04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 20:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
Size

1.1MB
MD5

df50218007332c5d6d49f16bdcae4fa2
SHA1

be881b7ca19f6442e74e790233154f6c8688ce88
SHA256

04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251
SHA512

060ef08e95bb55f3db9a6f777987c50d539af47bd3f987283fc34aa7088fc94903828afbe928bb4dc87f940333d32b7bc2dfd15e6f043e7ef77b4e3a94e9c024
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q6:CcaClSFlG4ZM7QzM5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2628	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2628	svchcst.exe
1596	svchcst.exe
1692	svchcst.exe
1528	svchcst.exe
2376	svchcst.exe
452	svchcst.exe
1836	svchcst.exe
1264	svchcst.exe
2028	svchcst.exe
2624	svchcst.exe
2756	svchcst.exe
2884	svchcst.exe
2172	svchcst.exe
1784	svchcst.exe
1112	svchcst.exe
1728	svchcst.exe
360	svchcst.exe
2024	svchcst.exe
2668	svchcst.exe
548	svchcst.exe
2232	svchcst.exe
1632	svchcst.exe
1008	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2624	WScript.exe
2624	WScript.exe
2496	WScript.exe
2796	WScript.exe
2796	WScript.exe
2796	WScript.exe
2108	WScript.exe
900	WScript.exe
1356	WScript.exe
1356	WScript.exe
3028	WScript.exe
3028	WScript.exe
2612	WScript.exe
2544	WScript.exe
1632	WScript.exe
1632	WScript.exe
1008	WScript.exe
1008	WScript.exe
2412	WScript.exe
2412	WScript.exe
1360	WScript.exe
1360	WScript.exe
2184	WScript.exe
2184	WScript.exe
2824	WScript.exe
2824	WScript.exe
2904	WScript.exe
2904	WScript.exe
2456	WScript.exe
2456	WScript.exe
1492	WScript.exe
1492	WScript.exe
636	WScript.exe
636	WScript.exe
2260	WScript.exe
2260	WScript.exe
2236	WScript.exe
2236	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2040	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2040	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
2040	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
2628	svchcst.exe
2628	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
1528	svchcst.exe
1528	svchcst.exe
2376	svchcst.exe
2376	svchcst.exe
452	svchcst.exe
452	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1264	svchcst.exe
1264	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2172	svchcst.exe
2172	svchcst.exe
1784	svchcst.exe
1784	svchcst.exe
1112	svchcst.exe
1112	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
360	svchcst.exe
360	svchcst.exe
2024	svchcst.exe
2024	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
548	svchcst.exe
548	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
1632	svchcst.exe
1632	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2624	2040	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe	28
PID 2040 wrote to memory of 2624	2040	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe	28
PID 2040 wrote to memory of 2624	2040	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe	28
PID 2040 wrote to memory of 2624	2040	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe	28
PID 2624 wrote to memory of 2628	2624	WScript.exe	30
PID 2624 wrote to memory of 2628	2624	WScript.exe	30
PID 2624 wrote to memory of 2628	2624	WScript.exe	30
PID 2624 wrote to memory of 2628	2624	WScript.exe	30
PID 2628 wrote to memory of 2496	2628	svchcst.exe	31
PID 2628 wrote to memory of 2496	2628	svchcst.exe	31
PID 2628 wrote to memory of 2496	2628	svchcst.exe	31
PID 2628 wrote to memory of 2496	2628	svchcst.exe	31
PID 2496 wrote to memory of 1596	2496	WScript.exe	32
PID 2496 wrote to memory of 1596	2496	WScript.exe	32
PID 2496 wrote to memory of 1596	2496	WScript.exe	32
PID 2496 wrote to memory of 1596	2496	WScript.exe	32
PID 1596 wrote to memory of 2796	1596	svchcst.exe	33
PID 1596 wrote to memory of 2796	1596	svchcst.exe	33
PID 1596 wrote to memory of 2796	1596	svchcst.exe	33
PID 1596 wrote to memory of 2796	1596	svchcst.exe	33
PID 2796 wrote to memory of 1692	2796	WScript.exe	34
PID 2796 wrote to memory of 1692	2796	WScript.exe	34
PID 2796 wrote to memory of 1692	2796	WScript.exe	34
PID 2796 wrote to memory of 1692	2796	WScript.exe	34
PID 1692 wrote to memory of 2336	1692	svchcst.exe	35
PID 1692 wrote to memory of 2336	1692	svchcst.exe	35
PID 1692 wrote to memory of 2336	1692	svchcst.exe	35
PID 1692 wrote to memory of 2336	1692	svchcst.exe	35
PID 2796 wrote to memory of 1528	2796	WScript.exe	36
PID 2796 wrote to memory of 1528	2796	WScript.exe	36
PID 2796 wrote to memory of 1528	2796	WScript.exe	36
PID 2796 wrote to memory of 1528	2796	WScript.exe	36
PID 1528 wrote to memory of 2108	1528	svchcst.exe	37
PID 1528 wrote to memory of 2108	1528	svchcst.exe	37
PID 1528 wrote to memory of 2108	1528	svchcst.exe	37
PID 1528 wrote to memory of 2108	1528	svchcst.exe	37
PID 2108 wrote to memory of 2376	2108	WScript.exe	38
PID 2108 wrote to memory of 2376	2108	WScript.exe	38
PID 2108 wrote to memory of 2376	2108	WScript.exe	38
PID 2108 wrote to memory of 2376	2108	WScript.exe	38
PID 2376 wrote to memory of 900	2376	svchcst.exe	39
PID 2376 wrote to memory of 900	2376	svchcst.exe	39
PID 2376 wrote to memory of 900	2376	svchcst.exe	39
PID 2376 wrote to memory of 900	2376	svchcst.exe	39
PID 900 wrote to memory of 452	900	WScript.exe	40
PID 900 wrote to memory of 452	900	WScript.exe	40
PID 900 wrote to memory of 452	900	WScript.exe	40
PID 900 wrote to memory of 452	900	WScript.exe	40
PID 452 wrote to memory of 1356	452	svchcst.exe	41
PID 452 wrote to memory of 1356	452	svchcst.exe	41
PID 452 wrote to memory of 1356	452	svchcst.exe	41
PID 452 wrote to memory of 1356	452	svchcst.exe	41
PID 1356 wrote to memory of 1836	1356	WScript.exe	42
PID 1356 wrote to memory of 1836	1356	WScript.exe	42
PID 1356 wrote to memory of 1836	1356	WScript.exe	42
PID 1356 wrote to memory of 1836	1356	WScript.exe	42
PID 1836 wrote to memory of 2868	1836	svchcst.exe	43
PID 1836 wrote to memory of 2868	1836	svchcst.exe	43
PID 1836 wrote to memory of 2868	1836	svchcst.exe	43
PID 1836 wrote to memory of 2868	1836	svchcst.exe	43
PID 1356 wrote to memory of 1264	1356	WScript.exe	46
PID 1356 wrote to memory of 1264	1356	WScript.exe	46
PID 1356 wrote to memory of 1264	1356	WScript.exe	46
PID 1356 wrote to memory of 1264	1356	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
"C:\Users\Admin\AppData\Local\Temp\04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0f8917d3dc651105bf8f7356619bd8bb

SHA1
5d25fa4c3d4cb389fd19e12d82886a83660783ec

SHA256
a0a1c347e538e215f614044e26341c7e75d308255e83c9f2bc737af43e5f27e8

SHA512
60eb9f2cd8c41cd2ef4f2bb74628c0ed8b442678de208d5b684779fdc2e9f00b137aa15f2677199ed3330ff70381e77b43e4e19b31161992fa50e644c9d4e17f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c6d3daae7cb362152020047cb956dc

SHA1
4d70b60a43d37fbfea1be333aad269606ae3d3a7

SHA256
b35a71753d085b170fca9949910d93671a298e1fcc05cf0cdff308dba4d12324

SHA512
37098e0594a21439720df6adc851063d275020c7a337326cf0f83c8fce79ac210bd42c5458e49e560c4641b569be88b34ee5ee99dccba5c2655fee127c21e110

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0e6005a9dcb5a78d6fdd54527602f926

SHA1
90adc62e99f3c94c643596af0e17b5853b91fe1f

SHA256
847552b1ad30bd72f24acfe4afa5c326d3e79d7c2f147c958d72e92daca716da

SHA512
b4acfd81c1e926fcd305690aa3780bbec50460bcf947d17c20d6445faca4e774294b9da3a144207ccb3855e3ea2008a2d82ef691f32a4db6c7c3eb8202c6b568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a3b1a2435db9006df38c9e78df96e2f2

SHA1
a8a6d302d102686610f54547bdf0245b177a752f

SHA256
8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

SHA512
fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
084563ab6c59b69d89f752ecb08a52a7

SHA1
49dfbefa15a3f9d0e7f42c4bf0e7a51debb26427

SHA256
0ea6f74c56ee5b92e65efa544cd235bbdcd01a2075c87ebe7c78f04eb6eee371

SHA512
4babe6f89d8c98640275f1b72c645aad9ce3ef18c0bdd4ab35fabf0596150949375701bffaade792c5807d0db37c1d0a79b7d5f6e87ffd15f86ac553b7ac3b24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
620c10bbd12aece9e906c35782d5b7ac

SHA1
85c9830720594b58611857655b523a8fd3ee0afb

SHA256
d89386f4b8cb1e88e6367170ccba5974ff8e8da247574980eaf89f6d30282e1a

SHA512
e57fb2e732bf64c890872f579f11a43ed4ce8756d7269912bb8831afe344e6bab643e68933220f4bc42ca0914d7ae4bd19941961b69a664bb943ea8bd04615a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2134d30d7d290a119b2c86b2b6b78267

SHA1
6498d8e559fb5981cd437939de702dea49b5b580

SHA256
b5bd5d7fbca0f44cd32298be1b4915ddb087a6e745eb6a249b429c5eab4d0097

SHA512
8fd485e35bc7fd1d2a78ccf3f78f5960ab64b05dc04431f1c4993c18699c40fb5fcebf8f961696200af58cefff765bbf9861728af7b563141ab6332053a4ce49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
80d7bb4f0a522ab6f24da9cc75bfa219

SHA1
f046dc6cdc663a5c60b1a27cf8e53a160f16adba

SHA256
96fcc91dbc67877237c6336ea2c1758c64674bf21fea7484528b234a7fb295f3

SHA512
4c6b969dc5fd8495c34f53c34a4c767ef7105d6c7ee40dead5f891f0022baa6bf72b4231d6b1377dacd3a3f9985bfe8e2c0bd56ab7f4c5b644360da84e86651a

Download Submit
memory/2040-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download