c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
Size

1.1MB
MD5

78b52e14fbfe7ef408182a904f1ce54f
SHA1

b0ffdc6c381796b7f614c2219cab062d6d6d06bc
SHA256

c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa
SHA512

7920bee63a78a6e17e3330e78549617936d09f84d8d0901c253553e2a9d5c04fa01a2e008689802e63d8b0f907f487ca1431ee54585667a0a0175e931a216e84
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QS:CcaClSFlG4ZM7QzMh

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4552	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2476	svchcst.exe
4552	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe
4552	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
4552	svchcst.exe
4552	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 1992	4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	84
PID 4580 wrote to memory of 1856	4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	85
PID 4580 wrote to memory of 1992	4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	84
PID 4580 wrote to memory of 1992	4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	84
PID 4580 wrote to memory of 1856	4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	85
PID 4580 wrote to memory of 1856	4580	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	85
PID 1856 wrote to memory of 2476	1856	WScript.exe	95
PID 1856 wrote to memory of 2476	1856	WScript.exe	95
PID 1856 wrote to memory of 2476	1856	WScript.exe	95
PID 1992 wrote to memory of 4552	1992	WScript.exe	96
PID 1992 wrote to memory of 4552	1992	WScript.exe	96
PID 1992 wrote to memory of 4552	1992	WScript.exe	96

C:\Users\Admin\AppData\Local\Temp\c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
"C:\Users\Admin\AppData\Local\Temp\c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4552
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
adb696708c926ff9bbf48b75438c7d53

SHA1
969b207cf39151904e761786492e66d3c4771370

SHA256
725f9166d97352722a48918a31d8cbf6d51d78d39d30bdbd07a962cd16dfe039

SHA512
5833ff27153270aae0078b09c063f87b261ed5f3f8b3bb5bed71b2738f3960b91f072e58cb15c7793b1855077f3cc9055c440fa3cb04181a90262333aff04428

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
03fb7256a2242d4293d8749d7f121721

SHA1
b5b3a78f2be9c570c1aeb9078ad135190dec70f9

SHA256
15cd338b48030f0ae82978ff832d9b40a0d06e105b300e81b9a8eac93f956e47

SHA512
f5e374ba10876864e1591a5efef6c2a9bf47113cc1dfcbde724b9c046d75b73d522b5aca30220e667b3fa97032b4470b221de451fa17a02606cfa8c946502b7e

Download Submit
memory/4580-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download