0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe
Size

1.1MB
MD5

fb6e3ed9eab68c356e68d0a59c793975
SHA1

cc692a82518e9ab5c66664618517884d1ff83c8e
SHA256

0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11
SHA512

084db175bb7df63d5b981fc641a176e07ffb3cf9e5d10f55f1656279a4ad57b5d86870232274c366bb269f13920fe3c980fa3ddbe1cb5d34fc0707d98277b076
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qs:CcaClSFlG4ZM7QzMr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3376	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3376	svchcst.exe
208	svchcst.exe
5092	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1560	0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe
1560	0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe
3376	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1560	0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1560	0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe
1560	0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe
3376	svchcst.exe
3376	svchcst.exe
208	svchcst.exe
208	svchcst.exe
5092	svchcst.exe
5092	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3092	1560	0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe	83
PID 1560 wrote to memory of 3092	1560	0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe	83
PID 1560 wrote to memory of 3092	1560	0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe	83
PID 3092 wrote to memory of 3376	3092	WScript.exe	95
PID 3092 wrote to memory of 3376	3092	WScript.exe	95
PID 3092 wrote to memory of 3376	3092	WScript.exe	95
PID 3376 wrote to memory of 3208	3376	svchcst.exe	96
PID 3376 wrote to memory of 3208	3376	svchcst.exe	96
PID 3376 wrote to memory of 3208	3376	svchcst.exe	96
PID 3376 wrote to memory of 4160	3376	svchcst.exe	97
PID 3376 wrote to memory of 4160	3376	svchcst.exe	97
PID 3376 wrote to memory of 4160	3376	svchcst.exe	97
PID 3208 wrote to memory of 208	3208	WScript.exe	100
PID 3208 wrote to memory of 208	3208	WScript.exe	100
PID 3208 wrote to memory of 208	3208	WScript.exe	100
PID 4160 wrote to memory of 5092	4160	WScript.exe	101
PID 4160 wrote to memory of 5092	4160	WScript.exe	101
PID 4160 wrote to memory of 5092	4160	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe
"C:\Users\Admin\AppData\Local\Temp\0827ee0f0b958908b18cb466312103bd7e2626bd2edb445f81ff9c10f5e51e11.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3208
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:208
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
9e169cd1a7c2404b8c8d8f398b344f6b

SHA1
964edd084f91e26f5532122546307cbc9143ab06

SHA256
b95eb54a393c62586e64f000b1804ecf66c35cddd30fdd373d6d0f848a75f7fb

SHA512
70007ba0cbd915496aa133968e19d4249334a931f610371b192345e3f5862ac14968f56abb4c4b7264e29a62978ffd9bf10ba962c06339404c8c2a6b58a86afb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
afb479fb079180038a48456276c4800b

SHA1
dcb96e20d3322c87c25873d876042b30eb944541

SHA256
e86c4a4d0a41ea6ad8576cabee409413ee8252b68ca9860f3d0b4f9d6d569c72

SHA512
6ce451f44c8c08d46ab0b5e47d185cfc77625e12b3e85c3076a6145470f7af1fdd294658717052c52b54ab34a4428238dd668fb6cf93e3137d8d038e1ed3e37f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
766290cf2a865f696ccc66cbe682052e

SHA1
e3dcf9dc8e53fddc745d3260cb318b3739f1b561

SHA256
b48cfc5e68f671df7fa4cee078d3ff1f76769688a0bfa7ad2b2d6e90e7ac196a

SHA512
0a023acaafc2c0e8f05c4d03406735567022ecd8efb72b75d9dfa593fa9acb766d1a59abd108b6e83dd94090cc8df14ad7e6bc2d4693ada121fec67185a9e692

Download Submit
memory/1560-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download