63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
Size

1.1MB
MD5

7c6a9f2272627735bed8733b41883e68
SHA1

59bc71e40b4f1c4bda641b75e67108903d712244
SHA256

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048
SHA512

47a5528a26d7b8075687517066673345ddc6c567b1022f28e988c14f91527077ba951b6f131e8287a0733f72f9a8d5d9f739518d9c0fd7cdc25006b2bdd0a84c
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QI:CcaClSFlG4ZM7QzMf

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2544 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2544	svchcst.exe
2836	svchcst.exe
1756	svchcst.exe
1228	svchcst.exe
672	svchcst.exe
2392	svchcst.exe
748	svchcst.exe
2992	svchcst.exe
2688	svchcst.exe
3032	svchcst.exe
2164	svchcst.exe
1148	svchcst.exe
1552	svchcst.exe
3020	svchcst.exe
1860	svchcst.exe
1232	svchcst.exe
2108	svchcst.exe
2112	svchcst.exe
2540	svchcst.exe
2816	svchcst.exe
1628	svchcst.exe
2612	svchcst.exe
588	svchcst.exe

Loads dropped DLL 44 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2712	WScript.exe
2712	WScript.exe
2588	WScript.exe
2588	WScript.exe
2888	WScript.exe
3020	WScript.exe
1200	WScript.exe
1200	WScript.exe
2272	WScript.exe
2272	WScript.exe
1984	WScript.exe
1984	WScript.exe
1276	WScript.exe
1276	WScript.exe
1648	WScript.exe
1648	WScript.exe
2584	WScript.exe
2584	WScript.exe
1956	WScript.exe
1956	WScript.exe
1540	WScript.exe
1540	WScript.exe
1812	WScript.exe
1812	WScript.exe
2972	WScript.exe
2972	WScript.exe
576	WScript.exe
576	WScript.exe
2388	WScript.exe
2388	WScript.exe
3004	WScript.exe
3004	WScript.exe
2992	WScript.exe
2992	WScript.exe
2692	WScript.exe
2692	WScript.exe
2352	WScript.exe
2352	WScript.exe
2708	WScript.exe
2708	WScript.exe
3036	WScript.exe
3036	WScript.exe
2288	WScript.exe
2288	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exesvchcst.exesvchcst.exe

pid	process
2928	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe

pid process

2928 63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2928	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
2928	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
2544	svchcst.exe
2544	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
1756	svchcst.exe
1756	svchcst.exe
1228	svchcst.exe
1228	svchcst.exe
672	svchcst.exe
672	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
748	svchcst.exe
748	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
1148	svchcst.exe
1148	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
1860	svchcst.exe
1860	svchcst.exe
1232	svchcst.exe
1232	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
2112	svchcst.exe
2112	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
588	svchcst.exe
588	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 2928 wrote to memory of 2712	2928	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe	WScript.exe
PID 2928 wrote to memory of 2712	2928	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe	WScript.exe
PID 2928 wrote to memory of 2712	2928	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe	WScript.exe
PID 2928 wrote to memory of 2712	2928	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe	WScript.exe
PID 2712 wrote to memory of 2544	2712	WScript.exe	svchcst.exe
PID 2712 wrote to memory of 2544	2712	WScript.exe	svchcst.exe
PID 2712 wrote to memory of 2544	2712	WScript.exe	svchcst.exe
PID 2712 wrote to memory of 2544	2712	WScript.exe	svchcst.exe
PID 2544 wrote to memory of 2588	2544	svchcst.exe	WScript.exe
PID 2544 wrote to memory of 2588	2544	svchcst.exe	WScript.exe
PID 2544 wrote to memory of 2588	2544	svchcst.exe	WScript.exe
PID 2544 wrote to memory of 2588	2544	svchcst.exe	WScript.exe
PID 2588 wrote to memory of 2836	2588	WScript.exe	svchcst.exe
PID 2588 wrote to memory of 2836	2588	WScript.exe	svchcst.exe
PID 2588 wrote to memory of 2836	2588	WScript.exe	svchcst.exe
PID 2588 wrote to memory of 2836	2588	WScript.exe	svchcst.exe
PID 2836 wrote to memory of 2888	2836	svchcst.exe	WScript.exe
PID 2836 wrote to memory of 2888	2836	svchcst.exe	WScript.exe
PID 2836 wrote to memory of 2888	2836	svchcst.exe	WScript.exe
PID 2836 wrote to memory of 2888	2836	svchcst.exe	WScript.exe
PID 2888 wrote to memory of 1756	2888	WScript.exe	svchcst.exe
PID 2888 wrote to memory of 1756	2888	WScript.exe	svchcst.exe
PID 2888 wrote to memory of 1756	2888	WScript.exe	svchcst.exe
PID 2888 wrote to memory of 1756	2888	WScript.exe	svchcst.exe
PID 1756 wrote to memory of 3020	1756	svchcst.exe	WScript.exe
PID 1756 wrote to memory of 3020	1756	svchcst.exe	WScript.exe
PID 1756 wrote to memory of 3020	1756	svchcst.exe	WScript.exe
PID 1756 wrote to memory of 3020	1756	svchcst.exe	WScript.exe
PID 3020 wrote to memory of 1228	3020	WScript.exe	svchcst.exe
PID 3020 wrote to memory of 1228	3020	WScript.exe	svchcst.exe
PID 3020 wrote to memory of 1228	3020	WScript.exe	svchcst.exe
PID 3020 wrote to memory of 1228	3020	WScript.exe	svchcst.exe
PID 1228 wrote to memory of 1200	1228	svchcst.exe	WScript.exe
PID 1228 wrote to memory of 1200	1228	svchcst.exe	WScript.exe
PID 1228 wrote to memory of 1200	1228	svchcst.exe	WScript.exe
PID 1228 wrote to memory of 1200	1228	svchcst.exe	WScript.exe
PID 1200 wrote to memory of 672	1200	WScript.exe	svchcst.exe
PID 1200 wrote to memory of 672	1200	WScript.exe	svchcst.exe
PID 1200 wrote to memory of 672	1200	WScript.exe	svchcst.exe
PID 1200 wrote to memory of 672	1200	WScript.exe	svchcst.exe
PID 672 wrote to memory of 2272	672	svchcst.exe	WScript.exe
PID 672 wrote to memory of 2272	672	svchcst.exe	WScript.exe
PID 672 wrote to memory of 2272	672	svchcst.exe	WScript.exe
PID 672 wrote to memory of 2272	672	svchcst.exe	WScript.exe
PID 2272 wrote to memory of 2392	2272	WScript.exe	svchcst.exe
PID 2272 wrote to memory of 2392	2272	WScript.exe	svchcst.exe
PID 2272 wrote to memory of 2392	2272	WScript.exe	svchcst.exe
PID 2272 wrote to memory of 2392	2272	WScript.exe	svchcst.exe
PID 2392 wrote to memory of 1984	2392	svchcst.exe	WScript.exe
PID 2392 wrote to memory of 1984	2392	svchcst.exe	WScript.exe
PID 2392 wrote to memory of 1984	2392	svchcst.exe	WScript.exe
PID 2392 wrote to memory of 1984	2392	svchcst.exe	WScript.exe
PID 1984 wrote to memory of 748	1984	WScript.exe	svchcst.exe
PID 1984 wrote to memory of 748	1984	WScript.exe	svchcst.exe
PID 1984 wrote to memory of 748	1984	WScript.exe	svchcst.exe
PID 1984 wrote to memory of 748	1984	WScript.exe	svchcst.exe
PID 748 wrote to memory of 1276	748	svchcst.exe	WScript.exe
PID 748 wrote to memory of 1276	748	svchcst.exe	WScript.exe
PID 748 wrote to memory of 1276	748	svchcst.exe	WScript.exe
PID 748 wrote to memory of 1276	748	svchcst.exe	WScript.exe
PID 1276 wrote to memory of 2992	1276	WScript.exe	svchcst.exe
PID 1276 wrote to memory of 2992	1276	WScript.exe	svchcst.exe
PID 1276 wrote to memory of 2992	1276	WScript.exe	svchcst.exe
PID 1276 wrote to memory of 2992	1276	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
"C:\Users\Admin\AppData\Local\Temp\63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:1648

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:2584

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:1956

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:1540

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:1812

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:2972

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:576

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2388

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:3004

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:2992

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:2692

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2540

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
- Loads dropped DLL
PID:2352

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2816

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
- Loads dropped DLL
PID:2708

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
44⤵
- Loads dropped DLL
PID:3036

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
46⤵
- Loads dropped DLL
PID:2288

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
47⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:588

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
48⤵
PID:1308

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
7dc70018939b91bdb34e9a489eff69ab

SHA1
dd12c68d45f892be95a7308e80f2e9d9d3fd2bff

SHA256
79d12c23e23315f2dd9ed905c0b0ca70987782b84d807886d24fd2c973ee6458

SHA512
532f70e300d17a608602bfec5329e22b5930a8caf845c9d3ef666854f97e868cd59d347d579a144ff302c18f7ac6b39dea8c95da39ad23908269902c4dec5de6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
3436c1c6420b4dd3e950884257e8b45d

SHA1
4889f8460c4c1b1fc3f357a03df6ca7fac272fbf

SHA256
88d11bc6a0ed417ee8dbbc8ec0894c9b616480afec00a30256ca41150aab17b8

SHA512
7960190b3738a018b0c04804e673662b6227bc397fa6a6ca2b1b1041ed7403f4dbe80f7aa6d63484f1f49c98361f27dd425b95b4c6fafedafb5f1e864b3adeb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
8b412aa0b6687b4da946906a06c460fa

