04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251

Analysis

max time kernel
92s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
Size

1.1MB
MD5

df50218007332c5d6d49f16bdcae4fa2
SHA1

be881b7ca19f6442e74e790233154f6c8688ce88
SHA256

04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251
SHA512

060ef08e95bb55f3db9a6f777987c50d539af47bd3f987283fc34aa7088fc94903828afbe928bb4dc87f940333d32b7bc2dfd15e6f043e7ef77b4e3a94e9c024
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q6:CcaClSFlG4ZM7QzM5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2296	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2296	svchcst.exe
4684	svchcst.exe
3588	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4236	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
4236	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4236	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4236	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
4236	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
2296	svchcst.exe
2296	svchcst.exe
4684	svchcst.exe
4684	svchcst.exe
3588	svchcst.exe
3588	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 768	4236	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe	83
PID 4236 wrote to memory of 768	4236	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe	83
PID 4236 wrote to memory of 768	4236	04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe	83
PID 768 wrote to memory of 2296	768	WScript.exe	92
PID 768 wrote to memory of 2296	768	WScript.exe	92
PID 768 wrote to memory of 2296	768	WScript.exe	92
PID 2296 wrote to memory of 2928	2296	svchcst.exe	93
PID 2296 wrote to memory of 2928	2296	svchcst.exe	93
PID 2296 wrote to memory of 2928	2296	svchcst.exe	93
PID 2296 wrote to memory of 2372	2296	svchcst.exe	94
PID 2296 wrote to memory of 2372	2296	svchcst.exe	94
PID 2296 wrote to memory of 2372	2296	svchcst.exe	94
PID 2928 wrote to memory of 4684	2928	WScript.exe	98
PID 2928 wrote to memory of 4684	2928	WScript.exe	98
PID 2928 wrote to memory of 4684	2928	WScript.exe	98
PID 2372 wrote to memory of 3588	2372	WScript.exe	97
PID 2372 wrote to memory of 3588	2372	WScript.exe	97
PID 2372 wrote to memory of 3588	2372	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe
"C:\Users\Admin\AppData\Local\Temp\04ab55c8ba124e2e05e7144050d2dbfeabe0d1d2a72e23338088461aaff20251.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4684
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c5004d4b36c4b0a9753978154878953d

SHA1
d8c0e9eed024468a776906aeafe938ee20fdf2fe

SHA256
0cb91df5a24d4698f4c6fe11b41740f8cd1fa037d8c2a60e3b2e3cbdfdfeafb2

SHA512
00a7111738535bce3bc40a57605b99730979ff8330a629512564759c7d2eae12324464cbb644027061004d97687113b12d1a576f4314d7f49bd1e4862158f887

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ee35194fa07bea6145178b37a18edb25

SHA1
7cbe9989cbc0090cc0ab534c7aa77d64d959e489

SHA256
e323603a594cf3a7e03aea20d2ab69a17040a02f256ac1e3fe02f8a36889a483

SHA512
d292e22575da17d694a33d6132cea65ca1c58a16bd2532dd24db161d2a77cf233039ed1b66b48868210f4d0ffff16678db3be341eca044432b8087b520e59f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7bea19a733b3fb65261567a65a690947

SHA1
646446e907eb66e4609971b6672ec4911cfe0884

SHA256
28ad54d7d0545449db23ac60a6061fb9f62c803b58a7ad76390b73fa70b24164

SHA512
18d0e45aed2def898b1bf731aec8b757dae29f588f34323f80bf5fe1df0353bf4d91cc68a1a1acda76062641c2b09a625a099041145e464c8c716036c1c5991f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
26de1bf619ea65cf976fb3c5f96ff058

SHA1
0f3fbbcbb48274861c489ff578ff7cacbd055c2b

SHA256
ebd8a378ac1e03631b4501fe70a06e1f32d5ba49ff071ef2a2f0dfe9c9a79b6c

SHA512
7ca9abd348921e8db72035ff6652a8363b720d7d85d82438ae1a8c9fa24a89359a34d887ed45130443b5a1f3b35f17feb6dba9795e22957ae4a12c7837e25a12

Download Submit
memory/4236-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download