6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
Size

1.1MB
MD5

fea8accdfb20e7974dc7f65cd644b809
SHA1

16a251f7610784026d354d59f5e94b1ef8436aff
SHA256

6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d
SHA512

6d75e0b0989437a78471e05b2471cc42c3086f937aa30cfd8a524f241f7cfe3e662079aed80178d8c415bd07f378aca5e68a7fa351439d4910852f66ccb750ca
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QY:acallSllG4ZM7QzMf

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2788	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2788	svchcst.exe
2992	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
3064	WScript.exe
2516	WScript.exe
3064	WScript.exe
2516	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
2788	svchcst.exe
2788	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2516	2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	29
PID 2888 wrote to memory of 2516	2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	29
PID 2888 wrote to memory of 2516	2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	29
PID 2888 wrote to memory of 2516	2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	29
PID 2888 wrote to memory of 3064	2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	28
PID 2888 wrote to memory of 3064	2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	28
PID 2888 wrote to memory of 3064	2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	28
PID 2888 wrote to memory of 3064	2888	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	28
PID 3064 wrote to memory of 2788	3064	WScript.exe	31
PID 3064 wrote to memory of 2788	3064	WScript.exe	31
PID 3064 wrote to memory of 2788	3064	WScript.exe	31
PID 3064 wrote to memory of 2788	3064	WScript.exe	31
PID 2516 wrote to memory of 2992	2516	WScript.exe	32
PID 2516 wrote to memory of 2992	2516	WScript.exe	32
PID 2516 wrote to memory of 2992	2516	WScript.exe	32
PID 2516 wrote to memory of 2992	2516	WScript.exe	32

C:\Users\Admin\AppData\Local\Temp\6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
"C:\Users\Admin\AppData\Local\Temp\6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4174cd325ac93bb52824a0ee96ea5105

SHA1
a81da775db4e693a793b9c42e7881e8338eb4c3e

SHA256
a96f0202d155ef17f240b0018cc7f31fac7a9c7379a3a929bf1bdda09153855b

SHA512
2d3329f585ec8e08a0f1c229d27b0eee6a24113823aeadf3897d380847046d3c2494118a48eaecd7f2c67db95a9f2513dcbcb3d199be4bdf91977c9a74162902

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
88173b03b9b592f5fc5ee1bb22df7699

SHA1
5f3061b4f45a6d32f652ff48ebddcea22077d4cb

SHA256
7e4f4811e16caef4e68b2d8b7a2889f9bd980cef4f3341ccc9d6a487b5c549f2

SHA512
bf73370b1701401b3943eaed1265a0a2311764f327ade474c84353eff2dac224540d21aa4f36d02b73d6ae1eb1bb685dac6f81df4c9beb2d64c292829c8a12ec

Download Submit
memory/2516-21-0x0000000005160000-0x00000000052BF000-memory.dmp

Filesize
1.4MB

Download
memory/2788-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2992-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2992-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-16-0x0000000005390000-0x00000000054EF000-memory.dmp

Filesize
1.4MB

Download