3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 06:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe
Size

1.1MB
MD5

ab9a0100a8663d039d5246b0c4cdba40
SHA1

397cd8c26b3016f7f1de68dc111168ac77b20970
SHA256

3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a
SHA512

9112ca9daf2e932b28c800753efe9ea8fef147bdf5d89a50191ed66d901a52d06e5238342a29cae8a33e06c77331c1eb2c3ea075aa734804c14009c3b94a8f9f
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qa:CcaClSFlG4ZM7QzMZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
852	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
852	svchcst.exe
2944	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2536	WScript.exe
3040	WScript.exe
2536	WScript.exe
3040	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe
2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe
852	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe
2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe
852	svchcst.exe
852	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2536	2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe	29
PID 2184 wrote to memory of 2536	2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe	29
PID 2184 wrote to memory of 2536	2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe	29
PID 2184 wrote to memory of 2536	2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe	29
PID 2184 wrote to memory of 3040	2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe	28
PID 2184 wrote to memory of 3040	2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe	28
PID 2184 wrote to memory of 3040	2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe	28
PID 2184 wrote to memory of 3040	2184	3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe	28
PID 2536 wrote to memory of 2944	2536	WScript.exe	31
PID 2536 wrote to memory of 2944	2536	WScript.exe	31
PID 2536 wrote to memory of 2944	2536	WScript.exe	31
PID 2536 wrote to memory of 2944	2536	WScript.exe	31
PID 3040 wrote to memory of 852	3040	WScript.exe	32
PID 3040 wrote to memory of 852	3040	WScript.exe	32
PID 3040 wrote to memory of 852	3040	WScript.exe	32
PID 3040 wrote to memory of 852	3040	WScript.exe	32

C:\Users\Admin\AppData\Local\Temp\3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe
"C:\Users\Admin\AppData\Local\Temp\3395519b00baa0a7efd81310e7db27c2941028d928fc4e461d2fdbc84563319a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0602b2bcef5d371bbc037adb844b98ad

SHA1
0d96f809e6d4784054e61fd4631e3b2035767d1d

SHA256
bf40f8cc0e83152f33514c1e9104d200e4a7e8a52091aecdc8046f8ad2def164

SHA512
26e7e5ccd0ca24227ef7e31d124a7862f92fee583c5b5ad1322e8d4e863cda20cb2ff2dbfd8085c34b0fd33b6b534b47588dd1412ad7b7dca00491856b8efd2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3303136b2de86f8c50f70af62729b606

SHA1
b3ca621934e3f91122db4945e33fd7c05c6f55a5

SHA256
1f0da0739dbcf2acae27739163fde5b16cc9d31d55d3bbc77b226e6e3a97a901

SHA512
5adebe8c358ee1f0a332603f1749599f58b72808ba07b31169474cada929ebf9e1a9f8316934eb863925ffb44f63d6f1ab766d437414bf1e9294dfe0b101b932

Download Submit
memory/2184-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download