55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe
Size

1.1MB
MD5

949ec719f87c42e1d250fc7e973e7836
SHA1

9d11d94a66b8cce05addb99b8634640288e78a37
SHA256

55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa
SHA512

5c13b3abb6181718cfde190258794ed3bc27c3c5d2071b2c9628264076b5afc52f82579af11f45254db925eb6bdf55d95e536a9a0d881957d934be69311347bf
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QB:acallSllG4ZM7QzMy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1408	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1408	svchcst.exe
1412	svchcst.exe
2492	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4684	55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe
4684	55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4684	55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4684	55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe
4684	55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe
1408	svchcst.exe
1408	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4756	4684	55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe	83
PID 4684 wrote to memory of 4756	4684	55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe	83
PID 4684 wrote to memory of 4756	4684	55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe	83
PID 4756 wrote to memory of 1408	4756	WScript.exe	95
PID 4756 wrote to memory of 1408	4756	WScript.exe	95
PID 4756 wrote to memory of 1408	4756	WScript.exe	95
PID 1408 wrote to memory of 4704	1408	svchcst.exe	96
PID 1408 wrote to memory of 4704	1408	svchcst.exe	96
PID 1408 wrote to memory of 4704	1408	svchcst.exe	96
PID 1408 wrote to memory of 3964	1408	svchcst.exe	97
PID 1408 wrote to memory of 3964	1408	svchcst.exe	97
PID 1408 wrote to memory of 3964	1408	svchcst.exe	97
PID 3964 wrote to memory of 1412	3964	WScript.exe	100
PID 3964 wrote to memory of 1412	3964	WScript.exe	100
PID 3964 wrote to memory of 1412	3964	WScript.exe	100
PID 4704 wrote to memory of 2492	4704	WScript.exe	101
PID 4704 wrote to memory of 2492	4704	WScript.exe	101
PID 4704 wrote to memory of 2492	4704	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe
"C:\Users\Admin\AppData\Local\Temp\55081f4720fd1404ce6b2a5f703da4ddb1cc41d60af5407b4ef42182c2d59eaa.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
9dacce1a48c9d12afe3831bb7a7695c6

SHA1
1a525c3989f57c6a99fc835a96848a8e6330fca4

SHA256
bf7244073201613c1775e4121e2a074defaf509d9280dafb0789c30d7c2ec92f

SHA512
1516625256f65e7163d0aeb39446b535a22956ec0ba974195ccb2da97ad06290886695a9d9ba2403225ecf74095568094d6e6a3adb91bfbdca95a0102164c28c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
608aea68519434d685c413b31a12c6ce

SHA1
7a62e13cab985d0588a0faea63751fd0355da7fc

SHA256
5ed3aa382febd7a4e6c3a921a5add055f6e2bbea7558b21da46752f037d52b1a

SHA512
6ddca4b85fc1b6ecb6c1081b32067eb438ed5167b48565ea449e6babb1f27a01c75599c6b0f10b29ac9278e619891588d654466ce882d8080f4d2435f450d198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e32794ca3d1212b276bbe19e5b846a3d

SHA1
955cc8bab2009563bbc1969c7046e3195d9b369e

SHA256
b1170b8645729955ef5e44703824ac8c822603f0f7023d6593061e3d48459e9e

SHA512
e0073cc84079527cf4c96ae87666a29e9a7f8df3cfb625dc47db904751632918c71ae521cb03bf380c30ffe84a996888f17ad92169c13fd14003e85d12ceb67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
50e25422f662e2f93ce42d234c2a3ec8

SHA1
e29d97277495464fbb9f33c0da033c6512f340bf

SHA256
2caab65cf174b1761728926d9c91127073494db3c5e0234cd95bb17c79e2f3e3

SHA512
3b811d1bc029607f425c6f22db60e2534a644e5696babb4abeaa41ebc6e10483ab11a82ff2804a2b2c38df53b7be436c205ec3bc0c67a62ff7b5419884cceb52

Download Submit
memory/1408-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1412-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1412-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4684-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4684-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download