c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72

Analysis

max time kernel
132s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
Size

1.1MB
MD5

2a4bdd6529c896d7ffdd2e612d2f09e2
SHA1

282f66abdef35ca9dc625f2168fe5aea5043a075
SHA256

c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72
SHA512

8a187ef8bae494fc2f2d1be9b46272d64205237bd0f49d7ecbda5894538975f6b7e5479124a6badd68aeb65cdc2a37e64e47d138b48167b4d74ee2f095e514bc
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Ql:acallSllG4ZM7QzM+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
2548	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
2548	svchcst.exe
4460	svchcst.exe
2792	svchcst.exe
3668	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4828	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
4828	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4828	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4828	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
4828	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
2548	svchcst.exe
2548	svchcst.exe
4460	svchcst.exe
4460	svchcst.exe
2792	svchcst.exe
3668	svchcst.exe
3668	svchcst.exe
2792	svchcst.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4604	4828	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe	84
PID 4828 wrote to memory of 4604	4828	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe	84
PID 4828 wrote to memory of 4604	4828	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe	84
PID 4604 wrote to memory of 2548	4604	WScript.exe	96
PID 4604 wrote to memory of 2548	4604	WScript.exe	96
PID 4604 wrote to memory of 2548	4604	WScript.exe	96
PID 2548 wrote to memory of 888	2548	svchcst.exe	97
PID 2548 wrote to memory of 888	2548	svchcst.exe	97
PID 2548 wrote to memory of 888	2548	svchcst.exe	97
PID 2548 wrote to memory of 5044	2548	svchcst.exe	98
PID 2548 wrote to memory of 5044	2548	svchcst.exe	98
PID 2548 wrote to memory of 5044	2548	svchcst.exe	98
PID 5044 wrote to memory of 4460	5044	WScript.exe	101
PID 5044 wrote to memory of 4460	5044	WScript.exe	101
PID 5044 wrote to memory of 4460	5044	WScript.exe	101
PID 4460 wrote to memory of 4812	4460	svchcst.exe	102
PID 4460 wrote to memory of 4812	4460	svchcst.exe	102
PID 4460 wrote to memory of 4812	4460	svchcst.exe	102
PID 4460 wrote to memory of 4688	4460	svchcst.exe	103
PID 4460 wrote to memory of 4688	4460	svchcst.exe	103
PID 4460 wrote to memory of 4688	4460	svchcst.exe	103
PID 4812 wrote to memory of 2792	4812	WScript.exe	104
PID 4812 wrote to memory of 2792	4812	WScript.exe	104
PID 4812 wrote to memory of 2792	4812	WScript.exe	104
PID 4688 wrote to memory of 3668	4688	WScript.exe	105
PID 4688 wrote to memory of 3668	4688	WScript.exe	105
PID 4688 wrote to memory of 3668	4688	WScript.exe	105

C:\Users\Admin\AppData\Local\Temp\c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
"C:\Users\Admin\AppData\Local\Temp\c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:888
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
87fee317ccae77e631a156704a07ccbb

SHA1
64fcac53b2c2e10ff8566853418562c8fd528607

SHA256
8d3084b16fdce60ea25d982172e98f44e01d44d0f0ea5d2f4322f4552ed46cd3

SHA512
84873de2e563c924780a02ca1dd377dbd9400c453c5f55565152a6568c3be0e3d1b6ce1ab6bd750d202f375e4ff097297958c0e498a8dedce74a10f40f5d0ef5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dcda7be7bee467e770890045f8b7ae2a

SHA1
c2d1c9669b5115473dd2fcb27bb76aed83afdcd1

SHA256
5818c70269cba768813218e1a65265488b4c36ebee593535af98a52bf1eeed33

SHA512
5a69286101d6a3f52a919910584f2618e2e7adcf8b77806b5e4ecd8b881a86693df968818cec771b93b50d05849e165da0d66c5cfb121297f56cf7bef804a408

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1044c043064e5392972c42ab0a378507

SHA1
208893813b82539ccf9825397fc5393abc255d3d

SHA256
635fb4deedc6954b87eee51e3b567c46d29c5e4954794d73579197d41f77fddc

SHA512
4c13b35fd40fda1db7ccb606b4c630f65000807e188f7b643f5127225e9e2630869810960d4faaaa89980c1ca17ec2efe48bd073dace8c0882ac138239722e61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1dea33fa52a41cb51cfe7984c06ff6f5

SHA1
be5abcc302663a0c594e3b4b6d9decb703b51479

SHA256
339aa97ae88c8b7fb0cae4c87fce791b91819030a60b22668f0419309271d0c5

SHA512
e909ec9269270136ecec8a0d24618be4f8a12e9ab707b5104c628a2fdee2b63b17364a61a6761b5b6d19bf7e592a22e3e4e784225a121a3bc12d74082bf81073

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d323d50a2b94d8615c159075c7964513

SHA1
c1d81398aa54a6afb75f922cf6ec4282990bf952

SHA256
c7cc755978485d0a145ea7249d090b3b059a053bde4ddbaf2eac87453b844d31

SHA512
8174f4ee534f317c257b0726b26a480e9070faa18e7c32e88129f56eed62df8dbad4f7d8e45c9b7fe14b219a1a5737295bc17a8f1da7d8a9cc109120420c414e

Download Submit
memory/2548-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2548-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2792-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2792-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3668-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3668-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4460-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4460-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4828-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4828-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download