2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 21:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe
Size

1.1MB
MD5

f8c9bf657b96e4ba11bf5f748e447d50
SHA1

db15556f44b4fd5d0a0c852269de7c707d3e217f
SHA256

2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364
SHA512

9b9061ebd49ccba2ffe375358b15e89c384fb151108b0eefaa8c2d9a2b0e9d5a5e16ba857ef605e6f7f71209c2db2311ec6602105c93bedd339c36808180081d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QN:acallSllG4ZM7QzMm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2432	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
2432	svchcst.exe
2392	svchcst.exe
1036	svchcst.exe
1248	svchcst.exe

Loads dropped DLL 6 IoCs

pid	Process
2832	WScript.exe
2548	WScript.exe
2832	WScript.exe
2548	WScript.exe
1804	WScript.exe
1704	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe
2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2392	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe
2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe
2432	svchcst.exe
2432	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2832	2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe	28
PID 2764 wrote to memory of 2832	2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe	28
PID 2764 wrote to memory of 2832	2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe	28
PID 2764 wrote to memory of 2832	2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe	28
PID 2764 wrote to memory of 2548	2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe	29
PID 2764 wrote to memory of 2548	2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe	29
PID 2764 wrote to memory of 2548	2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe	29
PID 2764 wrote to memory of 2548	2764	2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe	29
PID 2832 wrote to memory of 2392	2832	WScript.exe	31
PID 2832 wrote to memory of 2392	2832	WScript.exe	31
PID 2832 wrote to memory of 2392	2832	WScript.exe	31
PID 2832 wrote to memory of 2392	2832	WScript.exe	31
PID 2548 wrote to memory of 2432	2548	WScript.exe	32
PID 2548 wrote to memory of 2432	2548	WScript.exe	32
PID 2548 wrote to memory of 2432	2548	WScript.exe	32
PID 2548 wrote to memory of 2432	2548	WScript.exe	32
PID 2392 wrote to memory of 1804	2392	svchcst.exe	33
PID 2392 wrote to memory of 1804	2392	svchcst.exe	33
PID 2392 wrote to memory of 1804	2392	svchcst.exe	33
PID 2392 wrote to memory of 1804	2392	svchcst.exe	33
PID 2392 wrote to memory of 1704	2392	svchcst.exe	34
PID 2392 wrote to memory of 1704	2392	svchcst.exe	34
PID 2392 wrote to memory of 1704	2392	svchcst.exe	34
PID 2392 wrote to memory of 1704	2392	svchcst.exe	34
PID 1804 wrote to memory of 1248	1804	WScript.exe	35
PID 1804 wrote to memory of 1248	1804	WScript.exe	35
PID 1804 wrote to memory of 1248	1804	WScript.exe	35
PID 1804 wrote to memory of 1248	1804	WScript.exe	35
PID 1704 wrote to memory of 1036	1704	WScript.exe	36
PID 1704 wrote to memory of 1036	1704	WScript.exe	36
PID 1704 wrote to memory of 1036	1704	WScript.exe	36
PID 1704 wrote to memory of 1036	1704	WScript.exe	36

C:\Users\Admin\AppData\Local\Temp\2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe
"C:\Users\Admin\AppData\Local\Temp\2be1818609eab8bae8d131c3be1f1719e6f4d190556c007989b0ca34383cd364.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1248
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
edfe2b91f0687cb67c49ab3556226f57

SHA1
4e359f729fc0826ff5bcf69750c5b0d0c1674b09

SHA256
d6ed7c52762d963ba7eb4d633a97a4524e9340b2e51c7772ca8940d46c31cc00

SHA512
d0ecd251378d2ec32b70fdacd4d8efc37a2bcd842273597dd9754a9e4d9e6c0d511e073fbe7c36cb24589167abf1ff871e161904b6b3ec187727f9e2dc1e7232

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c30296961c6c96163d24b4f91a571b3b

SHA1
3a710323016994634d7fdbbda22a6fc8a9b1bf34

SHA256
9ad226e63ca91c2102c1860013662dd2c0ab061fa481ada404e0eaddbee020ee

SHA512
e6fc81d32cf019a2ab64e0ac47f2ff27283415cabe6a94c1d1ea9f2c08dca2100c774248fdfb2e1b7cc8bc74af081a6c48d68b1187d0d43ab0124a28cad59929

Download Submit
memory/1036-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1248-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1248-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1704-36-0x0000000003E40000-0x0000000003F9F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-35-0x0000000003E20000-0x0000000003F7F000-memory.dmp

Filesize
1.4MB

Download
memory/2392-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2392-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2432-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2764-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2764-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2832-24-0x00000000039C0000-0x0000000003B1F000-memory.dmp

Filesize
1.4MB

Download