e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
Size

1.1MB
MD5

346b006ed1c6db3975fc0d51fc93da79
SHA1

1094ff38618e1b1491e1ad1d0b0fb6b0fdfdf1de
SHA256

e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080
SHA512

c3e799ba81ff91c3ea562fd909902fd17cd414288aa1ee7e4182d66c594ab326589e22e583577c6d3d03816e0ee014910e4b7651e48c6a289f45cd3b7dc63e8f
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QV:CcaClSFlG4ZM7QzMe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3964	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3964	svchcst.exe
4952	svchcst.exe
676	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3236	e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
3236	e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe
3964	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3236	e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3236	e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
3236	e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
3964	svchcst.exe
3964	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
676	svchcst.exe
676	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 1500	3236	e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe	86
PID 3236 wrote to memory of 1500	3236	e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe	86
PID 3236 wrote to memory of 1500	3236	e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe	86
PID 1500 wrote to memory of 3964	1500	WScript.exe	102
PID 1500 wrote to memory of 3964	1500	WScript.exe	102
PID 1500 wrote to memory of 3964	1500	WScript.exe	102
PID 3964 wrote to memory of 968	3964	svchcst.exe	103
PID 3964 wrote to memory of 968	3964	svchcst.exe	103
PID 3964 wrote to memory of 968	3964	svchcst.exe	103
PID 3964 wrote to memory of 1340	3964	svchcst.exe	104
PID 3964 wrote to memory of 1340	3964	svchcst.exe	104
PID 3964 wrote to memory of 1340	3964	svchcst.exe	104
PID 1340 wrote to memory of 4952	1340	WScript.exe	107
PID 1340 wrote to memory of 4952	1340	WScript.exe	107
PID 1340 wrote to memory of 4952	1340	WScript.exe	107
PID 968 wrote to memory of 676	968	WScript.exe	108
PID 968 wrote to memory of 676	968	WScript.exe	108
PID 968 wrote to memory of 676	968	WScript.exe	108

C:\Users\Admin\AppData\Local\Temp\e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
"C:\Users\Admin\AppData\Local\Temp\e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:968
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:676
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1340
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
032e21e106737fd3b5930f8be98abbca

SHA1
4e14175a91abcea248d1fe9058560032af78f28f

SHA256
db69167be6f091d296c82a12712353767a19df60003ebc947195dbd74f04ffb4

SHA512
adc1107e151d087a037b8b2dd38c9bd7d3711df2b24f76db38512d3b7c4ece40f5dac589329411077a8a9b4bc11ef15740bb1229ac5b03a40733f23fd91329f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6a01c738ddc7bf7ae706ebf3f7c37416

SHA1
72e4c9d078ba6ed9920fd1e174e5e5c7474cb4f8

SHA256
bdee2907b593fb435d3395a0d29e323d62977e63979fd0bf2125d4aa7c53546f

SHA512
abbd11f67e904c1c7c82b23ff4a24aa5cfefcd21b35274bb5d9346a65213ab83d523aadbf514b5535d20ca6d32af6f7ee77d08e5421d133b471c6423e71fc58d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6b0789f71f831b2df979bc45c2ad5068

SHA1
42f16651ddef3030efbc07713ae4cfd5e1b884cd

SHA256
dd3d0a05605f874a93d1716b38873e9fa149754df8bd6a14322bf8e9554fc14a

SHA512
50459645ec09bda5420a1f907dd70db952ffd29a71d70ee0026a5aa574c7854b6f73efc004650af596c564cab35046bb5d9a94f05edc807a8ffdbd4ef046b78e

Download Submit
memory/3236-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download