8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
Size

1.1MB
MD5

4b038c07f2b8fb8a36a31a0a2435372a
SHA1

55b0d2f86fdfc8425eecc90db3362445aacdb0c1
SHA256

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d
SHA512

5f91349f0d26158143c641c945f742132b1da8ea48a5625ab5969fce55dd5b906cdd893e13fc1052a0c89a9daadb70e2b8868fdb5410fbd91a564af2a97d043c
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qx:CcaClSFlG4ZM7QzMS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

3024 svchcst.exe

Executes dropped EXE 25 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
3024	svchcst.exe
1676	svchcst.exe
2768	svchcst.exe
1076	svchcst.exe
580	svchcst.exe
404	svchcst.exe
1324	svchcst.exe
2924	svchcst.exe
1624	svchcst.exe
2044	svchcst.exe
2452	svchcst.exe
2424	svchcst.exe
2844	svchcst.exe
1404	svchcst.exe
572	svchcst.exe
2408	svchcst.exe
1532	svchcst.exe
2984	svchcst.exe
1920	svchcst.exe
1956	svchcst.exe
2664	svchcst.exe
2412	svchcst.exe
1100	svchcst.exe
2284	svchcst.exe
1732	svchcst.exe

Loads dropped DLL 36 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
3016	WScript.exe
3016	WScript.exe
2492	WScript.exe
2720	WScript.exe
2720	WScript.exe
2112	WScript.exe
2112	WScript.exe
792	WScript.exe
2328	WScript.exe
3032	WScript.exe
3032	WScript.exe
3032	WScript.exe
2704	WScript.exe
1080	WScript.exe
1080	WScript.exe
2772	WScript.exe
2772	WScript.exe
2324	WScript.exe
2868	WScript.exe
2868	WScript.exe
2024	WScript.exe
2024	WScript.exe
2320	WScript.exe
2320	WScript.exe
2556	WScript.exe
2556	WScript.exe
2232	WScript.exe
2232	WScript.exe
2432	WScript.exe
2432	WScript.exe
1744	WScript.exe
1744	WScript.exe
2812	WScript.exe
2812	WScript.exe
2404	WScript.exe
2404	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exesvchcst.exesvchcst.exe

pid	process
1920	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe

pid process

1920 8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe

Suspicious use of SetWindowsHookEx 52 IoCs

Processes:

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
1920	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
1920	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
3024	svchcst.exe
3024	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
1076	svchcst.exe
1076	svchcst.exe
580	svchcst.exe
580	svchcst.exe
404	svchcst.exe
404	svchcst.exe
1324	svchcst.exe
1324	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2452	svchcst.exe
2452	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
1404	svchcst.exe
1404	svchcst.exe
572	svchcst.exe
572	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
1532	svchcst.exe
1532	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
1920	svchcst.exe
1920	svchcst.exe
1956	svchcst.exe
1956	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
1100	svchcst.exe
1100	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exesvchcst.exeWScript.exesvchcst.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 1920 wrote to memory of 3016	1920	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe	WScript.exe
PID 1920 wrote to memory of 3016	1920	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe	WScript.exe
PID 1920 wrote to memory of 3016	1920	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe	WScript.exe
PID 1920 wrote to memory of 3016	1920	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe	WScript.exe
PID 3016 wrote to memory of 3024	3016	WScript.exe	svchcst.exe
PID 3016 wrote to memory of 3024	3016	WScript.exe	svchcst.exe
PID 3016 wrote to memory of 3024	3016	WScript.exe	svchcst.exe
PID 3016 wrote to memory of 3024	3016	WScript.exe	svchcst.exe
PID 3024 wrote to memory of 2492	3024	svchcst.exe	WScript.exe
PID 3024 wrote to memory of 2492	3024	svchcst.exe	WScript.exe
PID 3024 wrote to memory of 2492	3024	svchcst.exe	WScript.exe
PID 3024 wrote to memory of 2492	3024	svchcst.exe	WScript.exe
PID 2492 wrote to memory of 1676	2492	WScript.exe	svchcst.exe
PID 2492 wrote to memory of 1676	2492	WScript.exe	svchcst.exe
PID 2492 wrote to memory of 1676	2492	WScript.exe	svchcst.exe
PID 2492 wrote to memory of 1676	2492	WScript.exe	svchcst.exe
PID 1676 wrote to memory of 2720	1676	svchcst.exe	WScript.exe
PID 1676 wrote to memory of 2720	1676	svchcst.exe	WScript.exe
PID 1676 wrote to memory of 2720	1676	svchcst.exe	WScript.exe
PID 1676 wrote to memory of 2720	1676	svchcst.exe	WScript.exe
PID 2720 wrote to memory of 2768	2720	WScript.exe	svchcst.exe
PID 2720 wrote to memory of 2768	2720	WScript.exe	svchcst.exe
PID 2720 wrote to memory of 2768	2720	WScript.exe	svchcst.exe
PID 2720 wrote to memory of 2768	2720	WScript.exe	svchcst.exe
PID 2768 wrote to memory of 2956	2768	svchcst.exe	WScript.exe
PID 2768 wrote to memory of 2956	2768	svchcst.exe	WScript.exe
PID 2768 wrote to memory of 2956	2768	svchcst.exe	WScript.exe
PID 2768 wrote to memory of 2956	2768	svchcst.exe	WScript.exe
PID 2720 wrote to memory of 1076	2720	WScript.exe	svchcst.exe
PID 2720 wrote to memory of 1076	2720	WScript.exe	svchcst.exe
PID 2720 wrote to memory of 1076	2720	WScript.exe	svchcst.exe
PID 2720 wrote to memory of 1076	2720	WScript.exe	svchcst.exe
PID 1076 wrote to memory of 2112	1076	svchcst.exe	WScript.exe
PID 1076 wrote to memory of 2112	1076	svchcst.exe	WScript.exe
PID 1076 wrote to memory of 2112	1076	svchcst.exe	WScript.exe
PID 1076 wrote to memory of 2112	1076	svchcst.exe	WScript.exe
PID 2112 wrote to memory of 580	2112	WScript.exe	svchcst.exe
PID 2112 wrote to memory of 580	2112	WScript.exe	svchcst.exe
PID 2112 wrote to memory of 580	2112	WScript.exe	svchcst.exe
PID 2112 wrote to memory of 580	2112	WScript.exe	svchcst.exe
PID 580 wrote to memory of 1976	580	svchcst.exe	WScript.exe
PID 580 wrote to memory of 1976	580	svchcst.exe	WScript.exe
PID 580 wrote to memory of 1976	580	svchcst.exe	WScript.exe
PID 580 wrote to memory of 1976	580	svchcst.exe	WScript.exe
PID 2112 wrote to memory of 404	2112	WScript.exe	svchcst.exe
PID 2112 wrote to memory of 404	2112	WScript.exe	svchcst.exe
PID 2112 wrote to memory of 404	2112	WScript.exe	svchcst.exe
PID 2112 wrote to memory of 404	2112	WScript.exe	svchcst.exe
PID 404 wrote to memory of 792	404	svchcst.exe	WScript.exe
PID 404 wrote to memory of 792	404	svchcst.exe	WScript.exe
PID 404 wrote to memory of 792	404	svchcst.exe	WScript.exe
PID 404 wrote to memory of 792	404	svchcst.exe	WScript.exe
PID 792 wrote to memory of 1324	792	WScript.exe	svchcst.exe
PID 792 wrote to memory of 1324	792	WScript.exe	svchcst.exe
PID 792 wrote to memory of 1324	792	WScript.exe	svchcst.exe
PID 792 wrote to memory of 1324	792	WScript.exe	svchcst.exe
PID 1324 wrote to memory of 2328	1324	svchcst.exe	WScript.exe
PID 1324 wrote to memory of 2328	1324	svchcst.exe	WScript.exe
PID 1324 wrote to memory of 2328	1324	svchcst.exe	WScript.exe
PID 1324 wrote to memory of 2328	1324	svchcst.exe	WScript.exe
PID 2328 wrote to memory of 2924	2328	WScript.exe	svchcst.exe
PID 2328 wrote to memory of 2924	2328	WScript.exe	svchcst.exe
PID 2328 wrote to memory of 2924	2328	WScript.exe	svchcst.exe
PID 2328 wrote to memory of 2924	2328	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
"C:\Users\Admin\AppData\Local\Temp\8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
PID:2956

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
PID:1976

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
PID:3032

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:2704

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:1080

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2424

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2772

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1404

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
PID:2228

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:572

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:2324

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:2868

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:2024

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:2320

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:2556

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:2232

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2432

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:1744

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:2812

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:2404

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
PID:584

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2844

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
8c8771136cbb2b84664b6b5ade6507ef

SHA1
749b323bb28d89aea162eb83218fa90011e30271

SHA256
c2b66e9ff9f035a88a59b4bb01a933f535a8446050922f5bd685ce7e56639f02

SHA512
7a3af7a70bee1eb361e767db580c877b58aebda18ba7911eef6b26463c5a64cb7c1b14b43c34140a40cc26fb07546f3b171eab9af6a26f4591e3727fa7b6f3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
efa4b9f79f0e80cc4480b4196f965c98

SHA1
56401c277c2e9c8111a865c9225b943fc4a7433b

SHA256
5db1107f337e47becfbcacfdc107678db82fb69fc4a9a1341c0decacff5146c3

SHA512
c3b3f2cd4b0a7257fcb391a7defee9a0db1650febb3dab466732bf81cdec9a8bbfb9e28afd2ffff03d57f2cd2be8adc8da67abeb39e295c94b3dd536fb092180

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
cd3670279cfd4857ab7ae976f56ad473

SHA1
2b4136cb5f5aa98e7cf48135db771fe497da942f

SHA256
9824342f00af60b70c73fd0b0b08c54f1439d6f6964ce1286a7eec748047041f

SHA512
30e7536c3209027ad3df30edd10d69b666a936c4184f3ad26ebf683ae2d066607b9eda521955af0a3cb235d6d84cc5c6fda747525bef19ec3a5016db66945889

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
3a5ef0ae18f82de007b78d2b41c12b67

SHA1
e92d1f54eeac7528bf5f26fbcf435f7d95991d30

SHA256
7159e7ed4317e20371bce82917d1a629cd284f7a2580683bde85affa6ad5bf5e

SHA512
487e4634da8de5d9452e8e7cbd88b000003a07d3f162b29dce7e25df6c6897fce67c2562d097147ced2eed32942c9bfaadc07b8606f5114de04998c95ed43710

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
f237d40e44d28d16b38b132204962310

SHA1
faa067441a6fae03a69f43600f944f5cd5004705

SHA256
744e4d591e2b0dbd01f2a8e192e7284624adb5cb24faf1ec3bd4b9d669200dce

SHA512
3da10ee20cc1f9c78473fbf099c3bc60b084931860a10d06bd27131c34300cfde273d7cad024c4861359ec310dbc89725f3cf909d78da42e8d6f2da04ee63a09

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1920-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads