9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
Size

1.1MB
MD5

3fa648098db9fb665e5f3548b6620ca4
SHA1

e5dfd4dbf53dd2ed63622445df92fab0618e859e
SHA256

9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719
SHA512

ec486c02c35523187f990ade82f882713dee24e83f77d4644f09c3def68e1528ff9632cf7328069a6906b6ac98339940b1c8d3709f7dc826fa64a6411305c96a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QX:CcaClSFlG4ZM7QzMw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
1152	svchcst.exe

Executes dropped EXE 6 IoCs

pid	Process
1152	svchcst.exe
3120	svchcst.exe
3228	svchcst.exe
956	svchcst.exe
2944	svchcst.exe
1940	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
636	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
636	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
636	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
636	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
636	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
1152	svchcst.exe
1152	svchcst.exe
3120	svchcst.exe
3120	svchcst.exe
3228	svchcst.exe
3228	svchcst.exe
956	svchcst.exe
956	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
1940	svchcst.exe
1940	svchcst.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 1624	636	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe	83
PID 636 wrote to memory of 1624	636	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe	83
PID 636 wrote to memory of 1624	636	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe	83
PID 1624 wrote to memory of 1152	1624	WScript.exe	95
PID 1624 wrote to memory of 1152	1624	WScript.exe	95
PID 1624 wrote to memory of 1152	1624	WScript.exe	95
PID 1152 wrote to memory of 1196	1152	svchcst.exe	98
PID 1152 wrote to memory of 1196	1152	svchcst.exe	98
PID 1152 wrote to memory of 1196	1152	svchcst.exe	98
PID 1196 wrote to memory of 3120	1196	WScript.exe	99
PID 1196 wrote to memory of 3120	1196	WScript.exe	99
PID 1196 wrote to memory of 3120	1196	WScript.exe	99
PID 3120 wrote to memory of 1964	3120	svchcst.exe	100
PID 3120 wrote to memory of 1964	3120	svchcst.exe	100
PID 3120 wrote to memory of 1964	3120	svchcst.exe	100
PID 3120 wrote to memory of 4440	3120	svchcst.exe	101
PID 3120 wrote to memory of 4440	3120	svchcst.exe	101
PID 3120 wrote to memory of 4440	3120	svchcst.exe	101
PID 4440 wrote to memory of 3228	4440	WScript.exe	102
PID 4440 wrote to memory of 3228	4440	WScript.exe	102
PID 4440 wrote to memory of 3228	4440	WScript.exe	102
PID 3228 wrote to memory of 4080	3228	svchcst.exe	103
PID 3228 wrote to memory of 4080	3228	svchcst.exe	103
PID 3228 wrote to memory of 4080	3228	svchcst.exe	103
PID 3228 wrote to memory of 4892	3228	svchcst.exe	104
PID 3228 wrote to memory of 4892	3228	svchcst.exe	104
PID 3228 wrote to memory of 4892	3228	svchcst.exe	104
PID 4892 wrote to memory of 956	4892	WScript.exe	105
PID 4892 wrote to memory of 956	4892	WScript.exe	105
PID 4892 wrote to memory of 956	4892	WScript.exe	105
PID 956 wrote to memory of 4844	956	svchcst.exe	106
PID 956 wrote to memory of 4844	956	svchcst.exe	106
PID 956 wrote to memory of 4844	956	svchcst.exe	106
PID 956 wrote to memory of 468	956	svchcst.exe	107
PID 956 wrote to memory of 468	956	svchcst.exe	107
PID 956 wrote to memory of 468	956	svchcst.exe	107
PID 468 wrote to memory of 2944	468	WScript.exe	109
PID 468 wrote to memory of 2944	468	WScript.exe	109
PID 468 wrote to memory of 2944	468	WScript.exe	109
PID 4844 wrote to memory of 1940	4844	WScript.exe	110
PID 4844 wrote to memory of 1940	4844	WScript.exe	110
PID 4844 wrote to memory of 1940	4844	WScript.exe	110

C:\Users\Admin\AppData\Local\Temp\9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
"C:\Users\Admin\AppData\Local\Temp\9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3120
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        
        PID:1964
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
52b34b79b764a94de7da64202b7b754b

SHA1
6d04708d72454dcf43b4adb2e6a7ce2bb7c463a6

SHA256
fcb36eb0ef777dff751e231a72ea78afe9cad7f6978171cc24492fe81b62620a

SHA512
d9ec10ee29f3c14c01b7c7596aeff1458cff42e674f37cd75481e115bd1faf639f9ce21d97b52b76a1b5490edd8a2b7f9e38d29a1b69c7c8d80f503bdad713ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ee2f1fda88e9ce7ff3cafefe2cdc1fd5

SHA1
8b4004f702c78f17aa1a683a98f2f7023c39c212

SHA256
7e3c2917b0d4e73401cdab5888b15cc411569caf6bc3b07485e5c55e18c818ec

SHA512
c21267038f40699fd2696932159f9986249b9d3323066378ef74a389a77c58389c9070116566005b438229909ba1e5f03b5532f312809b317db701403355ed96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5198e3df305d5dbbb904d1a466df868b

SHA1
f92c9c1406178000c536c805db552257d33e747e

SHA256
a9d3af1e30a9a170ac8a23a3fd40956d5786b3ecdb0aaefeb326057594f0609f

SHA512
dfe4f066b902eacfb63f197fe2bada7cd706e6c4803c0da7886605bfe57a4d880603359fa73210db521cdc64bc0e08d9160be5bd0f8d1f70de67832044fdff72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
890e9220417406b57282c8d6a315e99d

SHA1
8847a5705a6a563095cbefc6aa82e11f58834366

SHA256
67ceb5e7dc5f51d9b5acf5b862eac91df628139cb9c1a9bbf2505f352693637d

SHA512
d93ee2a1358f2eea3305b5b0eaecc80fa5e58b9dce50bdfa7cf4214d3e030d9bd7fc3515e7dcc5d5056fb5f8e9681b05dfad13e805a564a5a3c7c3d322bb15ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dc65f32d2202680c2432d4daf009337d

SHA1
2c86cf027618fa784002ffa129b26b88049a93ed

SHA256
fb882f771ecc254c016be02847130dfc9ee90ca90a36803b8e32ef1ddd8dc04a

SHA512
9b5f76e0a2ecbf16e1e769b58c490231d7a1f5729b25bbf4ef30e8d86b3bcfde70e47b75d106b02e85b48b36aecd8dff9bfeddc6aa1e0c6241105a562bc53bd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ebfea4c60cdcc08e95099fe806da9e27

SHA1
142e6aebf9d2d17d5c840b3dfd7fc6255c173cc5

SHA256
6d16956e45ca62c5f2b8533ecbe9b2ef465e8e8a48437964515b8fb83670df0c

SHA512
16dc2add0f832cc3c59f03e8bc852c1cbd7393887a7c5eadeb55b6b871149e028246c9ba5d13439bbce08628d98126ee651f92352d863f0e73115f2d602be3be

Download Submit
memory/636-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download