6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d

Analysis

max time kernel
137s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
Size

1.1MB
MD5

fea8accdfb20e7974dc7f65cd644b809
SHA1

16a251f7610784026d354d59f5e94b1ef8436aff
SHA256

6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d
SHA512

6d75e0b0989437a78471e05b2471cc42c3086f937aa30cfd8a524f241f7cfe3e662079aed80178d8c415bd07f378aca5e68a7fa351439d4910852f66ccb750ca
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QY:acallSllG4ZM7QzMf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe

Deletes itself 1 IoCs

pid	Process
536	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
536	svchcst.exe
2956	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe
536	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
2956	svchcst.exe
536	svchcst.exe
536	svchcst.exe
2956	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 3652	4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	82
PID 4424 wrote to memory of 3652	4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	82
PID 4424 wrote to memory of 3652	4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	82
PID 4424 wrote to memory of 3456	4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	83
PID 4424 wrote to memory of 3456	4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	83
PID 4424 wrote to memory of 3456	4424	6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe	83
PID 3456 wrote to memory of 536	3456	WScript.exe	95
PID 3652 wrote to memory of 2956	3652	WScript.exe	94
PID 3456 wrote to memory of 536	3456	WScript.exe	95
PID 3456 wrote to memory of 536	3456	WScript.exe	95
PID 3652 wrote to memory of 2956	3652	WScript.exe	94
PID 3652 wrote to memory of 2956	3652	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
"C:\Users\Admin\AppData\Local\Temp\6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3eb7394abf0b4785d74200d2963d3941

SHA1
a4c129c683fb66eef7f4d51e9e246cd1fb5798b9

SHA256
216eab52f7fbfaf22ecff9ede995e57f6f0d5b814bb152e0adc214be8c121272

SHA512
7eaa7499d6bbd4e9ff46f8c54b51dccb4fd1683f9d5e1c3485d1c06059e866a3a59aed10f46e3d653057bec22da29aabb7b995fa7aeaf750eda6917359da6761

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
198ecba2d640933a82102f97473f632a

SHA1
cb1163f1f9f32ed24bf36fdfca76e632f0c3bca8

SHA256
9123163601de5b41ceb82429ccee028d9d2d0340d88d83ed2cfa898b61a6d136

SHA512
fcbfabb49f8d0eb01a79811fa6a12c2646a4087e227ab0e0f30c0b6779c3c9c381e47146878791376e53e68a24e493d6e839e33bd9578e651e383b886b6be793

Download Submit
memory/536-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2956-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2956-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4424-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4424-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download