Analysis

  • max time kernel
    135s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 02:20

General

  • Target

    63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe

  • Size

    1.1MB

  • MD5

    7c6a9f2272627735bed8733b41883e68

  • SHA1

    59bc71e40b4f1c4bda641b75e67108903d712244

  • SHA256

    63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048

  • SHA512

    47a5528a26d7b8075687517066673345ddc6c567b1022f28e988c14f91527077ba951b6f131e8287a0733f72f9a8d5d9f739518d9c0fd7cdc25006b2bdd0a84c

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QI:CcaClSFlG4ZM7QzMf

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
    "C:\Users\Admin\AppData\Local\Temp\63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3792
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3700
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1452
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:5028
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:396

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    5f762b3b2477d92959f29d768008d453

    SHA1

    ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

    SHA256

    5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

    SHA512

    fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    14967aa9c40b54f9102b1038ebad1b93

    SHA1

    5489c7748746bae13b6735da46acfdce769092c3

    SHA256

    465a87cce140f4ac2059fabb75e5c8d48dd36d62aeb7d2f4b887b942b2010c64

    SHA512

    b61b1fdf128ade698228ca69c091485f3c73d461d99725a7efc50db1551f2afc2ab8ec40fdd493d45a9cd5ab925a48b3a2a13d40d24ac37776cc5b55fe864430

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    f268d500a9f68c339adf73b9d33c0bc4

    SHA1

    4349d35f44ce8f906a62bb70a62440855377601e

    SHA256

    5ad7f857103de0f878b2bb6e3a5fe8694a6dfed5beb12758acd72ec84f70e53b

    SHA512

    cc0914f2dcf47e9ee749d710b58f301c6a97cf24cbc98f78203654f87e18fadfbecc44b9ec45674fee9e0eb882547800ebcf54eb2672df41ec5e5c922aa1496b

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    bf78504cf7d4d8d04b5a65c4fa2b5b68

    SHA1

    f84c8d289c007c3b7acb3f4214413c4b1e5b53fc

    SHA256

    5c0f6c97df1ecb5efc63ee8f47d17748915c4b4ffd479af327b651ea7caf17e6

    SHA512

    ea43d27ebdd978c5e209daba18f9783dd441d6b528655f27bbe7c0d3bd5dc897285e6a88fa18a202eed0f335f99323789f142bc1d7e28376b6e6b69fa8b18e77

  • memory/3680-8-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB