971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exe
Size

1.1MB
MD5

0f43ff66f607dfa1a624abe9d9caf525
SHA1

9cd5da59d585e1f4f3b3bb3ae97838479f56eb3f
SHA256

971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e
SHA512

d2b95bf16da4b1f1f772014a0f218eabb3b444e82473e6e610c56c24664166f2a3b743f718dae1fa0e0b6199e204b16c5204b358188b9a51c753a388660396bf
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qd:CcaClSFlG4ZM7QzMm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2624 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2624	svchcst.exe
2712	svchcst.exe
1628	svchcst.exe
2084	svchcst.exe
488	svchcst.exe
1128	svchcst.exe
3016	svchcst.exe
2544	svchcst.exe
2072	svchcst.exe
2516	svchcst.exe
2384	svchcst.exe
2500	svchcst.exe
2084	svchcst.exe
2828	svchcst.exe
1856	svchcst.exe
1736	svchcst.exe
544	svchcst.exe
2088	svchcst.exe
1500	svchcst.exe
2236	svchcst.exe
1692	svchcst.exe
2500	svchcst.exe
2248	svchcst.exe

Loads dropped DLL 33 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
3048	WScript.exe
3048	WScript.exe
2384	WScript.exe
1824	WScript.exe
804	WScript.exe
2636	WScript.exe
2636	WScript.exe
1552	WScript.exe
1552	WScript.exe
2552	WScript.exe
2552	WScript.exe
308	WScript.exe
2464	WScript.exe
2104	WScript.exe
696	WScript.exe
696	WScript.exe
696	WScript.exe
876	WScript.exe
876	WScript.exe
1616	WScript.exe
1616	WScript.exe
2608	WScript.exe
2608	WScript.exe
1204	WScript.exe
1204	WScript.exe
2888	WScript.exe
2888	WScript.exe
2456	WScript.exe
2456	WScript.exe
320	WScript.exe
320	WScript.exe
836	WScript.exe
836	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exesvchcst.exesvchcst.exe

pid	process
2876	971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exe

pid process

2876 971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2876	971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exe
2876	971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exe
2624	svchcst.exe
2624	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe
488	svchcst.exe
488	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2072	svchcst.exe
2072	svchcst.exe
2516	svchcst.exe
2516	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe
2828	svchcst.exe
2828	svchcst.exe
1856	svchcst.exe
1856	svchcst.exe
1736	svchcst.exe
1736	svchcst.exe
544	svchcst.exe
544	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
1500	svchcst.exe
1500	svchcst.exe
2236	svchcst.exe
2236	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exesvchcst.exeWScript.exesvchcst.exe

description	pid	process	target process
PID 2876 wrote to memory of 3048	2876	971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exe	WScript.exe
PID 2876 wrote to memory of 3048	2876	971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exe	WScript.exe
PID 2876 wrote to memory of 3048	2876	971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exe	WScript.exe
PID 2876 wrote to memory of 3048	2876	971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exe	WScript.exe
PID 3048 wrote to memory of 2624	3048	WScript.exe	svchcst.exe
PID 3048 wrote to memory of 2624	3048	WScript.exe	svchcst.exe
PID 3048 wrote to memory of 2624	3048	WScript.exe	svchcst.exe
PID 3048 wrote to memory of 2624	3048	WScript.exe	svchcst.exe
PID 2624 wrote to memory of 2384	2624	svchcst.exe	WScript.exe
PID 2624 wrote to memory of 2384	2624	svchcst.exe	WScript.exe
PID 2624 wrote to memory of 2384	2624	svchcst.exe	WScript.exe
PID 2624 wrote to memory of 2384	2624	svchcst.exe	WScript.exe
PID 2384 wrote to memory of 2712	2384	WScript.exe	svchcst.exe
PID 2384 wrote to memory of 2712	2384	WScript.exe	svchcst.exe
PID 2384 wrote to memory of 2712	2384	WScript.exe	svchcst.exe
PID 2384 wrote to memory of 2712	2384	WScript.exe	svchcst.exe
PID 2712 wrote to memory of 1824	2712	svchcst.exe	WScript.exe
PID 2712 wrote to memory of 1824	2712	svchcst.exe	WScript.exe
PID 2712 wrote to memory of 1824	2712	svchcst.exe	WScript.exe
PID 2712 wrote to memory of 1824	2712	svchcst.exe	WScript.exe
PID 1824 wrote to memory of 1628	1824	WScript.exe	svchcst.exe
PID 1824 wrote to memory of 1628	1824	WScript.exe	svchcst.exe
PID 1824 wrote to memory of 1628	1824	WScript.exe	svchcst.exe
PID 1824 wrote to memory of 1628	1824	WScript.exe	svchcst.exe
PID 1628 wrote to memory of 804	1628	svchcst.exe	WScript.exe
PID 1628 wrote to memory of 804	1628	svchcst.exe	WScript.exe
PID 1628 wrote to memory of 804	1628	svchcst.exe	WScript.exe
PID 1628 wrote to memory of 804	1628	svchcst.exe	WScript.exe
PID 804 wrote to memory of 2084	804	WScript.exe	svchcst.exe
PID 804 wrote to memory of 2084	804	WScript.exe	svchcst.exe
PID 804 wrote to memory of 2084	804	WScript.exe	svchcst.exe
PID 804 wrote to memory of 2084	804	WScript.exe	svchcst.exe
PID 2084 wrote to memory of 2636	2084	svchcst.exe	WScript.exe
PID 2084 wrote to memory of 2636	2084	svchcst.exe	WScript.exe
PID 2084 wrote to memory of 2636	2084	svchcst.exe	WScript.exe
PID 2084 wrote to memory of 2636	2084	svchcst.exe	WScript.exe
PID 2636 wrote to memory of 488	2636	WScript.exe	svchcst.exe
PID 2636 wrote to memory of 488	2636	WScript.exe	svchcst.exe
PID 2636 wrote to memory of 488	2636	WScript.exe	svchcst.exe
PID 2636 wrote to memory of 488	2636	WScript.exe	svchcst.exe
PID 488 wrote to memory of 3068	488	svchcst.exe	WScript.exe
PID 488 wrote to memory of 3068	488	svchcst.exe	WScript.exe
PID 488 wrote to memory of 3068	488	svchcst.exe	WScript.exe
PID 488 wrote to memory of 3068	488	svchcst.exe	WScript.exe
PID 2636 wrote to memory of 1128	2636	WScript.exe	svchcst.exe
PID 2636 wrote to memory of 1128	2636	WScript.exe	svchcst.exe
PID 2636 wrote to memory of 1128	2636	WScript.exe	svchcst.exe
PID 2636 wrote to memory of 1128	2636	WScript.exe	svchcst.exe
PID 1128 wrote to memory of 1552	1128	svchcst.exe	WScript.exe
PID 1128 wrote to memory of 1552	1128	svchcst.exe	WScript.exe
PID 1128 wrote to memory of 1552	1128	svchcst.exe	WScript.exe
PID 1128 wrote to memory of 1552	1128	svchcst.exe	WScript.exe
PID 1552 wrote to memory of 3016	1552	WScript.exe	svchcst.exe
PID 1552 wrote to memory of 3016	1552	WScript.exe	svchcst.exe
PID 1552 wrote to memory of 3016	1552	WScript.exe	svchcst.exe
PID 1552 wrote to memory of 3016	1552	WScript.exe	svchcst.exe
PID 3016 wrote to memory of 1252	3016	svchcst.exe	WScript.exe
PID 3016 wrote to memory of 1252	3016	svchcst.exe	WScript.exe
PID 3016 wrote to memory of 1252	3016	svchcst.exe	WScript.exe
PID 3016 wrote to memory of 1252	3016	svchcst.exe	WScript.exe
PID 1552 wrote to memory of 2544	1552	WScript.exe	svchcst.exe
PID 1552 wrote to memory of 2544	1552	WScript.exe	svchcst.exe
PID 1552 wrote to memory of 2544	1552	WScript.exe	svchcst.exe
PID 1552 wrote to memory of 2544	1552	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exe
"C:\Users\Admin\AppData\Local\Temp\971b2771cd73dae05f56e5a6d5053a8cbe1fc60b0cab90da3d80376a90fbba8e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
PID:3068

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
PID:1252

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
PID:2552

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2072

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:2464

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2104

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2084

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:696

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
PID:1332

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:876

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:1616

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:2608

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:1204

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1500

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:2888

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2456

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:320

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:836

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
PID:2432

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:308

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
PID:1588

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
95120f63e782f2331289020fe1fdbf45

SHA1
a2baa3abe9d3e7bd5835cea0fd3ddd0a87463503

SHA256
01c77fbcc52663ace180650cdeccf348d23514fa76260ff2a0fabe9870bd22dd

SHA512
e838501dbedf210362e248e7015a895c8d230f0a03f44f2904d76013b0ac7c7388625eb9ba0b9e0da71a451ebd1a733f559bd5d8855d801f6627f05596e41b81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
c5ae655707a21f6473c5f382a787e100

SHA1
1d2078ebfae286212eb90e60c9dbce5e70ac24f1

SHA256
baf83e476c96ab1af7a7482de26dae9909744fad6d12c6ae818f51b834cecb50

SHA512
af80731f380d75a643ab885ba152cb7118297ab4e70ff44dd96b7bae8542881f0d06cdbe0ac524cdc30ddca970c2b27adf6398f8efc6e510cea6cc0b2a59b34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
f3159db8bd483868144429c5909d280a

SHA1
a3698b1ebb0e43a564357bb77c3462539a114f87

SHA256
f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c

SHA512
328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
3353d1633bca569636039038a518d927

SHA1
780e7b0504ce0c3eb7a2d5ab9cc18b9d0596bd34

SHA256
6f9daffcca457b49869f9b22fe00e63b4c232c9e13998ab908b91909aa446b8d

SHA512
66a8b0877d6c6f196b85b4e8bf7d67da20fd3749543d65b54599233fc68f476445e70f9ad8e54cb3a71676c6b8a51957f11df2442883f1283c6d526884ec0c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
c85adfb789ee03eba0d843b08042e4db

SHA1
263793011d11bd0dd1daf4b55215a8802f9bf6e2

SHA256
8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59

SHA512
b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
bb7babaea963d38a367ee1b62fa33935

SHA1
b6637ac0cfa940c36187b33a5122e3a4d2b28ae7

SHA256
881dc4515a5076f7736ce625916997a8f72a7f8642d1eb3c68d23090aa65ffe3

SHA512
df08b22800f7e5db23306632817abe6bcf846ea3059157807dfc9f7bad67a559b29533bf21ada2e1dfd2c79440a004f3a757d5dec321c33a09c935a8e86b1081

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2876-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads