7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
Size

1.1MB
MD5

4e32671a0711acaba3491dc6f6831abb
SHA1

b54015af6fe3b41bdd990f1345b29dfc59542099
SHA256

7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12
SHA512

a8d04478efdfde0dbd31aabfc2507c60b3040bf7848836676f493cc4ccaaeb6141e1b5be99e0ef4b50220bb0a6d7ca00c8edead191ed2480e88e7b6ad487c71d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzML

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2428	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2428	svchcst.exe
772	svchcst.exe
2324	svchcst.exe
1372	svchcst.exe
2592	svchcst.exe
2880	svchcst.exe
1308	svchcst.exe
1936	svchcst.exe
2660	svchcst.exe
2424	svchcst.exe
1860	svchcst.exe
1752	svchcst.exe
1704	svchcst.exe
1912	svchcst.exe
2784	svchcst.exe
2948	svchcst.exe
3056	svchcst.exe
2620	svchcst.exe
1564	svchcst.exe
776	svchcst.exe
1276	svchcst.exe
2768	svchcst.exe
1412	svchcst.exe
1232	svchcst.exe

Loads dropped DLL 37 IoCs

pid	Process
2560	WScript.exe
2560	WScript.exe
2180	WScript.exe
1588	WScript.exe
1588	WScript.exe
272	WScript.exe
272	WScript.exe
276	WScript.exe
276	WScript.exe
276	WScript.exe
276	WScript.exe
2872	WScript.exe
2532	WScript.exe
2532	WScript.exe
2532	WScript.exe
1676	WScript.exe
1280	WScript.exe
1280	WScript.exe
1280	WScript.exe
928	WScript.exe
928	WScript.exe
2292	WScript.exe
2292	WScript.exe
2628	WScript.exe
2628	WScript.exe
2476	WScript.exe
2476	WScript.exe
808	WScript.exe
808	WScript.exe
340	WScript.exe
340	WScript.exe
1760	WScript.exe
1760	WScript.exe
2720	WScript.exe
2720	WScript.exe
1468	WScript.exe
1468	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2252	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
772	svchcst.exe
772	svchcst.exe
772	svchcst.exe
772	svchcst.exe
772	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2252	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2252	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
2252	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
2428	svchcst.exe
2428	svchcst.exe
772	svchcst.exe
772	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
2592	svchcst.exe
2592	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
1308	svchcst.exe
1308	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
1860	svchcst.exe
1860	svchcst.exe
1752	svchcst.exe
1752	svchcst.exe
1704	svchcst.exe
1704	svchcst.exe
1912	svchcst.exe
1912	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
1564	svchcst.exe
1564	svchcst.exe
776	svchcst.exe
776	svchcst.exe
1276	svchcst.exe
1276	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1232	svchcst.exe
1232	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2560	2252	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe	28
PID 2252 wrote to memory of 2560	2252	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe	28
PID 2252 wrote to memory of 2560	2252	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe	28
PID 2252 wrote to memory of 2560	2252	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe	28
PID 2560 wrote to memory of 2428	2560	WScript.exe	30
PID 2560 wrote to memory of 2428	2560	WScript.exe	30
PID 2560 wrote to memory of 2428	2560	WScript.exe	30
PID 2560 wrote to memory of 2428	2560	WScript.exe	30
PID 2428 wrote to memory of 2180	2428	svchcst.exe	31
PID 2428 wrote to memory of 2180	2428	svchcst.exe	31
PID 2428 wrote to memory of 2180	2428	svchcst.exe	31
PID 2428 wrote to memory of 2180	2428	svchcst.exe	31
PID 2180 wrote to memory of 772	2180	WScript.exe	32
PID 2180 wrote to memory of 772	2180	WScript.exe	32
PID 2180 wrote to memory of 772	2180	WScript.exe	32
PID 2180 wrote to memory of 772	2180	WScript.exe	32
PID 772 wrote to memory of 1588	772	svchcst.exe	33
PID 772 wrote to memory of 1588	772	svchcst.exe	33
PID 772 wrote to memory of 1588	772	svchcst.exe	33
PID 772 wrote to memory of 1588	772	svchcst.exe	33
PID 1588 wrote to memory of 2324	1588	WScript.exe	34
PID 1588 wrote to memory of 2324	1588	WScript.exe	34
PID 1588 wrote to memory of 2324	1588	WScript.exe	34
PID 1588 wrote to memory of 2324	1588	WScript.exe	34
PID 2324 wrote to memory of 556	2324	svchcst.exe	35
PID 2324 wrote to memory of 556	2324	svchcst.exe	35
PID 2324 wrote to memory of 556	2324	svchcst.exe	35
PID 2324 wrote to memory of 556	2324	svchcst.exe	35
PID 1588 wrote to memory of 1372	1588	WScript.exe	36
PID 1588 wrote to memory of 1372	1588	WScript.exe	36
PID 1588 wrote to memory of 1372	1588	WScript.exe	36
PID 1588 wrote to memory of 1372	1588	WScript.exe	36
PID 1372 wrote to memory of 272	1372	svchcst.exe	37
PID 1372 wrote to memory of 272	1372	svchcst.exe	37
PID 1372 wrote to memory of 272	1372	svchcst.exe	37
PID 1372 wrote to memory of 272	1372	svchcst.exe	37
PID 272 wrote to memory of 2592	272	WScript.exe	38
PID 272 wrote to memory of 2592	272	WScript.exe	38
PID 272 wrote to memory of 2592	272	WScript.exe	38
PID 272 wrote to memory of 2592	272	WScript.exe	38
PID 2592 wrote to memory of 276	2592	svchcst.exe	39
PID 2592 wrote to memory of 276	2592	svchcst.exe	39
PID 2592 wrote to memory of 276	2592	svchcst.exe	39
PID 2592 wrote to memory of 276	2592	svchcst.exe	39
PID 272 wrote to memory of 2880	272	WScript.exe	40
PID 272 wrote to memory of 2880	272	WScript.exe	40
PID 272 wrote to memory of 2880	272	WScript.exe	40
PID 272 wrote to memory of 2880	272	WScript.exe	40
PID 276 wrote to memory of 1308	276	WScript.exe	41
PID 276 wrote to memory of 1308	276	WScript.exe	41
PID 276 wrote to memory of 1308	276	WScript.exe	41
PID 276 wrote to memory of 1308	276	WScript.exe	41
PID 2880 wrote to memory of 3036	2880	svchcst.exe	42
PID 2880 wrote to memory of 3036	2880	svchcst.exe	42
PID 2880 wrote to memory of 3036	2880	svchcst.exe	42
PID 2880 wrote to memory of 3036	2880	svchcst.exe	42
PID 276 wrote to memory of 1936	276	WScript.exe	45
PID 276 wrote to memory of 1936	276	WScript.exe	45
PID 276 wrote to memory of 1936	276	WScript.exe	45
PID 276 wrote to memory of 1936	276	WScript.exe	45
PID 1936 wrote to memory of 2168	1936	svchcst.exe	46
PID 1936 wrote to memory of 2168	1936	svchcst.exe	46
PID 1936 wrote to memory of 2168	1936	svchcst.exe	46
PID 1936 wrote to memory of 2168	1936	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
"C:\Users\Admin\AppData\Local\Temp\7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8ff9269f0a87aaf29e707ac354505e61

SHA1
68c900e567a236096ac8c812cb14dec97e3e088c

SHA256
ed84c3ff01194f8f55c30fb4f5685d4f74c186732e01e20d9909fb7a63ebb7d1

SHA512
5980c8ca52c3c047380b9aabced91699a68228bf8e5d545ff3105bdc5c469f30f7e490f459e2e8bc57f088d904ae0fb3e3167dfa0cd84b83b3d8e78402e8ae9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ab2d80c82df74c14a30f5ace542dfe5a

