Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/05/2024, 21:18
Static task: static1
Behavioral task: behavioral1
  Sample: c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
  Resource: win10v2004-20240508-en
General
Target: c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
Size: 1.1MB
MD5: 78b52e14fbfe7ef408182a904f1ce54f
SHA1: b0ffdc6c381796b7f614c2219cab062d6d6d06bc
SHA256: c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa
SHA512: 7920bee63a78a6e17e3330e78549617936d09f84d8d0901c253553e2a9d5c04fa01a2e008689802e63d8b0f907f487ca1431ee54585667a0a0175e931a216e84
SSDEEP: 24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QS:CcaClSFlG4ZM7QzMh
Malware Config
Signatures
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe
Deletes itself (1 IoC)
  pid | Process
  4552 | svchcst.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  2476 | svchcst.exe
  4552 | svchcst.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4580 | c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe (4 entries)
  4552 | svchcst.exe (remaining 60 entries)
Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  4580 | c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  4580 | c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe (2 entries)
  4552 | svchcst.exe (2 entries)
  2476 | svchcst.exe (2 entries)
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4580 wrote to memory of 1992 | 4580 | c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe | 84 (3 entries)
  PID 4580 wrote to memory of 1856 | 4580 | c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe | 85 (3 entries)
  PID 1856 wrote to memory of 2476 | 1856 | WScript.exe | 95 (3 entries)
  PID 1992 wrote to memory of 4552 | 1992 | WScript.exe | 96 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe (PID 4580)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (PID 1992)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 4552)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WScript.exe (PID 1856)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 2476)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 753B
  MD5: adb696708c926ff9bbf48b75438c7d53
  SHA1: 969b207cf39151904e761786492e66d3c4771370
  SHA256: 725f9166d97352722a48918a31d8cbf6d51d78d39d30bdbd07a962cd16dfe039
  SHA512: 5833ff27153270aae0078b09c063f87b261ed5f3f8b3bb5bed71b2738f3960b91f072e58cb15c7793b1855077f3cc9055c440fa3cb04181a90262333aff04428
Filesize: 1.1MB
  MD5: 03fb7256a2242d4293d8749d7f121721
  SHA1: b5b3a78f2be9c570c1aeb9078ad135190dec70f9
  SHA256: 15cd338b48030f0ae82978ff832d9b40a0d06e105b300e81b9a8eac93f956e47
  SHA512: f5e374ba10876864e1591a5efef6c2a9bf47113cc1dfcbde724b9c046d75b73d522b5aca30220e667b3fa97032b4470b221de451fa17a02606cfa8c946502b7e