10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1

Analysis

max time kernel
137s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
Size

1.1MB
MD5

5666f2fc8a62cb272fe59420d50907d1
SHA1

09b65e423d220d5c85c636ba78249aadc67be8f5
SHA256

10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1
SHA512

71129cae2e22df79bd007d0db278ae4453b531fd3fea056973c7ae49ec7884ab44a8584e2a0fd2468a3d12e034cb44abd23ded242c84e03d18b28f96dc117b61
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qo:CcaClSFlG4ZM7QzM/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchcst.exeWScript.exesvchcst.exesvchcst.exe10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1296 svchcst.exe
Executes dropped EXE 5 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid process

1296 svchcst.exe
1560 svchcst.exe
2252 svchcst.exe
1392 svchcst.exe
4976 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1296	svchcst.exe

pid	process
1296	svchcst.exe
1560	svchcst.exe
2252	svchcst.exe
1392	svchcst.exe
4976	svchcst.exe

Modifies registry class 11 IoCs

Processes:

WScript.exe10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exesvchcst.exeWScript.exesvchcst.exesvchcst.exeWScript.exesvchcst.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exesvchcst.exe

pid	process
740	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
740	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe

pid process

740 10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
740	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
740	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
1296	svchcst.exe
1296	svchcst.exe
4388	svchcst.exe
4388	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
1392	svchcst.exe
4976	svchcst.exe
1392	svchcst.exe
4976	svchcst.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exeWScript.exesvchcst.exeWScript.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 740 wrote to memory of 5060	740	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe	WScript.exe
PID 740 wrote to memory of 5060	740	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe	WScript.exe
PID 740 wrote to memory of 5060	740	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe	WScript.exe
PID 5060 wrote to memory of 1296	5060	WScript.exe	svchcst.exe
PID 5060 wrote to memory of 1296	5060	WScript.exe	svchcst.exe
PID 5060 wrote to memory of 1296	5060	WScript.exe	svchcst.exe
PID 1296 wrote to memory of 4216	1296	svchcst.exe	WScript.exe
PID 1296 wrote to memory of 4216	1296	svchcst.exe	WScript.exe
PID 1296 wrote to memory of 4216	1296	svchcst.exe	WScript.exe
PID 4216 wrote to memory of 1560	4216	WScript.exe	svchcst.exe
PID 4216 wrote to memory of 1560	4216	WScript.exe	svchcst.exe
PID 4216 wrote to memory of 1560	4216	WScript.exe	svchcst.exe
PID 2456 wrote to memory of 4388	2456	WScript.exe	svchcst.exe
PID 2456 wrote to memory of 4388	2456	WScript.exe	svchcst.exe
PID 2456 wrote to memory of 4388	2456	WScript.exe	svchcst.exe
PID 4388 wrote to memory of 3508	4388	svchcst.exe	WScript.exe
PID 4388 wrote to memory of 3508	4388	svchcst.exe	WScript.exe
PID 4388 wrote to memory of 3508	4388	svchcst.exe	WScript.exe
PID 4388 wrote to memory of 2184	4388	svchcst.exe	WScript.exe
PID 4388 wrote to memory of 2184	4388	svchcst.exe	WScript.exe
PID 4388 wrote to memory of 2184	4388	svchcst.exe	WScript.exe
PID 2184 wrote to memory of 2252	2184	WScript.exe	svchcst.exe
PID 2184 wrote to memory of 2252	2184	WScript.exe	svchcst.exe
PID 2184 wrote to memory of 2252	2184	WScript.exe	svchcst.exe
PID 2252 wrote to memory of 3504	2252	svchcst.exe	WScript.exe
PID 2252 wrote to memory of 4880	2252	svchcst.exe	WScript.exe
PID 2252 wrote to memory of 3504	2252	svchcst.exe	WScript.exe
PID 2252 wrote to memory of 3504	2252	svchcst.exe	WScript.exe
PID 2252 wrote to memory of 4880	2252	svchcst.exe	WScript.exe
PID 2252 wrote to memory of 4880	2252	svchcst.exe	WScript.exe
PID 3504 wrote to memory of 1392	3504	WScript.exe	svchcst.exe
PID 3504 wrote to memory of 1392	3504	WScript.exe	svchcst.exe
PID 3504 wrote to memory of 1392	3504	WScript.exe	svchcst.exe
PID 4880 wrote to memory of 4976	4880	WScript.exe	svchcst.exe
PID 4880 wrote to memory of 4976	4880	WScript.exe	svchcst.exe
PID 4880 wrote to memory of 4976	4880	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
"C:\Users\Admin\AppData\Local\Temp\10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1560
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
30e15386d11e9b1815de025d086ed6f6

SHA1
a11b01bcee34048c87aefe805a286d651f67d201

SHA256
97424bac167d3f23ab7a637573371a68fd1e14837a87b86266dfdc37755f2179

SHA512
5c0388a9b13b4dd1a99e945bbe58a4891f750a3ad623e41f2ca1fe13fdd6d369e9cf6401c5d41b92f036440bb10b8ae8cc9aea2cea2097ace3d962f087b101ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bdff210bf33c9ed5f2b10773c8c98ff5

SHA1
fc4fbaca4c7f23506dc792dec89e640050ad62e9

SHA256
900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

SHA512
45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d9f501b161046663488cf14cd240448f

SHA1
8bd268dd620bc58cf5c77df528b64d234894c141

SHA256
fdc9c3c64663b52aef5694e819e7ed04527da985b9cca1eda703f48464e6a1a0

SHA512
9a4d017e1e9628beb75d912f8029bf01b543a76f0bc8b08fe85f0ea8239242d2804473e36085e760732adf4d715af16de51485d81148cadc4ecb4c14fda63b70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e344eeee00e79df017a52b54a73cd75c

SHA1
1f69a4c5a4497faf44f9ea52a9ca96c4a6c4e997

SHA256
469383079fd2814e85096b8323ffdda0ccf6a94910c4b1550565062d978668d1

SHA512
96590d9763fa5804861438a7bc9b04e2dac7806fdb5fac1787d898974c00de3d5116bd4ab51b949f3ee773ac82783c11cb441fca3971259b09aca2a50cc328d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
26269366b4e6aba04df8ed93697bc7f2

SHA1
8b699e09ae71228cbc618bf29db52d2bea232ec4

SHA256
5eefa06f8fc69250046919c90bd17450baaa42b02a527c58b15eafee5724f975

SHA512
e112ac34b7d9d25ded05057eb5fe2856a173fcc83128de922f261ab67620a4d41463c77176591579bd4818f2332af1bad8342cf788f70e4b8df2d1539ecbe879

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5fb57e872a47f447591902c868ca4134

SHA1
85d3959bb56c851387922cc925a7a9efb85250ff

SHA256
8c1a3f41605dcaca07786427e280aba3728008a52746fb4b8b90f640a59cf399

SHA512
b34f96b39e7c57365114c2fe09e9c690a62e7550516dae0d244b0263cf41013816e89650c62a2a5e8cf53a76b44c6ff139eaa5235dddfe45d29cede4c23f2ae7

Download Submit
memory/740-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download