SHA1
1b00a090ea1562f75ec3869ce4be5fbcc2638ccc

SHA256
e53d6abb84b51987cb68402996d5b66c1de838404d12924d517680cba90dbdcc

SHA512
cf205d8c104106cef1688e7db02a437060f012fb4d672b004782be96cd38ae6d3e7e609d8ffa7823fd4fe81bead745b285b9c0fd769be6b289c9b028890fc229

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f578ab600288cfd8d3edfe4505f7a866

SHA1
bcb794f61fecca85524bb700fac2530c14aa3699

SHA256
692efb4884b9cc2a8600e2ebb05291a90b2b2c67bfd6399fa13581c9a26eeb21

SHA512
a3f90be9805966c8122561a2576fb3313ae6b912a3e83a96215cd99417ba060e83614868e95e430ad31fb4323689053111fbdba14d8756b76a3edc0bad48c77c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
37e185c38e545bb173b5d39d609b83ed

SHA1
6edcd74b7134f2daa142216aa5970baeb2368779

SHA256
094db63a5ec2cde69380a09062a5762fefbf7c75623ca794c74a7b9ac1f1b014

SHA512
57ee9277da6e559e751c7aef46118cc3dd1122b7d64723b9d6f66cec73fe7ffb9215d9ef06b99649a1176f3768a082957de7b9ae91428df7d7822ae3033b2b56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e8e071f152204533c10ae07ad16e12f4

SHA1
4236f6a96b27173646d2b220155913340e4bc5b0

SHA256
4a6e99ce6180d9360b682bb8572883a85f06d2a8c96e1a08f259ee4c32a9f01d

SHA512
21c379c6ed04eb5dd455e16c86804df2d8084cff284427faed7ba0a7701f55de498437f292582d1898a499b299f407392eefd736293b29dd6576a9a6db42520a

Download Submit
memory/276-78-0x0000000005DB0000-0x0000000005F0F000-memory.dmp

Filesize
1.4MB

Download
memory/276-135-0x0000000005DB0000-0x0000000005F0F000-memory.dmp

Filesize
1.4MB

Download
memory/340-220-0x0000000005B80000-0x0000000005CDF000-memory.dmp

Filesize
1.4MB

Download
memory/772-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/772-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/776-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/776-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/808-211-0x0000000005D00000-0x0000000005E5F000-memory.dmp

Filesize
1.4MB

Download
memory/808-210-0x0000000005D00000-0x0000000005E5F000-memory.dmp

Filesize
1.4MB

Download
memory/928-201-0x0000000005C50000-0x0000000005DAF000-memory.dmp

Filesize
1.4MB

Download
memory/1232-250-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1276-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1276-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1280-192-0x0000000005CB0000-0x0000000005E0F000-memory.dmp

Filesize
1.4MB

Download
memory/1308-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1372-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1372-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1412-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1412-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1564-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1564-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1704-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1704-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1752-139-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1752-147-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-231-0x0000000004870000-0x00000000049CF000-memory.dmp

Filesize
1.4MB

Download
memory/1760-230-0x0000000004870000-0x00000000049CF000-memory.dmp

Filesize
1.4MB

Download
memory/1860-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1936-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1936-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2532-136-0x0000000005AA0000-0x0000000005BFF000-memory.dmp

Filesize
1.4MB

Download
memory/2532-137-0x0000000005AA0000-0x0000000005BFF000-memory.dmp

Filesize
1.4MB

Download
memory/2560-14-0x0000000004430000-0x000000000458F000-memory.dmp

Filesize
1.4MB

Download
memory/2592-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2592-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2628-221-0x0000000004210000-0x000000000436F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-240-0x00000000042A0000-0x00000000043FF000-memory.dmp

Filesize
1.4MB

Download
memory/2720-241-0x00000000042A0000-0x00000000043FF000-memory.dmp

Filesize
1.4MB

Download
memory/2768-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2768-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2784-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2784-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-84-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download