24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exe
Size

1.1MB
MD5

efa000140e6f98c42b106ed939ec9a92
SHA1

4e7a9da2f71f5593454802d12b76ac0b8a57dd93
SHA256

24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983
SHA512

c059fba568dc298b6e7181d008b16a84e327207f174e3cc73d8b5442c2f72a837acab95978849403aee138945e3cfe9ae706f9b38c20cb72834bf2c027e04b88
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qx:CcaClSFlG4ZM7QzMS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2692 svchcst.exe

Executes dropped EXE 24 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2692	svchcst.exe
2868	svchcst.exe
1216	svchcst.exe
3040	svchcst.exe
1768	svchcst.exe
1660	svchcst.exe
1592	svchcst.exe
2880	svchcst.exe
2508	svchcst.exe
2884	svchcst.exe
380	svchcst.exe
568	svchcst.exe
2196	svchcst.exe
1728	svchcst.exe
2344	svchcst.exe
1668	svchcst.exe
1592	svchcst.exe
2180	svchcst.exe
2580	svchcst.exe
2628	svchcst.exe
672	svchcst.exe
1008	svchcst.exe
1292	svchcst.exe
448	svchcst.exe

Loads dropped DLL 44 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2608	WScript.exe
2608	WScript.exe
2996	WScript.exe
2996	WScript.exe
1208	WScript.exe
1208	WScript.exe
624	WScript.exe
624	WScript.exe
3020	WScript.exe
3020	WScript.exe
1616	WScript.exe
1616	WScript.exe
3060	WScript.exe
3060	WScript.exe
2176	WScript.exe
2176	WScript.exe
3064	WScript.exe
2692	WScript.exe
2692	WScript.exe
2692	WScript.exe
2980	WScript.exe
2036	WScript.exe
1964	WScript.exe
1964	WScript.exe
2220	WScript.exe
2220	WScript.exe
1556	WScript.exe
1556	WScript.exe
1624	WScript.exe
1624	WScript.exe
2424	WScript.exe
2424	WScript.exe
2428	WScript.exe
2428	WScript.exe
2876	WScript.exe
2876	WScript.exe
2676	WScript.exe
2676	WScript.exe
772	WScript.exe
772	WScript.exe
1200	WScript.exe
1200	WScript.exe
1776	WScript.exe
1776	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exesvchcst.exesvchcst.exe

pid	process
2368	24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exe

pid process

2368 24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exe

Suspicious use of SetWindowsHookEx 50 IoCs

Processes:

