9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe
Size

1.1MB
MD5

cc9b887a041ae04a044cc187edacac63
SHA1

6304c5706e569d56f464d14238b3868193ac9dd8
SHA256

9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11
SHA512

dbf5045059ff7f976167457392743a6f93379d7bb3e56739d12600b785f9e154320f3b83ae63f2b72d1722afd8edd46367ff05c3f695133caa82bcb58abf3167
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q9:CcaClSFlG4ZM7QzMG

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3076	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3076	svchcst.exe
1680	svchcst.exe
4160	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
780	9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe
780	9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe
3076	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
780	9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
780	9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe
780	9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe
3076	svchcst.exe
3076	svchcst.exe
4160	svchcst.exe
4160	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 3220	780	9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe	83
PID 780 wrote to memory of 3220	780	9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe	83
PID 780 wrote to memory of 3220	780	9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe	83
PID 3220 wrote to memory of 3076	3220	WScript.exe	90
PID 3220 wrote to memory of 3076	3220	WScript.exe	90
PID 3220 wrote to memory of 3076	3220	WScript.exe	90
PID 3076 wrote to memory of 712	3076	svchcst.exe	91
PID 3076 wrote to memory of 712	3076	svchcst.exe	91
PID 3076 wrote to memory of 712	3076	svchcst.exe	91
PID 3076 wrote to memory of 4676	3076	svchcst.exe	92
PID 3076 wrote to memory of 4676	3076	svchcst.exe	92
PID 3076 wrote to memory of 4676	3076	svchcst.exe	92
PID 4676 wrote to memory of 1680	4676	WScript.exe	95
PID 4676 wrote to memory of 1680	4676	WScript.exe	95
PID 4676 wrote to memory of 1680	4676	WScript.exe	95
PID 712 wrote to memory of 4160	712	WScript.exe	96
PID 712 wrote to memory of 4160	712	WScript.exe	96
PID 712 wrote to memory of 4160	712	WScript.exe	96

C:\Users\Admin\AppData\Local\Temp\9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe
"C:\Users\Admin\AppData\Local\Temp\9ccd86ca24848e1b9a4a3ed672434b13137497157bc05679c26086981d090b11.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:712
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4160
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
bcfeae91987626dec298c5c038abfb04

SHA1
2c7ea7acdbf34034965137514b70197e4ebd7088

SHA256
005823327be1b0ad36d6f7440043c4055cea1d55c2e49b76f5ad1b74a6ae937f

SHA512
dc7a3d195b86847964ee1ee70f3e6aa387e0ed1c96a7d5f53ec4fad6c81a5cdd2d1c5b07703041a5c1953e5536e13fc27491cc5f32a43f135028dbee3fa82422

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2f2ba636ac7973ffcf880f935b5ac0ca

SHA1
1e9e3bae3d615d3db9096fd36ea8b7e7c314aa53

SHA256
f332c04a28205d026715363ae596ad3ae9387e08547717ba8177008318cdbd27

SHA512
bc802e7f016cba1c8f271e3ec7092445b99fc04920aa84f670b30d0432ed50c07205495dbe414e3b84ffd72dffddf7dc7065e70794fdd419bfe6675a9d12d406

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
810bc175cd891072955dd88ce1dfccc2

SHA1
167fed303b5b88eeb163781a0f2490855774adff

SHA256
aadb24ee56c30b98023a4dd2f0cb75ee4138b086af422bd26c92fade339b5634

SHA512
795991a15987245f8ab8916c333c612bbdb3a88f43abbec764a062a629bc28aed7138e13ddbb3a31b831c39c1000160c558766bcac2530fecbe754dadfa8d54c

Download Submit
memory/780-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download