bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d.exe
Size

1.1MB
MD5

e3cd1a3508f18f7070bf2afa654901b3
SHA1

780d68c2da2df99f2fc8365981f1c7ca96486cf6
SHA256

bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d
SHA512

b3c815488005a5fe20b57368d5031e6a1aea9c34e459acac57809ddb33f29b6256a5651e4377dab46ef6ea3ca2848dc570a834250c3878e74b16b837050415eb
SSDEEP

24576:aH0pl8myX9BgT2QooFkrzkmmlSgRZko0lG4Z8r7Qfbkiu5Qb:a6aClSXlG4ZM7QzM8

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2456	svchcst.exe

Executes dropped EXE 8 IoCs

pid	Process
2456	svchcst.exe
2820	svchcst.exe
1860	svchcst.exe
1444	svchcst.exe
336	svchcst.exe
752	svchcst.exe
2036	svchcst.exe
1804	svchcst.exe

Loads dropped DLL 11 IoCs

pid	Process
2364	WScript.exe
2364	WScript.exe
2508	WScript.exe
2220	WScript.exe
2220	WScript.exe
2064	WScript.exe
1852	WScript.exe
1852	WScript.exe
612	WScript.exe
612	WScript.exe
1852	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2184	bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2184	bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d.exe
2184	bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d.exe
2456	svchcst.exe
2456	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
1860	svchcst.exe
1860	svchcst.exe
1444	svchcst.exe
1444	svchcst.exe
336	svchcst.exe
336	svchcst.exe
752	svchcst.exe
752	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2364	2184	bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d.exe	28
PID 2184 wrote to memory of 2364	2184	bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d.exe	28
PID 2184 wrote to memory of 2364	2184	bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d.exe	28
PID 2184 wrote to memory of 2364	2184	bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d.exe	28
PID 2364 wrote to memory of 2456	2364	WScript.exe	30
PID 2364 wrote to memory of 2456	2364	WScript.exe	30
PID 2364 wrote to memory of 2456	2364	WScript.exe	30
PID 2364 wrote to memory of 2456	2364	WScript.exe	30
PID 2456 wrote to memory of 2508	2456	svchcst.exe	31
PID 2456 wrote to memory of 2508	2456	svchcst.exe	31
PID 2456 wrote to memory of 2508	2456	svchcst.exe	31
PID 2456 wrote to memory of 2508	2456	svchcst.exe	31
PID 2508 wrote to memory of 2820	2508	WScript.exe	32
PID 2508 wrote to memory of 2820	2508	WScript.exe	32
PID 2508 wrote to memory of 2820	2508	WScript.exe	32
PID 2508 wrote to memory of 2820	2508	WScript.exe	32
PID 2820 wrote to memory of 2220	2820	svchcst.exe	33
PID 2820 wrote to memory of 2220	2820	svchcst.exe	33
PID 2820 wrote to memory of 2220	2820	svchcst.exe	33
PID 2820 wrote to memory of 2220	2820	svchcst.exe	33
PID 2220 wrote to memory of 1860	2220	WScript.exe	34
PID 2220 wrote to memory of 1860	2220	WScript.exe	34
PID 2220 wrote to memory of 1860	2220	WScript.exe	34
PID 2220 wrote to memory of 1860	2220	WScript.exe	34
PID 1860 wrote to memory of 2744	1860	svchcst.exe	35
PID 1860 wrote to memory of 2744	1860	svchcst.exe	35
PID 1860 wrote to memory of 2744	1860	svchcst.exe	35
PID 1860 wrote to memory of 2744	1860	svchcst.exe	35
PID 2220 wrote to memory of 1444	2220	WScript.exe	36
PID 2220 wrote to memory of 1444	2220	WScript.exe	36
PID 2220 wrote to memory of 1444	2220	WScript.exe	36
PID 2220 wrote to memory of 1444	2220	WScript.exe	36
PID 1444 wrote to memory of 2064	1444	svchcst.exe	37
PID 1444 wrote to memory of 2064	1444	svchcst.exe	37
PID 1444 wrote to memory of 2064	1444	svchcst.exe	37
PID 1444 wrote to memory of 2064	1444	svchcst.exe	37
PID 2064 wrote to memory of 336	2064	WScript.exe	38
PID 2064 wrote to memory of 336	2064	WScript.exe	38
PID 2064 wrote to memory of 336	2064	WScript.exe	38
PID 2064 wrote to memory of 336	2064	WScript.exe	38
PID 336 wrote to memory of 1852	336	svchcst.exe	39
PID 336 wrote to memory of 1852	336	svchcst.exe	39
PID 336 wrote to memory of 1852	336	svchcst.exe	39
PID 336 wrote to memory of 1852	336	svchcst.exe	39
PID 1852 wrote to memory of 752	1852	WScript.exe	40
PID 1852 wrote to memory of 752	1852	WScript.exe	40
PID 1852 wrote to memory of 752	1852	WScript.exe	40
PID 1852 wrote to memory of 752	1852	WScript.exe	40
PID 752 wrote to memory of 612	752	svchcst.exe	41
PID 752 wrote to memory of 612	752	svchcst.exe	41
PID 752 wrote to memory of 612	752	svchcst.exe	41
PID 752 wrote to memory of 612	752	svchcst.exe	41
PID 612 wrote to memory of 2036	612	WScript.exe	42
PID 612 wrote to memory of 2036	612	WScript.exe	42
PID 612 wrote to memory of 2036	612	WScript.exe	42
PID 612 wrote to memory of 2036	612	WScript.exe	42
PID 1852 wrote to memory of 1804	1852	WScript.exe	43
PID 1852 wrote to memory of 1804	1852	WScript.exe	43
PID 1852 wrote to memory of 1804	1852	WScript.exe	43
PID 1852 wrote to memory of 1804	1852	WScript.exe	43

C:\Users\Admin\AppData\Local\Temp\bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d.exe
"C:\Users\Admin\AppData\Local\Temp\bec0173b62f9452daadd5bffad779d1edcd5b70ef1e4dc8e2934a8dea8646c3d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8b412aa0b6687b4da946906a06c460fa

SHA1
180bb2d6f0645242e91d23e76043c0301916f7f5

SHA256
923ae6b14f6c2bebf34efcf9db8485390ca298cdb952df04bc457df9c45647b3

SHA512
73d949f5159a7c976e250d20b975fff6469d5c41b47488d9738a3466dfb372c7977846f6d8fbf676e07715a5fe284ca1597b74f090e0b55301314f71522ac143

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4f1c3e04fe09c26eac61a6a5e73d41a6

SHA1
5d61ea8f22af3a41286cfd2e03bf0d5fe912527e

SHA256
fcea651549aa97e3646b2b5857daab87dfa90158918203ea713fbc3d8dc96d2b

SHA512
23a253717242040b3497cc5dd9736a2a19adac084ebdf17f578f11a3c07aa584c78a8155ece8de4317293c4b75fca53b4cc225d05785f69e01d18ef6582e01f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c5ae655707a21f6473c5f382a787e100

SHA1
1d2078ebfae286212eb90e60c9dbce5e70ac24f1

SHA256
baf83e476c96ab1af7a7482de26dae9909744fad6d12c6ae818f51b834cecb50

SHA512
af80731f380d75a643ab885ba152cb7118297ab4e70ff44dd96b7bae8542881f0d06cdbe0ac524cdc30ddca970c2b27adf6398f8efc6e510cea6cc0b2a59b34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
79da1e31c379162b476527ff81befc1d

SHA1
7704ccf0eb91acd51932ba7a95a1889a364fff52

SHA256
c1a917cf69372f5990fba0cbbf8096b94230a9c46b46e615c9297a56572c3b1c

SHA512
96b701f1092c624b11d6d3f54f6b35522b8e2a82dbcb5f7515ed7b506cd425c86d61e0ea1b15760e8ad0ef5cb62f9ccf4b4eb9155f0c6a41b324b9c6ebf9d6c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
20aa062b16fc3cd12e197391f9d72173

SHA1
4b07b016b0a6faf13d6081c1f1aa3f3debfe9766

SHA256
79e0471a6c11118637f88f5d7d92985531146af534015ff1b95d64224e1e4f96

SHA512
b3e4a145eac1bfd31d400f4ae195e1d1bd782f5f7b91d268c1c61de9bd8613a47179b22ac94b4b9d0c11dad330460ad07618f1fa8357c6a97a89b2c285db55c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b16f20a01b2353936f989b4c936eba42

SHA1
9b8495c3babc48d545078efd1deac258cf3d05ad

SHA256
91a992103dede726f439ffaf4705435b0281e1938a4739f9a7269ec38fa8cd5d

SHA512
6cf14668fead6a1761fbdfe26119d5b2e91bf09e851f272d4ffbb2794afbd5e0b1507f4d0f2542e0702c81d573c40f926d65699c8415cd7777c1771c52d5a029

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dfc764cc357560239952279a4762274b

SHA1
379aad7ecfe5c596632bb6e1ca62e3fd13bb4086

SHA256
fc7a618bf1ab3ed5379543b0cfd359533e0e276d20c1fe4a6bcdc7e5e0fa60b0

SHA512
ac70808ee5732745b0547890cda08f2e388dae8b9cc2cc8d95bc0f2ff3d88d297004453b7d1c78e8489f04d807463cfebc4d107f359f06118fe240627ff1dd5a

Download Submit
memory/336-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/336-71-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/752-78-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/752-87-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1852-76-0x0000000004570000-0x00000000046CF000-memory.dmp

Filesize
1.4MB

Download
memory/1852-96-0x00000000046C0000-0x000000000481F000-memory.dmp

Filesize
1.4MB

Download
memory/1852-77-0x0000000004570000-0x00000000046CF000-memory.dmp

Filesize
1.4MB

Download
memory/1860-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1860-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-61-0x0000000003F30000-0x000000000408F000-memory.dmp

Filesize
1.4MB

Download
memory/2184-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2184-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-92-0x0000000005A40000-0x0000000005B9F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-70-0x0000000005BE0000-0x0000000005D3F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download