24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2368	24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exe
2368	24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exe
2692	svchcst.exe
2692	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1592	svchcst.exe
1592	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2508	svchcst.exe
2508	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
380	svchcst.exe
380	svchcst.exe
568	svchcst.exe
568	svchcst.exe
2196	svchcst.exe
2196	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
1668	svchcst.exe
1668	svchcst.exe
1592	svchcst.exe
1592	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
672	svchcst.exe
672	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1292	svchcst.exe
1292	svchcst.exe
448	svchcst.exe
448	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 2368 wrote to memory of 2608	2368	24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exe	WScript.exe
PID 2368 wrote to memory of 2608	2368	24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exe	WScript.exe
PID 2368 wrote to memory of 2608	2368	24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exe	WScript.exe
PID 2368 wrote to memory of 2608	2368	24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exe	WScript.exe
PID 2608 wrote to memory of 2692	2608	WScript.exe	svchcst.exe
PID 2608 wrote to memory of 2692	2608	WScript.exe	svchcst.exe
PID 2608 wrote to memory of 2692	2608	WScript.exe	svchcst.exe
PID 2608 wrote to memory of 2692	2608	WScript.exe	svchcst.exe
PID 2692 wrote to memory of 2996	2692	svchcst.exe	WScript.exe
PID 2692 wrote to memory of 2996	2692	svchcst.exe	WScript.exe
PID 2692 wrote to memory of 2996	2692	svchcst.exe	WScript.exe
PID 2692 wrote to memory of 2996	2692	svchcst.exe	WScript.exe
PID 2996 wrote to memory of 2868	2996	WScript.exe	svchcst.exe
PID 2996 wrote to memory of 2868	2996	WScript.exe	svchcst.exe
PID 2996 wrote to memory of 2868	2996	WScript.exe	svchcst.exe
PID 2996 wrote to memory of 2868	2996	WScript.exe	svchcst.exe
PID 2868 wrote to memory of 1208	2868	svchcst.exe	WScript.exe
PID 2868 wrote to memory of 1208	2868	svchcst.exe	WScript.exe
PID 2868 wrote to memory of 1208	2868	svchcst.exe	WScript.exe
PID 2868 wrote to memory of 1208	2868	svchcst.exe	WScript.exe
PID 1208 wrote to memory of 1216	1208	WScript.exe	svchcst.exe
PID 1208 wrote to memory of 1216	1208	WScript.exe	svchcst.exe
PID 1208 wrote to memory of 1216	1208	WScript.exe	svchcst.exe
PID 1208 wrote to memory of 1216	1208	WScript.exe	svchcst.exe
PID 1216 wrote to memory of 624	1216	svchcst.exe	WScript.exe
PID 1216 wrote to memory of 624	1216	svchcst.exe	WScript.exe
PID 1216 wrote to memory of 624	1216	svchcst.exe	WScript.exe
PID 1216 wrote to memory of 624	1216	svchcst.exe	WScript.exe
PID 624 wrote to memory of 3040	624	WScript.exe	svchcst.exe
PID 624 wrote to memory of 3040	624	WScript.exe	svchcst.exe
PID 624 wrote to memory of 3040	624	WScript.exe	svchcst.exe
PID 624 wrote to memory of 3040	624	WScript.exe	svchcst.exe
PID 3040 wrote to memory of 3020	3040	svchcst.exe	WScript.exe
PID 3040 wrote to memory of 3020	3040	svchcst.exe	WScript.exe
PID 3040 wrote to memory of 3020	3040	svchcst.exe	WScript.exe
PID 3040 wrote to memory of 3020	3040	svchcst.exe	WScript.exe
PID 3020 wrote to memory of 1768	3020	WScript.exe	svchcst.exe
PID 3020 wrote to memory of 1768	3020	WScript.exe	svchcst.exe
PID 3020 wrote to memory of 1768	3020	WScript.exe	svchcst.exe
PID 3020 wrote to memory of 1768	3020	WScript.exe	svchcst.exe
PID 1768 wrote to memory of 1616	1768	svchcst.exe	WScript.exe
PID 1768 wrote to memory of 1616	1768	svchcst.exe	WScript.exe
PID 1768 wrote to memory of 1616	1768	svchcst.exe	WScript.exe
PID 1768 wrote to memory of 1616	1768	svchcst.exe	WScript.exe
PID 1616 wrote to memory of 1660	1616	WScript.exe	svchcst.exe
PID 1616 wrote to memory of 1660	1616	WScript.exe	svchcst.exe
PID 1616 wrote to memory of 1660	1616	WScript.exe	svchcst.exe
PID 1616 wrote to memory of 1660	1616	WScript.exe	svchcst.exe
PID 1660 wrote to memory of 3060	1660	svchcst.exe	WScript.exe
PID 1660 wrote to memory of 3060	1660	svchcst.exe	WScript.exe
PID 1660 wrote to memory of 3060	1660	svchcst.exe	WScript.exe
PID 1660 wrote to memory of 3060	1660	svchcst.exe	WScript.exe
PID 3060 wrote to memory of 1592	3060	WScript.exe	svchcst.exe
PID 3060 wrote to memory of 1592	3060	WScript.exe	svchcst.exe
PID 3060 wrote to memory of 1592	3060	WScript.exe	svchcst.exe
PID 3060 wrote to memory of 1592	3060	WScript.exe	svchcst.exe
PID 1592 wrote to memory of 2176	1592	svchcst.exe	WScript.exe
PID 1592 wrote to memory of 2176	1592	svchcst.exe	WScript.exe
PID 1592 wrote to memory of 2176	1592	svchcst.exe	WScript.exe
PID 1592 wrote to memory of 2176	1592	svchcst.exe	WScript.exe
PID 2176 wrote to memory of 2880	2176	WScript.exe	svchcst.exe
PID 2176 wrote to memory of 2880	2176	WScript.exe	svchcst.exe
PID 2176 wrote to memory of 2880	2176	WScript.exe	svchcst.exe
PID 2176 wrote to memory of 2880	2176	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exe
"C:\Users\Admin\AppData\Local\Temp\24d6d17da2b3a5b1747269ba4e2a6bc7510d75641b3382b35b48fb37883da983.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2880

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:3064

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:2692

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:2980

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:568

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:380

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:2036

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:1964

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:2220

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:1556

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:1624

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2424

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:2428

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:2876

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:2676

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
- Loads dropped DLL
PID:772

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
- Loads dropped DLL
PID:1200

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
44⤵
- Loads dropped DLL
PID:1776

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:448

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
46⤵
PID:2000

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
16b9011648a577741b7fb4a55f1eeaac

SHA1
b0d86d1cf62b882bf28f0897ddb610e41cc6814c

SHA256
7bf3fbb9962c054e651caf4e49fa468d5892cb0bf88f4bbf3fd85b372a7d173c

SHA512
1d8631904aa2df5a90aef858d4369ed53d0075f97b42361a8e05c9a64f8e6a786897b625b1230d20415f3923db8aa5d8f5f619b7b9084202fecf4e7cead4366d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
81da78e4c29b5abf222c1425d1b8da16

SHA1
c68fae858982c6217d14f0a94f1e424dc47e5abb

SHA256
e1c0bac8ec1a6de7acf76dbaae7862a630d01697c06843f75330f8be29261f38

SHA512
859ff4f8d8119e4a12c83c8aa7a7c392b9bde66358d189f67f0d44ae6777f75dd7f994536d812cb00f0612a9c4444a3775ff729512d50c1a6173f23b5866fdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
af50d53f1870c9104937bc1769f82771

SHA1
0154472fe27f7938f3aff472624d9925770c855d

SHA256
e158b915336e15ab53f4bad2a8de839180ba5b1d4432a21a5d608f4333d02fc1

SHA512
f446ab0a581e11db5e66fbb4619d77d0e70ddd1140ac7694c43938d665b6b7b363c5788e20b32ed81b1774441f918b2cf91d9af52e5f25373000ea2e6c7a4cdd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
0667072f0b99c114be29b17a58be850a

SHA1
8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143

SHA256
002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07

SHA512
5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
d6998fa6acf02bf81ca3b787bf2aac86

SHA1
c3c08503b40c243120c2815bec43823d1457c93f

SHA256
5f2a7d05a52819de3a4caa28c4b355ca484eea50de6ed9ce8078d244de25e365

SHA512
068536d1ae495d6610534c4536f6024b33bac2e935cb37f99668affefcb8d1fcd8c420e150b6e5807a58157eec83b24cc9017e7cb7b597a7523decdfbaf2a8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
2c6490a42a6a0c40ff0c4e23b3e1aa2f

SHA1
673399038e095a86936267b5014fc7d216ee5c0a

SHA256
4b5b75f23c5d2765bccf9691327947fcdd4e1e17e6da73c1b1c47dab8db99b3d

SHA512
8ffd13c3e9ecd8c522703bf13f839b3925bf3dd0418c33e8b4edc5cd07ca53d76d21e3d8f2e47622d51cc73ac3eed7dd2f7308bb332cde1bd1e6f1cb8f8bb8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
f55dd12388005110c55669e003c1417a

SHA1
55d87a0f0aa326a63702fbfca3330aa3524674fb

SHA256
3df22b61c82c405f91ee17bf1ed28a9c437f3654f0e701f3a587b9e7f6d5c584

SHA512
33fb20744ae47962c2ff59c003d2f8c7e7b9af21ea174e8b416397ed4ea8c4fad2921be5e45c7aea9bc3e28556688ac8adcaea7eecd3d62db5448d2b7ff329f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
72667e7bb91b0ea01490d0903b8932e7

SHA1
6bea6e71652ac6f52b138a1195c7e45fc62adb63

SHA256
c850be21c7dff3479cabb6680026fb6277ad4402bacbc0ecb6e0b20b8269d0c4

SHA512
fa53cc7c317b4cd22b72f997d226aae07c06a7eb6a6fd8162a365304af6d9aa96f9ca65741dacd8ddaf2e53ba2948f1a817a0face43565678b01598c3d768272

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
501cae6abeb320dd5d7e1008862aaf10

SHA1
d68d8e1edc20b4a43dc89a41d1af0fa4028cdf55

SHA256
7d93ef586b4c04fbd9d52d9fa2133fde36f51224a2b221f9865572686844fd13

SHA512
4a7110fb2c0d2877a0e335c3c26d1926ff18704d86b7df56f21c086e33dcf8eb897f5481926c02373d2a5b4e046e1ced99901398fd08af144c79c7e836d7c964

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
dcb701ac33289da7775c9d8225a18bf8

SHA1
f85a7ab29e1698b911df2b6b74f7927405085072

SHA256
47ed631b88801cc96535b58fefcbfe9f4d9b8fb77e7acf1d974c94af2e30482f

SHA512
b9e57f96635e4025a4c2ffa7489fc8766d1084b732cfae32e576ddc31b55bfa625dc3dfbd2cc69a7250b1d148ef51bf299702124dbf0415e4237b7e859d71119

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
0f61b27f7741ea757a5f372313683e9c

SHA1
1e6e3e924d979c1266258a8b028985a4ec8850ed

SHA256
0f09859895b35e9818c27fcf3f97cdacc8d002139a7df54ecdb2a80ac1025025

SHA512
490777f9795cfe5e83951eac109f202000890a08688a898873d8a67bae1c306c30f1c31053e9ba230857861628ec6a31d206234bbcc75eb4e8675e593f105dd3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
702fe690a41f71c756868c1a4471e191

SHA1
b71c1e555a9d28736e92c2e9bbe2624c33a5ce92

SHA256
993580768a881c34a6d25c478cec40e36772b4ad39a57dfb4dc2c2c8cebe9647

SHA512
4013864ed2352dd1435b511a2e34068f7628f60fb06eb73f5a40ba31def489fad482a50ad90701f77b5ba8a8b6c8047981f666aad9f72b3e479547898bc17a1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
4110282f9acf0ed33bcf209dca6a2f44

SHA1
00a1ca0334184706f1a887ee6c13fa90e78c50e1

SHA256
f07430c592d9b84815d05d3468d3ab7c5f430dea89a8a3068572693a1bbebf8a

SHA512
04b722d3d46fc05bcf8a97ecc12a7f09720fba283a2f604fa7753cefde3f74612c5495ef89ca34b53d6a1e956420388cac9783f955e5f02855e53bfa320cd7d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
bbf27443984dc59e0608c3d8cf1a5516

SHA1
061017be125d1c1459b96ee65e4687b2d50b609e

SHA256
bc96427afcc0fe457c661e9250053cf03422bc80e952abb19a3a5731305e4e40

SHA512
c014f5689fae622d357fdd0d2f23d27f6fe09c5c9243cda55eea7ebb7100c6adafd0179d0192e3928c64973a0d45b87af5ad0690639511b73df27239ff95d281

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
1d8a24912df5ca315fe3762c18f2792a

SHA1
f80eaa2a6e03cc261a6143dcba1cdce4a7442154

SHA256
2a70a4e72cac9121358050758b8ab8864805b66b30bd96a7d81fa47f360b1e16

SHA512
859105f924516fa034d021af806463ae646390a1e6f96b2f3af65c4610fabd0cbff53ee95da19cc76e4b46ea6190b14a1cd3939374b0ce6586b4506fe42717cc

Download Submit
memory/2368-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads