79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1

General

Target

79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe
Size

1.1MB
MD5

083d39a50a9fd00ea942f913e008269e
SHA1

c6c6a74c78af56865b7bc97f55e759dbb710d979
SHA256

79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1
SHA512

79a2820d308e0213b7c0339fde3dcfaeb63e9ce161fd3aa1da726bb2d4b3e6cd62c1ab737574875bb33ef58d48eefd63de5fa5392c1eb701eea5e6fd33ea4126
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QY:CcaClSFlG4ZM7QzM/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

4976 svchcst.exe
Executes dropped EXE 2 IoCs

Processes:

svchcst.exesvchcst.exe

pid process

1528 svchcst.exe
4976 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4976	svchcst.exe

pid	process
1528	svchcst.exe
4976	svchcst.exe

Modifies registry class 3 IoCs

Processes:

WScript.exe79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exesvchcst.exe

pid	process
3180	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe
3180	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe
3180	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe
3180	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe
4976	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe

pid process

3180 79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exesvchcst.exesvchcst.exe

pid	process
3180	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe
3180	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe
4976	svchcst.exe
4976	svchcst.exe
1528	svchcst.exe
1528	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exeWScript.exeWScript.exe

description	pid	process	target process
PID 3180 wrote to memory of 3852	3180	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe	WScript.exe
PID 3180 wrote to memory of 3852	3180	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe	WScript.exe
PID 3180 wrote to memory of 3852	3180	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe	WScript.exe
PID 3180 wrote to memory of 5048	3180	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe	WScript.exe
PID 3180 wrote to memory of 5048	3180	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe	WScript.exe
PID 3180 wrote to memory of 5048	3180	79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe	WScript.exe
PID 3852 wrote to memory of 1528	3852	WScript.exe	svchcst.exe
PID 3852 wrote to memory of 1528	3852	WScript.exe	svchcst.exe
PID 3852 wrote to memory of 1528	3852	WScript.exe	svchcst.exe
PID 5048 wrote to memory of 4976	5048	WScript.exe	svchcst.exe
PID 5048 wrote to memory of 4976	5048	WScript.exe	svchcst.exe
PID 5048 wrote to memory of 4976	5048	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe
"C:\Users\Admin\AppData\Local\Temp\79157c6ce4c65e7877dcc85ddc01e5942127487d8bd6789ee14de386e233f8e1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
7125ae27ab12378c9ed0d4c50b9f29ce

SHA1
fa6df90474b53513f5e150ee69bc4b7a0fd00e29

SHA256
e60a72f3930ed528c80f820eaf1bd2040e574a1341c95ad6d88e5b4b0a2b52d6

SHA512
8e13352491511616484c90075c4dc18d55574158c61409e85bcb9c011367de1fdb1d05df4719d52cbed75cda6fce7d0d99c7f282bdb93e36fe14ec66aadf1142

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
9e0eb2c4a2d1789714b12c37f4e99ed3

SHA1
0a163e624bedc49b78d5d9b31d63d8df7e391f0b

SHA256
7efb48d89bd4247017f6c5377f49b6d97a376d874c93d9f3b906dd887eea4de6

SHA512
6e1a00135396f665fcb1e913f9a12cd222608d3e38409a78d6fea18b623065f5348539faba406bbc06593233f3bf6704bdf82f31988131107a865f7e4cb3d030

Download Submit
memory/3180-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads