8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d

General

Target

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
Size

1.1MB
MD5

4b038c07f2b8fb8a36a31a0a2435372a
SHA1

55b0d2f86fdfc8425eecc90db3362445aacdb0c1
SHA256

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d
SHA512

5f91349f0d26158143c641c945f742132b1da8ea48a5625ab5969fce55dd5b906cdd893e13fc1052a0c89a9daadb70e2b8868fdb5410fbd91a564af2a97d043c
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qx:CcaClSFlG4ZM7QzMS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

3744 svchcst.exe
Executes dropped EXE 2 IoCs

Processes:

svchcst.exesvchcst.exe

pid process

3744 svchcst.exe
2332 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3744	svchcst.exe

pid	process
3744	svchcst.exe
2332	svchcst.exe

Modifies registry class 3 IoCs

Processes:

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exesvchcst.exe

pid	process
764	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
764	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
764	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
764	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe
3744	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe

pid process

764 8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exesvchcst.exesvchcst.exe

pid	process
764	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
764	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
3744	svchcst.exe
3744	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exeWScript.exeWScript.exe

description	pid	process	target process
PID 764 wrote to memory of 1412	764	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe	WScript.exe
PID 764 wrote to memory of 1412	764	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe	WScript.exe
PID 764 wrote to memory of 1412	764	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe	WScript.exe
PID 764 wrote to memory of 4320	764	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe	WScript.exe
PID 764 wrote to memory of 4320	764	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe	WScript.exe
PID 764 wrote to memory of 4320	764	8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe	WScript.exe
PID 4320 wrote to memory of 3744	4320	WScript.exe	svchcst.exe
PID 4320 wrote to memory of 3744	4320	WScript.exe	svchcst.exe
PID 4320 wrote to memory of 3744	4320	WScript.exe	svchcst.exe
PID 1412 wrote to memory of 2332	1412	WScript.exe	svchcst.exe
PID 1412 wrote to memory of 2332	1412	WScript.exe	svchcst.exe
PID 1412 wrote to memory of 2332	1412	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe
"C:\Users\Admin\AppData\Local\Temp\8cdc946be9b67d4832de46b74a39e5da3f91dd39144f26fa66312e1946284c0d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4320

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
2232981953dc22ead9965961a88b4242

SHA1
3ba89bf8a62748d599bd77544189f9f34bbbd173

SHA256
515542fe08ba478ca7f842d180582f2c3e95c76576d6007c24f03fa6fdf8a53d

SHA512
c83b077e7c2ce5b15271d29f2414c496d6cb2555debfb962bbb8f31a86c9f81265d9650a393fc3c242bfc739a892b5724ea256d69fd7530664fe30a7410c9829

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
d85cef24d91b0083bacc35e7645369b4

SHA1
509f886083f00c96912630a345819120caa91415

SHA256
16de69d8316c5cf5f00adc327defc3c042e0677fe6185752f2678095b5c5eb3c

SHA512
09edce46062f1a85f498d82ccfa4f7971cc6bf667c8a5729139f848b72d51a0fb489400b9708ea39b303e3783fa80e7eea139ac8d9ed4137f496524e962e2f23

Download Submit
memory/764-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads