b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49

General

Target

b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe
Size

1.1MB
MD5

f52fe11c4bce7147a8ee6ef67218b00b
SHA1

418492ccf8b82e5521813e1e5c9267b540de5229
SHA256

b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49
SHA512

256ec3999b6e25cb244056ecc386421fb817e1e86c2c7b93f331f925bb90f95bd80b57b844c85ac9d27291c5e8d15d8c41f041be91ff58c753edd9b8d4ffe839
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q2:CcaClSFlG4ZM7QzMd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchcst.exeWScript.exeWScript.exesvchcst.exeWScript.exeWScript.exeb29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2884 svchcst.exe
Executes dropped EXE 4 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid process

2884 svchcst.exe
2068 svchcst.exe
380 svchcst.exe
4348 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2884	svchcst.exe

pid	process
2884	svchcst.exe
2068	svchcst.exe
380	svchcst.exe
4348	svchcst.exe

Modifies registry class 8 IoCs

Processes:

WScript.exeWScript.exeb29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exeWScript.exesvchcst.exeWScript.exeWScript.exesvchcst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exesvchcst.exe

pid	process
2504	b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe
2504	b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe
2504	b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe
2504	b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe

pid process

2504 b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2504	b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe
2504	b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe
2884	svchcst.exe
2884	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
4348	svchcst.exe
4348	svchcst.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 2504 wrote to memory of 4396	2504	b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe	WScript.exe
PID 2504 wrote to memory of 4396	2504	b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe	WScript.exe
PID 2504 wrote to memory of 4396	2504	b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe	WScript.exe
PID 4396 wrote to memory of 2884	4396	WScript.exe	svchcst.exe
PID 4396 wrote to memory of 2884	4396	WScript.exe	svchcst.exe
PID 4396 wrote to memory of 2884	4396	WScript.exe	svchcst.exe
PID 2884 wrote to memory of 4816	2884	svchcst.exe	WScript.exe
PID 2884 wrote to memory of 4816	2884	svchcst.exe	WScript.exe
PID 2884 wrote to memory of 4816	2884	svchcst.exe	WScript.exe
PID 2884 wrote to memory of 1920	2884	svchcst.exe	WScript.exe
PID 2884 wrote to memory of 1920	2884	svchcst.exe	WScript.exe
PID 2884 wrote to memory of 1920	2884	svchcst.exe	WScript.exe
PID 4816 wrote to memory of 2068	4816	WScript.exe	svchcst.exe
PID 4816 wrote to memory of 2068	4816	WScript.exe	svchcst.exe
PID 4816 wrote to memory of 2068	4816	WScript.exe	svchcst.exe
PID 2068 wrote to memory of 884	2068	svchcst.exe	WScript.exe
PID 2068 wrote to memory of 884	2068	svchcst.exe	WScript.exe
PID 2068 wrote to memory of 884	2068	svchcst.exe	WScript.exe
PID 2068 wrote to memory of 3656	2068	svchcst.exe	WScript.exe
PID 2068 wrote to memory of 3656	2068	svchcst.exe	WScript.exe
PID 2068 wrote to memory of 3656	2068	svchcst.exe	WScript.exe
PID 3656 wrote to memory of 380	3656	WScript.exe	svchcst.exe
PID 3656 wrote to memory of 380	3656	WScript.exe	svchcst.exe
PID 3656 wrote to memory of 380	3656	WScript.exe	svchcst.exe
PID 884 wrote to memory of 4348	884	WScript.exe	svchcst.exe
PID 884 wrote to memory of 4348	884	WScript.exe	svchcst.exe
PID 884 wrote to memory of 4348	884	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe
"C:\Users\Admin\AppData\Local\Temp\b29f475ff9973b9540c42126f99c37e35c5a1017ce14d4dbe7ecddb9a3c8be49.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4348
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        
        PID:380
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b0ad2d67fd5e3c61f5b7146407120c86

SHA1
c74d0ebde5d90251a84c50821f40e525678f98b0

SHA256
da56d4699dadd75e18e4297c6da6efab9d746238ea8c4c60d463c629a5cf9538

SHA512
ddc18e7778756d30940c6105e1dc28c9e43478c4a090b34acf6583deb2c2a486768f8954f3268c21ad61518fa414e5317e17028c83149cca785e583cb7427e6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
46fa591a80915c680ccdf3bc0793b561

SHA1
5c010431e4334732cd3dc71b8de0597a3f71a64e

SHA256
1b8a5ee4cd60a9d9fe4d5c17870d87bfc7b8976d44a00362a1e642db7a2125fd

SHA512
570b9869e01b32d69cbe66845f9097d0c351d5373ffb25fe35450c23847415b613876f29454ceb73e2efdd123679839862a5a155616409e3e3b118b2cf867d1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9c49c6b47e14a8b714deca178da8b4f9

SHA1
e9d16ee192ff4293a7708615ff3257c8d8797fc8

SHA256
0a4bb623aab91e41fe3d444ed049d48570c6e418f645b671e6c027ff7ff51393

SHA512
450aa3955379172ce2e9f299da7395dbd02edf2fd3aaaa9d3db8195fc09fe2bd653bcb973a16373ceffba974f4fcf917ac0ca9dedd90282b85310e9cf0f17563

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
03cc4fbb410c6b284ee9e0821ebf4364

SHA1
0f1862f0f40caccee1d0828b5f173c63391df8aa

SHA256
484002468e2b633a66110b2d41d64c87f3c5852887910269361bdc769e4d21dd

SHA512
2cc6966b799743b12e6408121c2b171c3e99649ad539ee82c2f44923488ed88a006d7d38d836983c3d1e723d73eab30d4b9d0bc223ef4794fef98028b23d60fa

Download Submit
memory/2504-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads