SHA1
b607c482125854538aa2d54f702a3ab00fbb9b53

SHA256
68907613ecc2b8171f1a1c31c48106765f3d276720c6537167dc0c34d3eefe5b

SHA512
827f129b2b0a60c538544f9c1c194b326a22d9fe8c3993a9ec91ae2380f505a4c658817d8775a72289f7e3eea010245f9f25316c916b9eb9d821b7e69e6b00ba

Download Submit
memory/2660-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2780-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2780-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3440-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3440-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3552-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3552-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download