dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605

General

Target

dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe
Size

1.1MB
MD5

589863e1364873fa5040635790aaef35
SHA1

9e32135db50d7937fe5a7499676bd49caaf0a45d
SHA256

dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605
SHA512

cdb2744aac0dc2fb3c9d15ae4e91a8a7500e1f9d48e79c058c287d8911f066c86ba659d7a071e77f7cd8920c812fa0e69dc279d23c257fb597553b57fcf62068
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q6:CcaClSFlG4ZM7QzMp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchcst.exeWScript.exeWScript.exedcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1092 svchcst.exe
Executes dropped EXE 3 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exe

pid process

1092 svchcst.exe
3656 svchcst.exe
3856 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1092	svchcst.exe

pid	process
1092	svchcst.exe
3656	svchcst.exe
3856	svchcst.exe

Modifies registry class 5 IoCs

Processes:

WScript.exedcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exeWScript.exesvchcst.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exesvchcst.exe

pid	process
4796	dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe
4796	dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe

pid process

4796 dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
4796	dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe
4796	dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe
1092	svchcst.exe
1092	svchcst.exe
3856	svchcst.exe
3656	svchcst.exe
3856	svchcst.exe
3656	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 4796 wrote to memory of 4684	4796	dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe	WScript.exe
PID 4796 wrote to memory of 4684	4796	dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe	WScript.exe
PID 4796 wrote to memory of 4684	4796	dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe	WScript.exe
PID 4684 wrote to memory of 1092	4684	WScript.exe	svchcst.exe
PID 4684 wrote to memory of 1092	4684	WScript.exe	svchcst.exe
PID 4684 wrote to memory of 1092	4684	WScript.exe	svchcst.exe
PID 1092 wrote to memory of 4656	1092	svchcst.exe	WScript.exe
PID 1092 wrote to memory of 4656	1092	svchcst.exe	WScript.exe
PID 1092 wrote to memory of 4656	1092	svchcst.exe	WScript.exe
PID 1092 wrote to memory of 2016	1092	svchcst.exe	WScript.exe
PID 1092 wrote to memory of 2016	1092	svchcst.exe	WScript.exe
PID 1092 wrote to memory of 2016	1092	svchcst.exe	WScript.exe
PID 4656 wrote to memory of 3656	4656	WScript.exe	svchcst.exe
PID 4656 wrote to memory of 3656	4656	WScript.exe	svchcst.exe
PID 4656 wrote to memory of 3656	4656	WScript.exe	svchcst.exe
PID 2016 wrote to memory of 3856	2016	WScript.exe	svchcst.exe
PID 2016 wrote to memory of 3856	2016	WScript.exe	svchcst.exe
PID 2016 wrote to memory of 3856	2016	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe
"C:\Users\Admin\AppData\Local\Temp\dcbf55ecf7f43a573714d31e7a16dced2280437ec8b7654f8df132c9fc497605.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3656
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4084,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
1⤵
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1710940665ed3a9988a9048353716782

SHA1
e06d0b1fd5cf071c460c4967eca20dc6b9af26aa

SHA256
65ede82a5498533ae98bb99c08a9c8b9708980db5652feb20842b7e7d8e0658f

SHA512
137fca7352e47b45aaad2c14d702395e6b14b54b699cd0036a67900e7ce5c3d13c296da742eccbe175cd9e01ec68d6346bc258a9746a8580fd6c4e41371aea8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b90f6ad02c998584bb92c970c0696288

SHA1
ca47b5243a13409597d6fbca2c77b25f3b730e02

SHA256
2ebeb9a665497783b95a590ce6acf16e4a2fb42b9d2bca2c4df87588a0790654

SHA512
d9d7d9fcaeb6048bd6957b97e7d89dcc46546de974aa250d36cdca09b831a5ebc89c274110813796617c6f816a0f2acd65a0c6498641608d31eed1406edc122d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7b1c8d0094c1fa2c272855be64770eba

SHA1
2e535beebcbd3a4f3a2827e257910e7a5efe1761

SHA256
1e3740f8d7822abf7289edce1dc98e641c15407f2509f655a770d8731cc7fab1

SHA512
4d3f5af607e12b4306e7325713d085c3c8a2979c43dea29391830e98f62a5bdb3e3196eef2fd0ef4d720f119caac2b6520f13e9b6f4da47621fa2be8e1b9ecd4

Download Submit
memory/4796-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads