Overview

overview

7

Static

static

3

5476cde2a2...99.exe

windows7-x64

7

5476cde2a2...99.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    133s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2024, 06:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe

  • Size

    1.1MB

  • MD5

    630577f754f2073f28f9726150b9ceb1

  • SHA1

    7541151c5fd292ffd3aec5b5007effcdbe410760

  • SHA256

    5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99

  • SHA512

    b1240076e608218c575f249397d979dcdcd97b51213651e774cfd29661f4e20238eb8c9ff430438d2e4aea6b0f985e49b421a2d3a5118d6626a57705f481a357

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qu:CcaClSFlG4ZM7QzMV

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe
    "C:\Users\Admin\AppData\Local\Temp\5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2224
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4688
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3168
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:316
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize

    753B

    MD5

    159d908ab820d9cda0e36edcd89ba0f8

    SHA1

    a52d5eacf81cd763e8ffd6bdbc7082f70b04a29c

    SHA256

    2dbb00a0f64bbae076d5862303aff6ae62ee8a2aa884384b0ab3b25bb6231bb2

    SHA512

    db4abe66d5ac20314d3dcca9d500e61bc97e06c0e6b7a1694e44fca2b7dcc57445c8774382a82e6ed03ee09d9b05b284bd150fe80c16d6f76e65905f4faa83a6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize

    696B

    MD5

    1c4a20bad462e2ead31b207cd4b0dd1b

    SHA1

    e6037559a47f711d0e930c907b6c33269cb8ecb9

    SHA256

    7cbf5f523fb2c8a62f6308bc56b5ff19556c167b7ce2c9e2d74329835c79d29e

    SHA512

    78e63943987dbb5fa66f2b9865002911c5225dbcba3e89ea0de4ed94dbd211e965e766073e19205a55a7d83cc631e87c50b9f6815d83fced9f41a72c842c145b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize

    696B

    MD5

    1106df09ec5fdde059876fabb3b189f8

    SHA1

    ff325b628bb07f43bc277ad1b343ca9b797324f1

    SHA256

    646d2e16d16c0dc4f95a42ab11dd666e4ecb28752154e1586316faa059fa0829

    SHA512

    0503a6256c3b327ee4f56644baa5d4237e00877e3502e044d3d698626d32e05f0ec2a71187ce371cf7d68f888e8ceb43a0212b8cce3e74d8f5607c21e574db86

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize

    1.1MB

    MD5

    9690db58b84fc91e5ffd4b78deb12d41

    SHA1

    b58cf32d19d092c001dbfa835165c078cb018bd5

    SHA256

    5def20bf4ba6844889451d40cea20f53693940d89b453820ebd2ce71b3c592fb

    SHA512

    617c867f3aaa67615a9c21fac0a20570b68e5fd7501afff4d74fff8788dcfaad0fcc1c28bcd4d9cb4185fff636097e799f6489e29126a4f31bdf395e44621482

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize

    1.1MB

    MD5

    7316a3d0d7988090b50a899ce0144864

    SHA1

    a3c02f4579d8a6d164646db79a639135fd902e20

    SHA256

    b335191126b9ecaac080f436fb8570990c3cb920575167346fe3199a674cf499

    SHA512

    42564600bea41784422553a7bc6549af05b47deddae44bf85f44e366477b49a450a8d86157ac6555ff26e0f9a66bfdec22074bee0dd1bf6b6f8937bca5dd7886

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize

    1.1MB

    MD5

    cb9a38e481f7c7a446bd001254edff15

    SHA1

    aa057e627831c136a66d950dad526080e6ad7204

    SHA256

    e02be7880e6dd73253c7ed5a16cec8ebe9e9f16898de929f842b962406470cf5

    SHA512

    c65c0dd1bdae6f335e61e3e066a6faa7c75cfeb5205dc3465471899c47f927b5641725ff07b0ee0dbf7f953737a0aa16dc733b609c342bed4750add5ae9f8aff

    Download Submit

  • memory/1312-8-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB

    Download