SHA1
180bb2d6f0645242e91d23e76043c0301916f7f5

SHA256
923ae6b14f6c2bebf34efcf9db8485390ca298cdb952df04bc457df9c45647b3

SHA512
73d949f5159a7c976e250d20b975fff6469d5c41b47488d9738a3466dfb372c7977846f6d8fbf676e07715a5fe284ca1597b74f090e0b55301314f71522ac143

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
c4e7c6e63669b7ac19a2abc4d482e577

SHA1
0b715c1b8c52526a168c5972ce10621deb7454cb

SHA256
44ce88ac30afb018736ddeb48d6592af936aa52a424f3630ed07f9ff016b3a58

SHA512
f95b66230ceb77d9ce412c472376233324766a3b31adcfe85797f5628b933811c970a7c538ebb06e5c66418656766704206c178745f71bec63bbbabab46af747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
de02af79f5a883bf672f849e0f5ff149

SHA1
9a7bf2428882efdf21d2cbe8d20c4b408cc8500c

SHA256
fbb3a954eb0fe6352030f20e6916db5fbad990b776824d6485c6d5133a5c0d4d

SHA512
16e7b4c4d0503c4df9141d7764b9f3e3b9efeddf957103040d16a0ed92dd1cb921a88263f5a0a07d9ca564f56bb83f8b6588a20c711b6e6d628993269069d694

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
836f1c4901626b65b004e19a7837186a

SHA1
5f6519ff501abb4f13e74aea4ee0bafbb47a0ee1

SHA256
57ac21d55e62fa285c92627c59349e6c6b168605fa98ce768bee0b16b297b0bc

SHA512
0e2e40aa27c0422edf3b8e6ca22f5f84649dc2c91eb554b1014777efc68d32888e6bf35b28160f9c99cf6ebe972c69f58d9a74c496d4de8f1e80a0822cc40c50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
a1305f774c1b3043dbd9b49e7d6cad0f

SHA1
fcf8fb97afb6a7294e99c27809d98b1441b55970

SHA256
7a88f74a6a04f48285ab3ed4bef7b04692714e8b535503cfacd5593e34b43422

SHA512
aaa2e7ce2ef254e9919f77b0ea0cb59e247f52f96e67206468f7ebddb91dbdd09ff7f997c6f15194861d727eef3ba575d02080533ac7d16275deda8ef7f242be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
678e87811937e09a6ec299028e082f7c

SHA1
8709bafff1c14c4c9d6196c16e12c8cd93962bdb

SHA256
a48937995198409c03258a9bf450cb14448aa5069834711ed180c044e4d12e45

SHA512
8d65a8973273970a4eddeb095d337220a6c61a57dd66df29732b6087195c92374d4b6106670b7914d56e72a00c29fb56192c50a92d27176f1c4b5aa16d220198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
6746450302c0070c3c419f3c1489b92d

SHA1
b871ffc3f8b543bc16468b56994cf38dab795cf0

SHA256
4dd83167f3bcf73756baf95416075e2ee78d36426d8a0a24ff81c70adbcd6652

SHA512
81a97ef88818154683e1f8dd3034dd32b831cd933f5bc01df73dd56755192f6173fd9fa1ec50d9d64c544e745d986e915fe6fafecb59c261d31040bf4d72bfc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
37477a38ff1a22b8cd48c70c6a886360

SHA1
7e7be5e74f9499163a08fc55305f5ccb5ba2630e

SHA256
cc666e348c0300d44c33d0e72052b12c21534ebd238cd79568812ab5b89ec77e

SHA512
bcf1a5c1c9b1a2c15eb095a334ec8406fcdf8b1470cb17a109ca1486c3006ff719588d78484abf393ba6459ad0e27ceb9851b3629a25b8c5e5d287ea286aaeea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
417eba9feaa12889aa30c92913ecaf0c

SHA1
173aecc0497f7840edf436ba9bb50555c5937ed7

SHA256
2ee5ec5fe0e704c4f716982154ab85f6c0986cdb75a0635cda7a19c8cbf6caf7

SHA512
2d3532f4a54ff961e588d6ac005962042c0b82c54169c8571f6f59c609f0d653b70523ee057a33327e70355bbfa2f48c58482def211806253d3cd4e1c401ea75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
5a2a5054c16119e4e76095265191bcf4

SHA1
895bbf500498372b4edf93f9bb8f2df07ff84bd8

SHA256
5aa6f2f6ac94130cc70792c2f8df9831fd82cca208a94e0fdc569c5ef97a98c9

SHA512
04095feb798f5ab4282ce2d06aee3b61cd46f4fc1a3f639f43fa7c833b7d8f916c030da8d133adbf1864bc23c9e3bc5deec15c28b7a2c91d93b5cee6c7f60431

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2928-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads