64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc

Analysis

max time kernel
133s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
Size

1.1MB
MD5

e6f73055d0118c3d516fc0fca9c19286
SHA1

0ecbe66acf9a809784c0f569cc3ca7c68cc98dd7
SHA256

64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc
SHA512

1eea6918b35f31a3dea547aa87e29975f263bf38f4ae32ab2e995b3630f4c5df4c542f57ceafc38998174192c403c3a08e998705fc406b008251ef8f4beba705
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QM:CcaClSFlG4ZM7QzML

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4852	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4852	svchcst.exe
1152	svchcst.exe
2664	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
1728	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe
4852	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1728	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1728	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
1728	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
4852	svchcst.exe
4852	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 4300	1728	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe	83
PID 1728 wrote to memory of 4300	1728	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe	83
PID 1728 wrote to memory of 4300	1728	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe	83
PID 4300 wrote to memory of 4852	4300	WScript.exe	94
PID 4300 wrote to memory of 4852	4300	WScript.exe	94
PID 4300 wrote to memory of 4852	4300	WScript.exe	94
PID 4852 wrote to memory of 4036	4852	svchcst.exe	95
PID 4852 wrote to memory of 4036	4852	svchcst.exe	95
PID 4852 wrote to memory of 4036	4852	svchcst.exe	95
PID 4852 wrote to memory of 3708	4852	svchcst.exe	96
PID 4852 wrote to memory of 3708	4852	svchcst.exe	96
PID 4852 wrote to memory of 3708	4852	svchcst.exe	96
PID 4036 wrote to memory of 1152	4036	WScript.exe	99
PID 4036 wrote to memory of 1152	4036	WScript.exe	99
PID 4036 wrote to memory of 1152	4036	WScript.exe	99
PID 3708 wrote to memory of 2664	3708	WScript.exe	100
PID 3708 wrote to memory of 2664	3708	WScript.exe	100
PID 3708 wrote to memory of 2664	3708	WScript.exe	100

C:\Users\Admin\AppData\Local\Temp\64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
"C:\Users\Admin\AppData\Local\Temp\64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
727c88bbd1f5a234256a3f3f5875bf84

SHA1
0a7569bc87b9f7e4387eafcd98a25c10792ed684

SHA256
db4f060c4d424f5afbc2bc4d845dd408b12f82f612d738506a6e1df261a55a25

SHA512
3c79a663026bcb08ffdf51883fc4d54eea10bac327d36057000342330f06bba4ca1c003462f946322a8443fa3a31a9efa9248376f87b12daea179ef6f99d1bed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
be07e1fe56c4edd34c8af19b37f01ac3

SHA1
7d366f717363f0069b7472c528b4c807b4e98f97

SHA256
3ebd594c598915f6ab3a7cbd3b448e6f4f0ec62c525c2270bdfb2e351ce67150

SHA512
56773adf088f87e7068eaed3c7fde84797df83ec4cc328b3c7ebe3a4049b93a879560de3248911f7106fa8eb45eedfb0693442a4566478f72483d9c9ab606576

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
37bfaa574582225a648ed687653b6010

SHA1
a9ac21fae832e37490251d64f37f2edbbe7e9b76

SHA256
88a2369aaa1d379f96fcff2260b7136a85a008d99e541f0931b938f778a7dd38

SHA512
42db88c105489abed1edf5de5efec8f21c9918610279279257ffbac1672ca8acb4315c41dd81a56dad39a54f655618da9f1c2c1eac8bb7a317efa6e603dc8843

Download Submit
memory/1728-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download