8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 22:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
Size

1.1MB
MD5

17d2e6f02dca29fe9c243dd6bd1e2e8e
SHA1

694ecc60c710a54636f0473ada036c887ff650e7
SHA256

8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0
SHA512

feb7664666be1f736156336c61ce7f18ce77583af586a2ad097eb7a5c4cbe047540ba909d9410bca7dce1165b5803349153df2295451570922c8672fcc672b1f
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QG:acallSllG4ZM7QzMd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3372	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
3372	svchcst.exe
2324	svchcst.exe
4536	svchcst.exe
4420	svchcst.exe
1120	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4852	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
4852	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe
3372	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4852	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4852	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
4852	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
3372	svchcst.exe
3372	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
4420	svchcst.exe
4420	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 1052	4852	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe	81
PID 4852 wrote to memory of 1052	4852	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe	81
PID 4852 wrote to memory of 1052	4852	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe	81
PID 1052 wrote to memory of 3372	1052	WScript.exe	87
PID 1052 wrote to memory of 3372	1052	WScript.exe	87
PID 1052 wrote to memory of 3372	1052	WScript.exe	87
PID 3372 wrote to memory of 4456	3372	svchcst.exe	88
PID 3372 wrote to memory of 4456	3372	svchcst.exe	88
PID 3372 wrote to memory of 4456	3372	svchcst.exe	88
PID 3372 wrote to memory of 1908	3372	svchcst.exe	89
PID 3372 wrote to memory of 1908	3372	svchcst.exe	89
PID 3372 wrote to memory of 1908	3372	svchcst.exe	89
PID 4456 wrote to memory of 2324	4456	WScript.exe	92
PID 4456 wrote to memory of 2324	4456	WScript.exe	92
PID 4456 wrote to memory of 2324	4456	WScript.exe	92
PID 1908 wrote to memory of 4536	1908	WScript.exe	93
PID 1908 wrote to memory of 4536	1908	WScript.exe	93
PID 1908 wrote to memory of 4536	1908	WScript.exe	93
PID 2324 wrote to memory of 2908	2324	svchcst.exe	94
PID 2324 wrote to memory of 2908	2324	svchcst.exe	94
PID 2324 wrote to memory of 2908	2324	svchcst.exe	94
PID 2324 wrote to memory of 636	2324	svchcst.exe	95
PID 2324 wrote to memory of 636	2324	svchcst.exe	95
PID 2324 wrote to memory of 636	2324	svchcst.exe	95
PID 2908 wrote to memory of 4420	2908	WScript.exe	96
PID 2908 wrote to memory of 4420	2908	WScript.exe	96
PID 2908 wrote to memory of 4420	2908	WScript.exe	96
PID 636 wrote to memory of 1120	636	WScript.exe	97
PID 636 wrote to memory of 1120	636	WScript.exe	97
PID 636 wrote to memory of 1120	636	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
"C:\Users\Admin\AppData\Local\Temp\8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4420
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1120
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
868716876f6ec329cdda99a3f65cdcdc

SHA1
c71a832f422e97db9fdcfc6ec164d4c443590b64

SHA256
d5f20b1599b7c496383c9ca5e0661e193c5f1fc8c7b97c11a00a212acd5bd3f3

SHA512
a00d40db5f11de5d535efce7482daa732ca6cfc82397f0ef7ad3c7ad64021ae047e4f88dbf2d624e428fd1274a344798587ca0541f78ccf18f7054ef0b7afd90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd3670279cfd4857ab7ae976f56ad473

SHA1
2b4136cb5f5aa98e7cf48135db771fe497da942f

SHA256
9824342f00af60b70c73fd0b0b08c54f1439d6f6964ce1286a7eec748047041f

SHA512
30e7536c3209027ad3df30edd10d69b666a936c4184f3ad26ebf683ae2d066607b9eda521955af0a3cb235d6d84cc5c6fda747525bef19ec3a5016db66945889

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
88601fa6b38fb757262325d9bf4ce40d

SHA1
fc2fc75b89f4c3b373990e1e6e59119147e2a72d

SHA256
39efdea1c23001ae30252a167f6d84f4a6fcfcbad2febb63c0fc824fa3d05508

SHA512
cab2aba3a881510052ab87232b34cd2e8393e633018e756aa61bb1a5852efcf43db27ce9155c32239089143df1e790e594d161e908429ed12a5fbe178799fedd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4edbf7c2b7faa44e7586977dfb393be9

SHA1
7b25192ce41e193970c48b82067958f073ce8976

SHA256
9202b8fbb31a23899538077a6ff591156c22b5e57a03d0eeab7f6cb4962cca0f

SHA512
cadaa3357623e9fc347a2c7d40b0cbb9ea1385a42a533183a80f5fd931ee185f9437ae38426eea315f47c8a05cd56b8882ea0fd3627d36d0329d5858ba0eb78f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6213c74dc27948a4e55621b8134faeba

SHA1
574501ac7426e6152f385fe561988bed9a8a964b

SHA256
d82b2f1615e5f795dfde1a2a85f761a5b9e6efa93e3a952f45ae5c0567589654

SHA512
437b8db84e1cfe051a53f2fb637952af5a7a9cc762f62e50e79186055829720a44fbf8b1dd58d89ad771122fae3b7727fbc4984f07ebce16ff87dfbb73f82a13

Download Submit
memory/1120-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1120-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3372-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3372-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4420-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4536-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4536-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4852-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4852-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download