1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe
Size

1.1MB
MD5

1903284760cec9f3b0b39d3d3abb798b
SHA1

652f2f3fc34fee853b1536d295b90821ce58eadb
SHA256

1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d
SHA512

1966d2f1107cf52058a2dd69710f021a2bb727351c2d9767672d99ef5f4bfc8b07fa129766fa50569bfb03e69fe91a043f1d0212b4a8a550d225b889f1be277c
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QF:acallSllG4ZM7QzMe

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2840	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	svchcst.exe
3024	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2496	WScript.exe
3040	WScript.exe
3040	WScript.exe
2496	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe
2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe
2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe
2840	svchcst.exe
2840	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2496	2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe	29
PID 2292 wrote to memory of 2496	2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe	29
PID 2292 wrote to memory of 2496	2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe	29
PID 2292 wrote to memory of 2496	2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe	29
PID 2292 wrote to memory of 3040	2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe	28
PID 2292 wrote to memory of 3040	2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe	28
PID 2292 wrote to memory of 3040	2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe	28
PID 2292 wrote to memory of 3040	2292	1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe	28
PID 3040 wrote to memory of 3024	3040	WScript.exe	32
PID 3040 wrote to memory of 3024	3040	WScript.exe	32
PID 3040 wrote to memory of 3024	3040	WScript.exe	32
PID 3040 wrote to memory of 3024	3040	WScript.exe	32
PID 2496 wrote to memory of 2840	2496	WScript.exe	31
PID 2496 wrote to memory of 2840	2496	WScript.exe	31
PID 2496 wrote to memory of 2840	2496	WScript.exe	31
PID 2496 wrote to memory of 2840	2496	WScript.exe	31

C:\Users\Admin\AppData\Local\Temp\1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe
"C:\Users\Admin\AppData\Local\Temp\1ba75c39e8feb3367e2ceab48240bbe50c9d8947b695cee9789bc27e153c200d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
294165b95217b58f43a2e676f6e9cab1

SHA1
7ea52d10422b37fbb5a9381dbc30b5b80cefb508

SHA256
8c08b5a352a76d43ab3ac22352064f937011da5314f6b896a79fdbf8451a5c61

SHA512
b3b343fe2a7cbfb2aa61db64d055ccdacef77639e604f3d4f7946c4fa83a72203cec53fa513df128456f7da5e973ae9082f72f7ee6b0c2db09b003dc69d37ac2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4333b9967f831bd7243281725a6ab21f

SHA1
fc190a95136c38ba727aa79c6487847f3e40a11b

SHA256
fdc7cf0f093a436ea1c66aae453a96854eeffb4f0e82876facfe2755fd9cff3d

SHA512
e8748079bda4564ea52c31f31bf8e1ddd4ece3118810342c1727377f1c23b37eb8e8ab91ec93bf99688d2de8af7a9e0a1dd594ac88ffa784c26f4757868c27d7

Download Submit
memory/2292-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2496-18-0x00000000051A0000-0x00000000052FF000-memory.dmp

Filesize
1.4MB

Download
memory/2496-19-0x00000000051A0000-0x00000000052FF000-memory.dmp

Filesize
1.4MB

Download
memory/2840-20-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3024-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download