eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe
Size

1.1MB
MD5

2a23f69b03bdb8e9f3648af23d6c6e25
SHA1

e99065918021af0b3b4db3f897832c1a1656393a
SHA256

eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209
SHA512

6cfc6ecd6d8266cece09096491d89805097512b7bcc2be0746c520c6255591ecdefe3815e29252d0622566adb63e262be078f1582b8e6a7272882c912ffa065f
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qm:acallSllG4ZM7QzMt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
924	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
924	svchcst.exe
4572	svchcst.exe
3668	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3348	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe
3348	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe
924	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3348	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3348	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe
3348	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe
924	svchcst.exe
924	svchcst.exe
4572	svchcst.exe
4572	svchcst.exe
3668	svchcst.exe
3668	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 3776	3348	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe	84
PID 3348 wrote to memory of 3776	3348	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe	84
PID 3348 wrote to memory of 3776	3348	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe	84
PID 3776 wrote to memory of 924	3776	WScript.exe	95
PID 3776 wrote to memory of 924	3776	WScript.exe	95
PID 3776 wrote to memory of 924	3776	WScript.exe	95
PID 924 wrote to memory of 1008	924	svchcst.exe	96
PID 924 wrote to memory of 1008	924	svchcst.exe	96
PID 924 wrote to memory of 1008	924	svchcst.exe	96
PID 924 wrote to memory of 3512	924	svchcst.exe	97
PID 924 wrote to memory of 3512	924	svchcst.exe	97
PID 924 wrote to memory of 3512	924	svchcst.exe	97
PID 1008 wrote to memory of 4572	1008	WScript.exe	100
PID 1008 wrote to memory of 4572	1008	WScript.exe	100
PID 1008 wrote to memory of 4572	1008	WScript.exe	100
PID 3512 wrote to memory of 3668	3512	WScript.exe	101
PID 3512 wrote to memory of 3668	3512	WScript.exe	101
PID 3512 wrote to memory of 3668	3512	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe
"C:\Users\Admin\AppData\Local\Temp\eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1008
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4572
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
162d2f27fd35400c991f9d17ae48d4b2

SHA1
b49abf6784779deb5d41804c45ae43521716d59c

SHA256
185fe26f4b767a2178b794bbcc8cfbec6cc371073c66fb37c02036a34387d4e1

SHA512
5dcc93f1b0b53efd0b7573cce185acb1dd17c6de326735436baebef09551a848230ea04613edd7aba0e6fe7b12d6bfe85959d9ed503211b0e69bf9662e9fa7ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5d0d203da02edb604545d3d826c88b42

SHA1
9be0cfd40b48d4e6041e00827047a8b0d877d4a1

SHA256
5f341c2f1ff381eecedbf6fcbe549724323c30c05728132a98ea55f607bc3e81

SHA512
a3e01552a9576ba8dd9aa9f65211f74a69588a316d984b8887e740c6c174e19df2056dc0138d5af26bd927e192ec2c7d355fc8b4092e30d55de910e932fbd49f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b8078fe71a0e394d35311697877b3aed

SHA1
b207d56b6ea8df8a29485fc4dfcbf487c57e0c91

SHA256
ecf1fea970c12d3483f97990e4f3bad075bc72e95a0d29347ca60c9813b8fbe0

SHA512
fc3eab7fc5f993acc91b96844da0eaafb11207972fe503060cfa264aa3d45a3766f0d85ebf11a800df066ca2950cba641965086ef350e6c3449f4e6837132ed3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5258c8673ad433ef1f0e8f4ba0f941f1

SHA1
926430dffcd1b90de633899a4a079c57f41403db

SHA256
56369143afec2d72d2a809c0974058486bd1dc6866754c860ec796f7c46298fa

SHA512
8e7fc3df8505f798f1a41a3bdd4030452ac5d3f1ab092600f28da07e406ad34598dc2f3448cd58e4c2ca303e672dd430c31ec090b913ba1b884fe7964eda8e82

Download Submit
memory/924-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3348-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3348-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3668-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3668-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4572-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4572-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download