63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048

General

Target

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
Size

1.1MB
MD5

7c6a9f2272627735bed8733b41883e68
SHA1

59bc71e40b4f1c4bda641b75e67108903d712244
SHA256

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048
SHA512

47a5528a26d7b8075687517066673345ddc6c567b1022f28e988c14f91527077ba951b6f131e8287a0733f72f9a8d5d9f739518d9c0fd7cdc25006b2bdd0a84c
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QI:CcaClSFlG4ZM7QzMf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

3792 svchcst.exe
Executes dropped EXE 3 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exe

pid process

3792 svchcst.exe
1452 svchcst.exe
396 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3792	svchcst.exe

pid	process
3792	svchcst.exe
1452	svchcst.exe
396	svchcst.exe

Modifies registry class 5 IoCs

Processes:

WScript.exeWScript.exe63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exeWScript.exesvchcst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exesvchcst.exe

pid	process
3680	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
3680	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe

pid process

3680 63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
3680	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
3680	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
3792	svchcst.exe
3792	svchcst.exe
1452	svchcst.exe
396	svchcst.exe
396	svchcst.exe
1452	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 3680 wrote to memory of 1588	3680	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe	WScript.exe
PID 3680 wrote to memory of 1588	3680	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe	WScript.exe
PID 3680 wrote to memory of 1588	3680	63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe	WScript.exe
PID 1588 wrote to memory of 3792	1588	WScript.exe	svchcst.exe
PID 1588 wrote to memory of 3792	1588	WScript.exe	svchcst.exe
PID 1588 wrote to memory of 3792	1588	WScript.exe	svchcst.exe
PID 3792 wrote to memory of 3700	3792	svchcst.exe	WScript.exe
PID 3792 wrote to memory of 3700	3792	svchcst.exe	WScript.exe
PID 3792 wrote to memory of 3700	3792	svchcst.exe	WScript.exe
PID 3792 wrote to memory of 5028	3792	svchcst.exe	WScript.exe
PID 3792 wrote to memory of 5028	3792	svchcst.exe	WScript.exe
PID 3792 wrote to memory of 5028	3792	svchcst.exe	WScript.exe
PID 3700 wrote to memory of 1452	3700	WScript.exe	svchcst.exe
PID 3700 wrote to memory of 1452	3700	WScript.exe	svchcst.exe
PID 3700 wrote to memory of 1452	3700	WScript.exe	svchcst.exe
PID 5028 wrote to memory of 396	5028	WScript.exe	svchcst.exe
PID 5028 wrote to memory of 396	5028	WScript.exe	svchcst.exe
PID 5028 wrote to memory of 396	5028	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe
"C:\Users\Admin\AppData\Local\Temp\63b25ef758719f67eecd0c7b3d7cfaff7a4b8bc23d611769adb825c6f042a048.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
14967aa9c40b54f9102b1038ebad1b93

SHA1
5489c7748746bae13b6735da46acfdce769092c3

SHA256
465a87cce140f4ac2059fabb75e5c8d48dd36d62aeb7d2f4b887b942b2010c64

SHA512
b61b1fdf128ade698228ca69c091485f3c73d461d99725a7efc50db1551f2afc2ab8ec40fdd493d45a9cd5ab925a48b3a2a13d40d24ac37776cc5b55fe864430

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
f268d500a9f68c339adf73b9d33c0bc4

SHA1
4349d35f44ce8f906a62bb70a62440855377601e

SHA256
5ad7f857103de0f878b2bb6e3a5fe8694a6dfed5beb12758acd72ec84f70e53b

SHA512
cc0914f2dcf47e9ee749d710b58f301c6a97cf24cbc98f78203654f87e18fadfbecc44b9ec45674fee9e0eb882547800ebcf54eb2672df41ec5e5c922aa1496b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
bf78504cf7d4d8d04b5a65c4fa2b5b68

SHA1
f84c8d289c007c3b7acb3f4214413c4b1e5b53fc

SHA256
5c0f6c97df1ecb5efc63ee8f47d17748915c4b4ffd479af327b651ea7caf17e6

SHA512
ea43d27ebdd978c5e209daba18f9783dd441d6b528655f27bbe7c0d3bd5dc897285e6a88fa18a202eed0f335f99323789f142bc1d7e28376b6e6b69fa8b18e77

Download Submit
memory/3680-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads