1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 02:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe
Size

1.1MB
MD5

e20ab1f9552018f11aaa4db124bf1081
SHA1

0e0622f9df03325782b4f10e6f9cb3aecc063361
SHA256

1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2
SHA512

f95719153c11327149cda6a80665beadf9ba1d1011fabef42c722659844e3974b29310ee893a7e6f5756aded446f4247eef67f82f65735b48d8ab2271b9a692e
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
2660	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2660	svchcst.exe
1416	svchcst.exe
2996	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4740	1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe
4740	1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4740	1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4740	1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe
4740	1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe
2660	svchcst.exe
2660	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3580	4740	1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe	82
PID 4740 wrote to memory of 3580	4740	1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe	82
PID 4740 wrote to memory of 3580	4740	1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe	82
PID 3580 wrote to memory of 2660	3580	WScript.exe	91
PID 3580 wrote to memory of 2660	3580	WScript.exe	91
PID 3580 wrote to memory of 2660	3580	WScript.exe	91
PID 2660 wrote to memory of 2488	2660	svchcst.exe	92
PID 2660 wrote to memory of 2488	2660	svchcst.exe	92
PID 2660 wrote to memory of 2488	2660	svchcst.exe	92
PID 2660 wrote to memory of 5304	2660	svchcst.exe	93
PID 2660 wrote to memory of 5304	2660	svchcst.exe	93
PID 2660 wrote to memory of 5304	2660	svchcst.exe	93
PID 2488 wrote to memory of 2996	2488	WScript.exe	96
PID 2488 wrote to memory of 2996	2488	WScript.exe	96
PID 2488 wrote to memory of 2996	2488	WScript.exe	96
PID 5304 wrote to memory of 1416	5304	WScript.exe	97
PID 5304 wrote to memory of 1416	5304	WScript.exe	97
PID 5304 wrote to memory of 1416	5304	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe
"C:\Users\Admin\AppData\Local\Temp\1222564a0ecb6ae126c857f973fd6fde8deaed77a9e10532e58c2aa1a64c66d2.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2996
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5304
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
23e1a2fa180d8d0812f5b29804f2b385

SHA1
d3c2432075ea32db6c30bae8b535f58e9250af75

SHA256
4852310ad5640f0c98fdb02ccb519723f0fe7db37e6af850dc57dd8e46ccdffc

SHA512
c478baafabfa8f122a8b825a330c6d7cd6661432be85459e7871c6556c635c1f7ab576701a743fec4c1b20da9bdcc41544e5d9b4b0c9857df2134aadc87f37b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c7a49f979b22a19344f329e69360cc03

SHA1
08a6c5728c2cc9a2566ef3d0f36f7ef86e3199dd

SHA256
d617a5eae56fa934d7be0853a4029705a8de927a232769dc36d58d75e2dda084

SHA512
a745c279480cfcb0ebe9ac33ceebef386f335e8517db17d96ff9c330b7d65e911d0805c972c41cee5fdde1119453405d1d53215213b507ca029c0f5eaedd285d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
de8e01cbeda0e04dbc953e706f4116cf

SHA1
7539425c05988ab77776daede55d5e2b73b79bdb

SHA256
4f78e1a35ae7319dc2d1cee3e080e1e1d566544e5440672de99459d3ba530cae

SHA512
eba30c0ff6069e351d6b573bfff955c4019c1a5f7803c2fb4d9d4a3c38a56161536f722d40a2b9ca7f6e63bab442f053ed84d1b7477b262fa268477acb70ad31

Download Submit
memory/1416-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4740-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4740-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download