Analysis

max time kernel: 135s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 02:20

Static task: static1

Behavioral task: behavioral1
  Sample: 63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
  Resource: win10v2004-20240426-en

General

Target: 63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
Size: 1.1MB
MD5: 7c6a9f2272627735bed8733b41883e68
SHA1: 59bc71e40b4f1c4bda641b75e67108903d712244
SHA256: 63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048
SHA512: 47a5528a26d7b8075687517066673345ddc6c567b1022f28e988c14f91527077ba951b6f131e8287a0733f72f9a8d5d9f739518d9c0fd7cdc25006b2bdd0a84c
SSDEEP: 24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QI:CcaClSFlG4ZM7QzMf
Malware Config
Signatures
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.

  description        ioc                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  svchcst.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  WScript.exe
Deletes itself (1 IoC)

  pid   Process
  3792  svchcst.exe

Executes dropped EXE (3 IoCs)

  pid   Process
  3792  svchcst.exe
  1452  svchcst.exe
  396   svchcst.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (5 IoCs)

  description  ioc                                                                                                    Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  WScript.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  WScript.exe
  Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings                       63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  WScript.exe
  Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings                       svchcst.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

  pid   Process                                                                 occurrences
  3680  63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe   2
  3792  svchcst.exe                                                             62
Suspicious behavior: RenamesItself (1 IoC)

  pid   Process
  3680  63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe

Suspicious use of SetWindowsHookEx (8 IoCs)

  pid   Process
  3680  63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
  3680  63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
  3792  svchcst.exe
  3792  svchcst.exe
  1452  svchcst.exe
  396   svchcst.exe
  396   svchcst.exe
  1452  svchcst.exe
Suspicious use of WriteProcessMemory (18 IoCs; each row was recorded three times)

  description                     pid   Process                                                                 procid_target
  PID 3680 wrote to memory of 1588  3680  63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe   83
  PID 1588 wrote to memory of 3792  1588  WScript.exe                                                             93
  PID 3792 wrote to memory of 3700  3792  svchcst.exe                                                             94
  PID 3792 wrote to memory of 5028  3792  svchcst.exe                                                             95
  PID 3700 wrote to memory of 1452  3700  WScript.exe                                                             99
  PID 5028 wrote to memory of 396   5028  WScript.exe                                                             100
Processes

1. C:\Users\Admin\AppData\Local\Temp\63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe"
   PID: 3680
   - Checks computer location settings
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID: 1588
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
         PID: 3792
         - Checks computer location settings
         - Deletes itself
         - Executes dropped EXE
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
            PID: 3700
            - Checks computer location settings
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
               Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
               PID: 1452
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx

         4. C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
            PID: 5028
            - Checks computer location settings
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
               Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
               PID: 396
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads