b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5

Analysis

max time kernel
140s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
Size

1.1MB
MD5

36ecd31ccf9de49f89ef35d5142d7604
SHA1

7048aea1105dbe612bbb1201798f243715cbb1b7
SHA256

b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5
SHA512

0a6e0075828c3b32f8b5e2149c1927d489641255e5a08a400388db2396ea354d3ad3f5562281f4ec482bd6f2e7dbba101c8dae98b3a72fcb3b50734684546bfb
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QB:acallSllG4ZM7QzMi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4760	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4760	svchcst.exe
3616	svchcst.exe
1828	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
672	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
672	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe
4760	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
672	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
672	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
672	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
4760	svchcst.exe
4760	svchcst.exe
1828	svchcst.exe
3616	svchcst.exe
3616	svchcst.exe
1828	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 3340	672	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe	90
PID 672 wrote to memory of 3340	672	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe	90
PID 672 wrote to memory of 3340	672	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe	90
PID 3340 wrote to memory of 4760	3340	WScript.exe	103
PID 3340 wrote to memory of 4760	3340	WScript.exe	103
PID 3340 wrote to memory of 4760	3340	WScript.exe	103
PID 4760 wrote to memory of 4604	4760	svchcst.exe	104
PID 4760 wrote to memory of 4604	4760	svchcst.exe	104
PID 4760 wrote to memory of 4604	4760	svchcst.exe	104
PID 4760 wrote to memory of 1944	4760	svchcst.exe	105
PID 4760 wrote to memory of 1944	4760	svchcst.exe	105
PID 4760 wrote to memory of 1944	4760	svchcst.exe	105
PID 4604 wrote to memory of 3616	4604	WScript.exe	108
PID 4604 wrote to memory of 3616	4604	WScript.exe	108
PID 4604 wrote to memory of 3616	4604	WScript.exe	108
PID 1944 wrote to memory of 1828	1944	WScript.exe	109
PID 1944 wrote to memory of 1828	1944	WScript.exe	109
PID 1944 wrote to memory of 1828	1944	WScript.exe	109

C:\Users\Admin\AppData\Local\Temp\b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
"C:\Users\Admin\AppData\Local\Temp\b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3616
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1944
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8
1⤵
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
80333f29262160f6a62d1c59534d1976

SHA1
2da8151f4d6910fa59382b038115bbaeb4acf31f

SHA256
ae363f480cab6f1a7472fbb7cb9f067cb9b2adf52e57d5952d3726194a2d9e0d

SHA512
57e9e2532a4617314909ffe3eaf5e80dbed0d12e61c3e0dc4e04117281be1951123546eb43548d82da5321c8c64ca64c744016cf8a613dc2aeadeaaa0997a325

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f080eefd41c0fca1c404d5133fb5c957

SHA1
bef3f9c014eca7cf4dc001f3d85befd3681d4bcc

SHA256
758f74e1aa31de598fbf37f70ffd76f936c0b5dd2227b17c0d8e9ac4506f3aaf

SHA512
e2066e4082f51d4064bfd68eff48c97c481bbb524bb0fa2da0b5ae25bda730811d2933480a72d91a8e5c10ac794f0e793fb8323892332eb9b7c43890ee25c4d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c95386df446d8d2e6a71ddaa033656a5

SHA1
1de9ac18b217829d26fa6fb2cb21503ee8ea37e0

SHA256
05b49ba78f08313271cb50967d53c8bf411343870a35785768b8546dae2677e5

SHA512
3c05649c0ce20dfbf20de0a9524db0d8bd0fbc20579a26d79bfd0b0d4275f8dfeb4a2514195cc9feba3c82dc7962f90076d0ee8e41f070e54ec66787366e7b85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6f1bf26edca15cefdbb5fd95beb7df73

SHA1
4ccc27fc41b46d64663e772726f3c3ac4bd875a0

SHA256
c793b9ffe616786cf064e1fa16b39a8cd0b377fe1153f3a7f3666684f0d420e7

SHA512
ef2d27b7db1382991fc3224b392cc77f4cef98e7defb20b79b5e7a74e538b25b213eae316b64babe6e9996771b748881a06995052b5d633dd8e9737786d6b7e7

Download Submit
memory/672-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/672-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3616-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3616-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4760-13-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4760-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download