3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe
Size

1.1MB
MD5

5c217b56c4622091f98416cce236c315
SHA1

2ebf1b0f20b80404a190df7f264a7ee8a6ed628b
SHA256

3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a
SHA512

90bf7ebafc3ad1576e8f1c233b6b7f161eace22eab5106b5fe7b539ed866a6b9b19bc809c3f5a32e782a30928466bed23ece2cddbf96cf79cf70513688299182
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qz:acallSllG4ZM7QzM0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3596	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3596	svchcst.exe
4168	svchcst.exe
4192	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1776	3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe
1776	3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe
3596	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1776	3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1776	3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe
1776	3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe
3596	svchcst.exe
3596	svchcst.exe
4168	svchcst.exe
4168	svchcst.exe
4192	svchcst.exe
4192	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1244	1776	3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe	78
PID 1776 wrote to memory of 1244	1776	3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe	78
PID 1776 wrote to memory of 1244	1776	3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe	78
PID 1244 wrote to memory of 3596	1244	WScript.exe	80
PID 1244 wrote to memory of 3596	1244	WScript.exe	80
PID 1244 wrote to memory of 3596	1244	WScript.exe	80
PID 3596 wrote to memory of 2548	3596	svchcst.exe	81
PID 3596 wrote to memory of 2548	3596	svchcst.exe	81
PID 3596 wrote to memory of 2548	3596	svchcst.exe	81
PID 3596 wrote to memory of 2292	3596	svchcst.exe	82
PID 3596 wrote to memory of 2292	3596	svchcst.exe	82
PID 3596 wrote to memory of 2292	3596	svchcst.exe	82
PID 2548 wrote to memory of 4168	2548	WScript.exe	84
PID 2548 wrote to memory of 4168	2548	WScript.exe	84
PID 2548 wrote to memory of 4168	2548	WScript.exe	84
PID 2292 wrote to memory of 4192	2292	WScript.exe	83
PID 2292 wrote to memory of 4192	2292	WScript.exe	83
PID 2292 wrote to memory of 4192	2292	WScript.exe	83

C:\Users\Admin\AppData\Local\Temp\3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe
"C:\Users\Admin\AppData\Local\Temp\3ebeaff4f9676e642a38686abffb7a8420254e9ec22d322bc1f10843b75afc8a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4168
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b05af49ff459f99875978f1d3fe4d37b

SHA1
8d6f28ec31a2ae64e625953fbe858876ce80f6ce

SHA256
75fa827808816de94169de1d32617e4792374b77eb74d4eee3b24ceb8f0ef744

SHA512
95636cae45570a3382457e368197f398650193d7da162a8526020c33d9f729eacf7d48360b98edae207ccb1550559b4a7e123334258e23e0bf483d9fa40cfb81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c7211c6ab078878929bb3683f705560

SHA1
5a52049f54692294392837b5922d865e9c407022

SHA256
bb9e2a89c0fc9574eac35f2b2c4bc696f3642fc96ff2fd1f6a2d3467784fbeff

SHA512
4d9b5d0053b0f57651c08084c87416d2ae8613b9ea74651e51f251e5d806f36c194735e4f6f3152d7c72592f60f2a7e971ee82c60410762472942823b1956c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7dafa2ea65d1c5e597ca0f8d32cf2a00

SHA1
49d1b47de956e5d9103fe10536d5a545f7d5bee2

SHA256
bcc1a6b9ad4ecfa016a0119310e60c5580888cd16df61229bf127de7a13729a5

SHA512
d500cbd141ef928440054829c72fa40a76fe0ce00162d50a2fd7c6b2825e24e324397d2334613f96dd716703a53f767a410e9ebc9ab6ffa7936f26b344b51266

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
41250c2c3e5c10c099887af5d35d1895

SHA1
05afdd87dd7cb58178c04091e5dadff560524a8e

SHA256
0b6674feb6087447d6c37176c8b32841f452c76413d9fe679d52c1b5fab7c159

SHA512
7bc407b29d135b0e31a295eefcdaaecbf44411768b1aaa37a6fd2d2ca248cbb74fcc0aadd9365e7b64d02688c235f47439f11b520d469db81665b6931176a3d4

Download Submit
memory/1776-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1776-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3596-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3596-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4168-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4168-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4192-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4192-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download