2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f

General

Target

2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe
Size

1.1MB
MD5

b9c5f2c38f6bddd508b7594f2d5e5539
SHA1

315dafa3a739d95c478e449c764bf4ea0b642deb
SHA256

2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f
SHA512

7741abcd835367282573a370b863407a7e4f9d17e945c959349850aef6597606934a360c7bd19f95aeb1034792b33c015cecaca1efa12f9991f56ab9e8eea013
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QP:CcaClSFlG4ZM7QzMY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchcst.exeWScript.exesvchcst.exeWScript.exeWScript.exe2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

3488 svchcst.exe
Executes dropped EXE 4 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid process

3488 svchcst.exe
4952 svchcst.exe
2172 svchcst.exe
4272 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3488	svchcst.exe

pid	process
3488	svchcst.exe
4952	svchcst.exe
2172	svchcst.exe
4272	svchcst.exe

Modifies registry class 7 IoCs

Processes:

svchcst.exeWScript.exesvchcst.exeWScript.exeWScript.exe2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exesvchcst.exe

pid	process
1552	2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe
1552	2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe
3488	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe

pid process

1552 2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
1552	2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe
1552	2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe
3488	svchcst.exe
3488	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
2172	svchcst.exe
2172	svchcst.exe
4272	svchcst.exe
4272	svchcst.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 1552 wrote to memory of 4876	1552	2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe	WScript.exe
PID 1552 wrote to memory of 4876	1552	2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe	WScript.exe
PID 1552 wrote to memory of 4876	1552	2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe	WScript.exe
PID 4876 wrote to memory of 3488	4876	WScript.exe	svchcst.exe
PID 4876 wrote to memory of 3488	4876	WScript.exe	svchcst.exe
PID 4876 wrote to memory of 3488	4876	WScript.exe	svchcst.exe
PID 3488 wrote to memory of 3180	3488	svchcst.exe	WScript.exe
PID 3488 wrote to memory of 3180	3488	svchcst.exe	WScript.exe
PID 3488 wrote to memory of 3180	3488	svchcst.exe	WScript.exe
PID 3180 wrote to memory of 4952	3180	WScript.exe	svchcst.exe
PID 3180 wrote to memory of 4952	3180	WScript.exe	svchcst.exe
PID 3180 wrote to memory of 4952	3180	WScript.exe	svchcst.exe
PID 4952 wrote to memory of 3756	4952	svchcst.exe	WScript.exe
PID 4952 wrote to memory of 3756	4952	svchcst.exe	WScript.exe
PID 4952 wrote to memory of 3756	4952	svchcst.exe	WScript.exe
PID 4952 wrote to memory of 2256	4952	svchcst.exe	WScript.exe
PID 4952 wrote to memory of 2256	4952	svchcst.exe	WScript.exe
PID 4952 wrote to memory of 2256	4952	svchcst.exe	WScript.exe
PID 2256 wrote to memory of 2172	2256	WScript.exe	svchcst.exe
PID 2256 wrote to memory of 2172	2256	WScript.exe	svchcst.exe
PID 2256 wrote to memory of 2172	2256	WScript.exe	svchcst.exe
PID 3756 wrote to memory of 4272	3756	WScript.exe	svchcst.exe
PID 3756 wrote to memory of 4272	3756	WScript.exe	svchcst.exe
PID 3756 wrote to memory of 4272	3756	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe
"C:\Users\Admin\AppData\Local\Temp\2f77af1f90257336b3428e3c18698658ebb650830256a3d4c6ac0e0940666d8f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3180
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e82690634fee4ce28a31a975701de9e5

SHA1
2e7ec68d0be582119de7a480e41522278260babf

SHA256
d69e16b912778212414268dde230aaddc420325997fa6c92390b134cb3a1501f

SHA512
4042cf527443e400d2f63ea31f6f4d96ef3faf94ed2229e8dcc7bae5386c2d73813b14b4c0f6e6114d5ff4870f6834c71d3bc7231b34751ceb2fc9c74f7e8568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
03399b5aecbc3a249763472027e020dc

SHA1
1f1c891f1b398ae4ffc061b0c454ed1c38042d8c

SHA256
719ae95c59e5eb182d29f09249c4e424b12f07f4ecc5598147b0555b9f4b4808

SHA512
4966747a2c67a730ccc0d0e3b507e886e1c19e6b0383ea3573921392b8b3d9cc203f73585eee88956056a45e9085d6c5e16e937041858bac7a5c6681c222641e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d21316c836521f6b518b832b6c80c23f

SHA1
ea8d1d046761ee966de1be0c00758ee77660d863

SHA256
0fc44e7018d757be0aa4561789cdfc40079bec5c42750cf0eb11f0488450639d

SHA512
17c66c109faeb2e66c1432296548e3dd3b933f75d59fc4577002b1aae72a12f44baf21ad9ee7b9922e308642f64a5bc73a5e9e612ed106e831fc4c31a22c8a22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9592c8baa8743a99e048fbb48e3c84e4

SHA1
3c0974675ab73118cade5759e553c3199d612fe5

SHA256
b8116e6612a03e0c4ec6de6aad6286a665ebaabc2c1db231ae0c04f2ec758e04

SHA512
ca6a0e80b88b4c6d512c76b85153619864c48d06781e91133d20184dc65a742fde4b402824f3a3265ccf89a6e559bf225838abaabb5dab21c1d1712b876d7ad8

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1552-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads