776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75

General

Target

776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
Size

1.1MB
MD5

bcc1408f17087c9c00be3c7dc221dff5
SHA1

52201f0da3953011b7908e611ec7a41be29f0890
SHA256

776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75
SHA512

65e16e94ad90830e6a2fa9be3d2c6794ccda1b8bc3f4650fd44e5327c6e8aa3da7ba21fe04594a05c7253738bc6f52221a35bda55a364f5e52d26a49a2ed09c3
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qz:CcaClSFlG4ZM7QzMk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchcst.exeWScript.exeWScript.exe776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1168 svchcst.exe
Executes dropped EXE 3 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exe

pid process

1168 svchcst.exe
2836 svchcst.exe
3796 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1168	svchcst.exe

pid	process
1168	svchcst.exe
2836	svchcst.exe
3796	svchcst.exe

Modifies registry class 5 IoCs

Processes:

776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exesvchcst.exe

pid	process
4352	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
4352	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe

pid process

4352 776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
4352	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
4352	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
1168	svchcst.exe
1168	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 4352 wrote to memory of 688	4352	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe	WScript.exe
PID 4352 wrote to memory of 688	4352	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe	WScript.exe
PID 4352 wrote to memory of 688	4352	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe	WScript.exe
PID 688 wrote to memory of 1168	688	WScript.exe	svchcst.exe
PID 688 wrote to memory of 1168	688	WScript.exe	svchcst.exe
PID 688 wrote to memory of 1168	688	WScript.exe	svchcst.exe
PID 1168 wrote to memory of 1512	1168	svchcst.exe	WScript.exe
PID 1168 wrote to memory of 1512	1168	svchcst.exe	WScript.exe
PID 1168 wrote to memory of 1512	1168	svchcst.exe	WScript.exe
PID 1168 wrote to memory of 4720	1168	svchcst.exe	WScript.exe
PID 1168 wrote to memory of 4720	1168	svchcst.exe	WScript.exe
PID 1168 wrote to memory of 4720	1168	svchcst.exe	WScript.exe
PID 1512 wrote to memory of 2836	1512	WScript.exe	svchcst.exe
PID 1512 wrote to memory of 2836	1512	WScript.exe	svchcst.exe
PID 1512 wrote to memory of 2836	1512	WScript.exe	svchcst.exe
PID 4720 wrote to memory of 3796	4720	WScript.exe	svchcst.exe
PID 4720 wrote to memory of 3796	4720	WScript.exe	svchcst.exe
PID 4720 wrote to memory of 3796	4720	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
"C:\Users\Admin\AppData\Local\Temp\776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2836

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
b30e3cdc933f2c50e22656f6aa204a4b

SHA1
091a0f0d6b32aaaa2d16cae1a5053ddcbe6866a7

SHA256
bf93ec867a64fb218d4da06aefc3fd965524a633f940bbe2c9ceb95b075b28c0

SHA512
ac46b081c50567ee2ad03ac63a7178dfeb3dbd05957e1b828e74c07735fa0f06d4baa97713b07e6f261fe9d064dbcb921074b7aac89c37ac9ef5265a3b720833

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
d145449e3306c13d161ed0ed4dac1cc9

SHA1
62248f400b5c6e14cc297256bc237cb2fab2391e

SHA256
ff71cd2d8af93d83dca130368d7432f5c2f50998a92c20cabe8d629d745f186f

SHA512
2f763530eb02126b3e2e4cff548ec00c80082dafe629677049eb56d6329c841a37509239e7904ee0e0e7223afb05b2e3f9aedba7dc3a13aeeb0f1b12a0b8aae9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
626e475e3c4602daf3163a353d3b3708

SHA1
f5a34b5ec782d9e2d157979c22954adfff17e9c0

SHA256
581ef9c48edf443af6a466c5a9dced343f66784c2c9361128684211be596a36b

SHA512
fc7784353786b129eef0622803b98dae79249d7423b2a6dad7206f6c2a3d009d62ff82b2fbbca8b314f3b5466e5f8b358f2b49dc3347ef0e10c74c0ed49d5d54

Download Submit
memory/4352-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads