5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exe
Size

1.1MB
MD5

07988e6eaa43616bdcde45d4e72fb17b
SHA1

7b4a662c951c7887fde4fb99c058df87325b8452
SHA256

5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66
SHA512

a87d5c6df2c233503c02990699e9a70cb7fe13502283a7906310b29ae362f7cd40d009f8d29fa849eca5d6009d4525896df2a5f1029e86e4cec6f4613dda4a10
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qt:acallSllG4ZM7QzMW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1200 svchcst.exe
Executes dropped EXE 6 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid process

1200 svchcst.exe
2568 svchcst.exe
768 svchcst.exe
1832 svchcst.exe
112 svchcst.exe
1492 svchcst.exe
Loads dropped DLL 8 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid process

3048 WScript.exe
3048 WScript.exe
2540 WScript.exe
2540 WScript.exe
2716 WScript.exe
2772 WScript.exe
2896 WScript.exe
2772 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1200	svchcst.exe

pid	process
1200	svchcst.exe
2568	svchcst.exe
768	svchcst.exe
1832	svchcst.exe
112	svchcst.exe
1492	svchcst.exe

pid	process
3048	WScript.exe
3048	WScript.exe
2540	WScript.exe
2540	WScript.exe
2716	WScript.exe
2772	WScript.exe
2896	WScript.exe
2772	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exesvchcst.exesvchcst.exe

pid	process
1804	5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exe

pid process

1804 5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
1804	5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exe
1804	5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exe
1200	svchcst.exe
1200	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
768	svchcst.exe
768	svchcst.exe
1832	svchcst.exe
1832	svchcst.exe
112	svchcst.exe
112	svchcst.exe
1492	svchcst.exe
1492	svchcst.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 1804 wrote to memory of 3048	1804	5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exe	WScript.exe
PID 1804 wrote to memory of 3048	1804	5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exe	WScript.exe
PID 1804 wrote to memory of 3048	1804	5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exe	WScript.exe
PID 1804 wrote to memory of 3048	1804	5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exe	WScript.exe
PID 3048 wrote to memory of 1200	3048	WScript.exe	svchcst.exe
PID 3048 wrote to memory of 1200	3048	WScript.exe	svchcst.exe
PID 3048 wrote to memory of 1200	3048	WScript.exe	svchcst.exe
PID 3048 wrote to memory of 1200	3048	WScript.exe	svchcst.exe
PID 1200 wrote to memory of 2540	1200	svchcst.exe	WScript.exe
PID 1200 wrote to memory of 2540	1200	svchcst.exe	WScript.exe
PID 1200 wrote to memory of 2540	1200	svchcst.exe	WScript.exe
PID 1200 wrote to memory of 2540	1200	svchcst.exe	WScript.exe
PID 2540 wrote to memory of 2568	2540	WScript.exe	svchcst.exe
PID 2540 wrote to memory of 2568	2540	WScript.exe	svchcst.exe
PID 2540 wrote to memory of 2568	2540	WScript.exe	svchcst.exe
PID 2540 wrote to memory of 2568	2540	WScript.exe	svchcst.exe
PID 2568 wrote to memory of 2716	2568	svchcst.exe	WScript.exe
PID 2568 wrote to memory of 2716	2568	svchcst.exe	WScript.exe
PID 2568 wrote to memory of 2716	2568	svchcst.exe	WScript.exe
PID 2568 wrote to memory of 2716	2568	svchcst.exe	WScript.exe
PID 2716 wrote to memory of 768	2716	WScript.exe	svchcst.exe
PID 2716 wrote to memory of 768	2716	WScript.exe	svchcst.exe
PID 2716 wrote to memory of 768	2716	WScript.exe	svchcst.exe
PID 2716 wrote to memory of 768	2716	WScript.exe	svchcst.exe
PID 768 wrote to memory of 2772	768	svchcst.exe	WScript.exe
PID 768 wrote to memory of 2772	768	svchcst.exe	WScript.exe
PID 768 wrote to memory of 2772	768	svchcst.exe	WScript.exe
PID 768 wrote to memory of 2772	768	svchcst.exe	WScript.exe
PID 2772 wrote to memory of 1832	2772	WScript.exe	svchcst.exe
PID 2772 wrote to memory of 1832	2772	WScript.exe	svchcst.exe
PID 2772 wrote to memory of 1832	2772	WScript.exe	svchcst.exe
PID 2772 wrote to memory of 1832	2772	WScript.exe	svchcst.exe
PID 1832 wrote to memory of 2896	1832	svchcst.exe	WScript.exe
PID 1832 wrote to memory of 2896	1832	svchcst.exe	WScript.exe
PID 1832 wrote to memory of 2896	1832	svchcst.exe	WScript.exe
PID 1832 wrote to memory of 2896	1832	svchcst.exe	WScript.exe
PID 2896 wrote to memory of 112	2896	WScript.exe	svchcst.exe
PID 2896 wrote to memory of 112	2896	WScript.exe	svchcst.exe
PID 2896 wrote to memory of 112	2896	WScript.exe	svchcst.exe
PID 2896 wrote to memory of 112	2896	WScript.exe	svchcst.exe
PID 2772 wrote to memory of 1492	2772	WScript.exe	svchcst.exe
PID 2772 wrote to memory of 1492	2772	WScript.exe	svchcst.exe
PID 2772 wrote to memory of 1492	2772	WScript.exe	svchcst.exe
PID 2772 wrote to memory of 1492	2772	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exe
"C:\Users\Admin\AppData\Local\Temp\5fe489ecf0414c8a67d43224c92a027920d534b4bf37ff5c4aa67519637ace66.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:112

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
293b23504d5e8800cf9d507cc8a63665

SHA1
2b213b4b8935805f4deb27f7e2cb1d1aeb51f541

SHA256
c7b6619c105f62a895e5dc90bc5d45812ef1a0a3cb5fa08979a265b72079d817

SHA512
2a4718010296414766ca237e8428ac10e9c4618c7f00b371a8affe228c4698ddbf61d9b3ae29b2e429149179f00d1565e765ca2699f9f050102319b5cf5defba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b9f42b67196579be4b48ef3493e40a6d

SHA1
f0a798a4aa9401ce637b3016829d6bc178b46b36

SHA256
5af7cfef4fc0b02f32178caf67f947bc09a9631a5ec201ffa67b2f4f470bbed2

SHA512
875207383356da783c8f932da091d7c1316a0859406a388a6a4b0e641cc15326ac5134a5dc3e5299cccd6c245456483db86f5f9652fec2fa049996259d166284

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
50fad882d710fa132c3b66cf6f204afa

SHA1
3e037041aa5271a0582ebc1db1d42fa801177a0e

SHA256
d5a57265b70e5590cce17bd51b7693189be59f7e03676d5bab5157ad526de465

SHA512
f831596e7cb19d17bf87ed0b3f51f1be71dcfe77c9452957cdb7878546523e23b377e930abfd53ed48ca8de84490d27f532820e44c2181d200e68cc48097343c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
241adebb68fe83b159d113f3b73b90c6

SHA1
ec2ebc8742aebba14f8deaaa215f5bb9218489b7

SHA256
7e7338568be5c3389b36d12e6721ff6ea3993a8fd5ec381adf29d904ffa24b72

SHA512
9ef108ca58bcca822bfa1de2dc45e94bd669f8db8852bea0b497c6ae2be692e50e859b205a185912b925863af11f70d2705755bd5fed6e0d0fd6d0a4f861071c

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/112-64-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/112-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/768-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/768-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1200-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1200-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1492-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1492-68-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1832-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1832-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-70-0x0000000005B90000-0x0000000005CEF000-memory.dmp

Filesize
1.4MB

Download