7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
Size

1.1MB
MD5

4e32671a0711acaba3491dc6f6831abb
SHA1

b54015af6fe3b41bdd990f1345b29dfc59542099
SHA256

7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12
SHA512

a8d04478efdfde0dbd31aabfc2507c60b3040bf7848836676f493cc4ccaaeb6141e1b5be99e0ef4b50220bb0a6d7ca00c8edead191ed2480e88e7b6ad487c71d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzML

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3748	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3748	svchcst.exe
2648	svchcst.exe
3896	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
60	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
60	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
60	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
60	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
60	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
3748	svchcst.exe
3748	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
3896	svchcst.exe
3896	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 4692	60	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe	83
PID 60 wrote to memory of 4692	60	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe	83
PID 60 wrote to memory of 4692	60	7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe	83
PID 4692 wrote to memory of 3748	4692	WScript.exe	95
PID 4692 wrote to memory of 3748	4692	WScript.exe	95
PID 4692 wrote to memory of 3748	4692	WScript.exe	95
PID 3748 wrote to memory of 4940	3748	svchcst.exe	96
PID 3748 wrote to memory of 4940	3748	svchcst.exe	96
PID 3748 wrote to memory of 4940	3748	svchcst.exe	96
PID 3748 wrote to memory of 2444	3748	svchcst.exe	97
PID 3748 wrote to memory of 2444	3748	svchcst.exe	97
PID 3748 wrote to memory of 2444	3748	svchcst.exe	97
PID 4940 wrote to memory of 2648	4940	WScript.exe	100
PID 4940 wrote to memory of 2648	4940	WScript.exe	100
PID 4940 wrote to memory of 2648	4940	WScript.exe	100
PID 2444 wrote to memory of 3896	2444	WScript.exe	101
PID 2444 wrote to memory of 3896	2444	WScript.exe	101
PID 2444 wrote to memory of 3896	2444	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
"C:\Users\Admin\AppData\Local\Temp\7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2648
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
988ed5cdcd279cefc19a4102761b1643

SHA1
d3feea4fb669b63dbbb0d7226160f2af4a218ade

SHA256
4ee952f86b44c14f8bae5225d752acf57922ec39be0a68447c69c442cf11477f

SHA512
8f8147f1d8415fb1d06ea92fc2b73e7b1ce93556d07b46429c91fc0d8cf07dfbf2de9e467cf7ab856bb8bbe6f46029abbc486c7be970d4a9f5acd3b05fe4f513

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
67362ea815f762cdce9a985492bf5e04

SHA1
2cc916da60f8d946a346c1cab5cea7743ab0c1d4

SHA256
48fe31891303bd41d21c8ed1c1e55baa2c3207ddccce11ac7532f69b03ef086d

SHA512
65373968a0bf7040055627f8c2908f50e61ae6ef863222799201f1972abd43121647aad90d288692f025ba584dd514f6b1be6b691781214ac59f40b2cb688602

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
40135c2c749fa3579e9e4180ca163b1d

SHA1
0fb3c069540fc1ebfa9c2a859ee89e31d21d5a20

SHA256
c06b2ba7a89f46cd067a97f443db128c3a08807ec1ebc679b88523858f75588d

SHA512
fb8b5973aa092bc81ddd560f900bfa469272e555e9cd972b608a69791d9118decfabddb987e5e2ac81633e5c94e4c18c61ab4bae627353119ad400a29cedac60

Download Submit
memory/60-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/60-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3748-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3748-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3896-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3896-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download