1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b

General

Target

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe
Size

1.1MB
MD5

1a2ea174eed876ae66a1d841383ee4d9
SHA1

51efabbc0f6430c599781eab4a8b4fedb4464960
SHA256

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b
SHA512

611c2e6bfc9a9cb9fef182dbbed73f71a122f1493860f639aafcdc9737c19278a0dbe068f1417d94205cb24130c5a45bc057eb9dc90fc4f00159e819cd5946d6
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QM:CcaClSFlG4ZM7QzM7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exesvchcst.exeWScript.exeWScript.exe1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1036 svchcst.exe
Executes dropped EXE 3 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exe

pid process

1036 svchcst.exe
3176 svchcst.exe
3344 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1036	svchcst.exe

pid	process
1036	svchcst.exe
3176	svchcst.exe
3344	svchcst.exe

Modifies registry class 5 IoCs

Processes:

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exesvchcst.exe

pid	process
2736	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe
2736	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe

pid process

2736 1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2736	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe
2736	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe
1036	svchcst.exe
1036	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3344	svchcst.exe
3344	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 2736 wrote to memory of 4720	2736	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe	WScript.exe
PID 2736 wrote to memory of 4720	2736	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe	WScript.exe
PID 2736 wrote to memory of 4720	2736	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe	WScript.exe
PID 4720 wrote to memory of 1036	4720	WScript.exe	svchcst.exe
PID 4720 wrote to memory of 1036	4720	WScript.exe	svchcst.exe
PID 4720 wrote to memory of 1036	4720	WScript.exe	svchcst.exe
PID 1036 wrote to memory of 3116	1036	svchcst.exe	WScript.exe
PID 1036 wrote to memory of 3116	1036	svchcst.exe	WScript.exe
PID 1036 wrote to memory of 3116	1036	svchcst.exe	WScript.exe
PID 1036 wrote to memory of 2000	1036	svchcst.exe	WScript.exe
PID 1036 wrote to memory of 2000	1036	svchcst.exe	WScript.exe
PID 1036 wrote to memory of 2000	1036	svchcst.exe	WScript.exe
PID 3116 wrote to memory of 3176	3116	WScript.exe	svchcst.exe
PID 3116 wrote to memory of 3176	3116	WScript.exe	svchcst.exe
PID 3116 wrote to memory of 3176	3116	WScript.exe	svchcst.exe
PID 2000 wrote to memory of 3344	2000	WScript.exe	svchcst.exe
PID 2000 wrote to memory of 3344	2000	WScript.exe	svchcst.exe
PID 2000 wrote to memory of 3344	2000	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe
"C:\Users\Admin\AppData\Local\Temp\1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3176

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
952c5b1080c1b0a5b760ac039b4d103e

SHA1
690043ee33c8377f612cdc68978d03dc426da6c8

SHA256
b1472a65fc336d8bdc6bc209a64461860ae2af81dd040dbf2ac74cc7abfc55d2

SHA512
bbdc49c5f15d47be3eaeaefaffd5c0359466f68a47a4193942e2e40d18e565a682f16e0bdebbe49166b509e0797d2916b7fa0ac73dc47e568ead579cf8566126

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
06e428f802e99943840ec4252a1dbc65

SHA1
de19170e679e76221331c6d04b3a8448bbb5acd2

SHA256
87fd1d5f4b27ef3ab9e57186a9386c42b5f1c784e391ae0f39b408a8395fa5ce

SHA512
dbaa4b01da3368ddff92b96256fe5b48cb9efc9faadf311ae7ac05df945e88d9f4633e5d41daae18f227dc4e99d1c1795b97abfd136886ddceee78d1afb9b92d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c498e675c8598697d84ab1663969b268

SHA1
49ca4b6b56403d683343cb0e5cf5f02a397d8155

SHA256
e4a6b9742b7a46223cdde67d0767120ab3a4b816666e205b00213ccf4460710c

SHA512
fa4c5ba1a3860c63d49935bf2c796d2be9d5ef618d5526ecbd98a07ae6e871fffe75210ff41f6e24ce1d79cef769436e219169be7ca73ee3027f3e2ec0b6d088

Download Submit
memory/2736-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads