Overview

overview

7

Static

static

3

46c487e6e3...29.exe

windows7-x64

7

46c487e6e3...29.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 20:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe

  • Size

    1.1MB

  • MD5

    eeed20ae7a99c89fab5ae8ffffdaeae9

  • SHA1

    a4abb34317a8a6b48240f93b2db1242a0cc06e7b

  • SHA256

    46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29

  • SHA512

    28d74bbf1fb9d6d48e806bc615d749ef6d2766d4ffaecc776ca3e9fc583c9596a67277a77d7f578ebdb14a45ed96980f78d8f5311e87c6ad84b37b1de876379a

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QH:CcaClSFlG4ZM7QzMA

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe
    "C:\Users\Admin\AppData\Local\Temp\46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3316
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4496
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2260
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3100

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
          Filesize

          92B

          MD5

          67b9b3e2ded7086f393ebbc36c5e7bca

          SHA1

          e6299d0450b9a92a18cc23b5704a2b475652c790

          SHA256

          44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

          SHA512

          826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
          Filesize

          753B

          MD5

          4045b73ff4fe05dbe73a030b336f45de

          SHA1

          e20f7138c8fa9df226c2f96b6800a2e82a2d6e2c

          SHA256

          b96ae81ffe7e7c5c3f8ed5d3126b2e4f2b2191ab6ef1ce17b334bdc7cea8ddf4

          SHA512

          12bea91a9e989838a90a1dab6520e3aaf9b535afae661983b5a8dc27ba4676ac6e7e545a0b90e7e001cc85c5b430b370c68148c3a9082c5151b40d0b78f6370a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
          Filesize

          696B

          MD5

          d0a7594dbfff2934bae6e22de9f233fe

          SHA1

          b2a276918a0f5fb2da4440d77ec65c3c644dcf74

          SHA256

          b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

          SHA512

          3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
          Filesize

          1.1MB

          MD5

          c3fa8c70440d475229754ee719aa3f7c

          SHA1

          faf0bcc51eea517d1e00ca07986668a045802865

          SHA256

          12fac35b70ed61bd7fc72150c57172fbca4185c13ca91cbb29bb1329b17b5552

          SHA512

          1e2abcdf0861b5e107f10da9c67f700628627e62575dbc196692bbcc2c45f4899c12f52b0f4f18abe75914d9781a8bfffa9bb684fcb428086f67d88b445c5919

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
          Filesize

          1.1MB

          MD5

          1dd51e10a0e2847bc332874ae897cee3

          SHA1

          7bf913f6c3a72eb2ac748f6f97ac1c4e9e168645

          SHA256

          6d21c205e9c064ff152c4e2f50842ec9ed45b4334f56e71e4a3bcead68012eee

          SHA512

          7b5f77a10dd1349172cb0c129707b7d29982a49dd9f9176388db13ca884e079c415035d98dc44737846c9bb8a721113da0c49d9d49cc08c4a6c037f921aae0d9

          Download Submit

        • memory/2324-8-0x0000000000400000-0x0000000000551000-memory.dmp

          Filesize

          1.3MB

          Download