71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 22:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe
Size

1.1MB
MD5

022ac5dfc456dacd5a2b1c2f1726dc8c
SHA1

480fff24d3352ca3aae873894f1d9d02715c594b
SHA256

71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e
SHA512

64e0b266bf5a70510debb32759b7621b87839b05284efe29d306d943a3cee4ecfd11f62a43fb4b363ad953c91d785c65db4d6c7704f15e7bbe5e1f6bc9c3f6fa
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QD:CcaClSFlG4ZM7QzMk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3172	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3172	svchcst.exe
4136	svchcst.exe
4288	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3984	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe
3984	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe
3172	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3984	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3984	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe
3984	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe
3172	svchcst.exe
3172	svchcst.exe
4136	svchcst.exe
4136	svchcst.exe
4288	svchcst.exe
4288	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 1528	3984	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe	83
PID 3984 wrote to memory of 1528	3984	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe	83
PID 3984 wrote to memory of 1528	3984	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe	83
PID 1528 wrote to memory of 3172	1528	WScript.exe	95
PID 1528 wrote to memory of 3172	1528	WScript.exe	95
PID 1528 wrote to memory of 3172	1528	WScript.exe	95
PID 3172 wrote to memory of 4372	3172	svchcst.exe	96
PID 3172 wrote to memory of 4372	3172	svchcst.exe	96
PID 3172 wrote to memory of 4372	3172	svchcst.exe	96
PID 3172 wrote to memory of 4904	3172	svchcst.exe	97
PID 3172 wrote to memory of 4904	3172	svchcst.exe	97
PID 3172 wrote to memory of 4904	3172	svchcst.exe	97
PID 4904 wrote to memory of 4136	4904	WScript.exe	100
PID 4904 wrote to memory of 4136	4904	WScript.exe	100
PID 4904 wrote to memory of 4136	4904	WScript.exe	100
PID 4372 wrote to memory of 4288	4372	WScript.exe	101
PID 4372 wrote to memory of 4288	4372	WScript.exe	101
PID 4372 wrote to memory of 4288	4372	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe
"C:\Users\Admin\AppData\Local\Temp\71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4288
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
f9137e45c9c5c0cac1270e67402c7610

SHA1
d48d4bd979eeac86f72967bdc00b70a96e3d8954

SHA256
425347ed1102d4e6b1aefe299f3d05626113931be94699c865ecdd8df44346b8

SHA512
fd1bf2144ea21c157920956eabbf530b414b86f3f7833949eeae5c2ef37e8b1705b9ffbfaeb6ab44e2d8d52ca03f0528f8d85eeca98267339b41f1d8e88b6424

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b9b77a745eb15ba47fee80b3704dedaa

SHA1
304bc667214a55942f29ddc6bc11822782f0caaf

SHA256
ceee8da451a27f809d9653db001c60c0c70b4960b7b36afb2f87f27740177785

SHA512
d5dac8182078f515a62db0ebc241fb30bd7683444068fd8c83607605a43aa54148f6d9328a5da399e700be2ef86a0c245245952c794487ca1d604ebf1163de10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
485908b1dc04b7caf47e29132763c699

SHA1
0beb05889310281b10ba982b2d82287cf893064b

SHA256
4353db4974e42ba25f0c9b866ba19d8f4ffe277a47b51363189a206dbc50990c

SHA512
5dd1ef6cc79dbea580294d51100823cde59e2ea69e47db71357c5ae8c69df114f076e7941670de92542a690319262556d9498677cae5ea239e3a7b419081d557

Download Submit
memory/3984-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download