58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe
Size

1.1MB
MD5

76b4ecdd69ea4b912c166a958aedf825
SHA1

05ae56ed405efc7eb03b5373704c86819e1d5c26
SHA256

58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778
SHA512

0e08fb35127f9916624a578a99d736e8ffee380385b90d64ad6b9a83bbd80bf848624e6ba61eb12ce027f6fc802484659b0f7c9c1acfce671dfe2453251d83fa
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q/:CcaClSFlG4ZM7QzM4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2476	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
2476	svchcst.exe
1172	svchcst.exe
2940	svchcst.exe
1028	svchcst.exe

Loads dropped DLL 6 IoCs

pid	Process
2688	WScript.exe
2648	WScript.exe
2648	WScript.exe
2688	WScript.exe
2688	WScript.exe
628	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe
1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
1172	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe
1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe
2476	svchcst.exe
2476	svchcst.exe
1172	svchcst.exe
1172	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2648	1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe	28
PID 1284 wrote to memory of 2648	1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe	28
PID 1284 wrote to memory of 2648	1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe	28
PID 1284 wrote to memory of 2648	1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe	28
PID 1284 wrote to memory of 2688	1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe	29
PID 1284 wrote to memory of 2688	1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe	29
PID 1284 wrote to memory of 2688	1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe	29
PID 1284 wrote to memory of 2688	1284	58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe	29
PID 2648 wrote to memory of 2476	2648	WScript.exe	32
PID 2648 wrote to memory of 2476	2648	WScript.exe	32
PID 2648 wrote to memory of 2476	2648	WScript.exe	32
PID 2648 wrote to memory of 2476	2648	WScript.exe	32
PID 2688 wrote to memory of 1172	2688	WScript.exe	31
PID 2688 wrote to memory of 1172	2688	WScript.exe	31
PID 2688 wrote to memory of 1172	2688	WScript.exe	31
PID 2688 wrote to memory of 1172	2688	WScript.exe	31
PID 1172 wrote to memory of 628	1172	svchcst.exe	33
PID 1172 wrote to memory of 628	1172	svchcst.exe	33
PID 1172 wrote to memory of 628	1172	svchcst.exe	33
PID 1172 wrote to memory of 628	1172	svchcst.exe	33
PID 2688 wrote to memory of 2940	2688	WScript.exe	34
PID 2688 wrote to memory of 2940	2688	WScript.exe	34
PID 2688 wrote to memory of 2940	2688	WScript.exe	34
PID 2688 wrote to memory of 2940	2688	WScript.exe	34
PID 628 wrote to memory of 1028	628	WScript.exe	35
PID 628 wrote to memory of 1028	628	WScript.exe	35
PID 628 wrote to memory of 1028	628	WScript.exe	35
PID 628 wrote to memory of 1028	628	WScript.exe	35

C:\Users\Admin\AppData\Local\Temp\58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe
"C:\Users\Admin\AppData\Local\Temp\58effa98abfa11de0272d9a027601b8c2173cbd1f5ee73cc653102231b3de778.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2476
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b9f42b67196579be4b48ef3493e40a6d

SHA1
f0a798a4aa9401ce637b3016829d6bc178b46b36

SHA256
5af7cfef4fc0b02f32178caf67f947bc09a9631a5ec201ffa67b2f4f470bbed2

SHA512
875207383356da783c8f932da091d7c1316a0859406a388a6a4b0e641cc15326ac5134a5dc3e5299cccd6c245456483db86f5f9652fec2fa049996259d166284

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1ed8c1309e13c84b14f0b8ef2e50570a

SHA1
ce92161023cfe682a69ecc39a4c423552a71c6e6

SHA256
39c70c1fd6c8d7419ed4912f67cef3b882911e211445399d55df4b3d2afff797

SHA512
e18ba646055dbaaab19b2732c9dd27667aadc02929ab22b686bf1138565108087837db3e3dfd048bbca1015456bf234d6b6f9c2de3c2ab50ff229628705a5bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
215d1da2b82d57eedcf92e4b8add08a7

SHA1
781ee6d1417bb18806e0617e8d6ad716f0983c4a

SHA256
68a4597331fc9bc769b778d937a8f2a0645265a78fb95d50d795326ad80885a2

SHA512
3a964cb9d949a2aea6d9b9ae12d6b17814b81c29dfb1cf7800dc283f93bc71f5bb6190cab12305d8998d283035998aaf9e3c85e7ae3a289b73121181b4654e14

Download Submit
memory/1284-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download