6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 21:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe
Size

1.1MB
MD5

7e81a9cd62cf4f99e0a3c7332bc789a6
SHA1

d062d8499d6a59864f1b26b151a5af94db5cc523
SHA256

6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660
SHA512

3fbdaf0955cee5adc6793ac1a7ca7fe7197f3a8560015e92aba057987dd8e2abd8118b4f6805957ba1a750a254f4bd3684ae2f4413c1414b2c19fb9021cb7db8
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qy:CcaClSFlG4ZM7QzMR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3176	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
3176	svchcst.exe
4328	svchcst.exe
864	svchcst.exe
1300	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2444	6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe
2444	6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe
3176	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2444	6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2444	6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe
2444	6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe
3176	svchcst.exe
3176	svchcst.exe
4328	svchcst.exe
4328	svchcst.exe
864	svchcst.exe
1300	svchcst.exe
864	svchcst.exe
1300	svchcst.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 4056	2444	6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe	82
PID 2444 wrote to memory of 4056	2444	6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe	82
PID 2444 wrote to memory of 4056	2444	6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe	82
PID 4056 wrote to memory of 3176	4056	WScript.exe	94
PID 4056 wrote to memory of 3176	4056	WScript.exe	94
PID 4056 wrote to memory of 3176	4056	WScript.exe	94
PID 3176 wrote to memory of 2476	3176	svchcst.exe	95
PID 3176 wrote to memory of 2476	3176	svchcst.exe	95
PID 3176 wrote to memory of 2476	3176	svchcst.exe	95
PID 3176 wrote to memory of 3236	3176	svchcst.exe	96
PID 3176 wrote to memory of 3236	3176	svchcst.exe	96
PID 3176 wrote to memory of 3236	3176	svchcst.exe	96
PID 2476 wrote to memory of 4328	2476	WScript.exe	99
PID 2476 wrote to memory of 4328	2476	WScript.exe	99
PID 2476 wrote to memory of 4328	2476	WScript.exe	99
PID 4328 wrote to memory of 1708	4328	svchcst.exe	100
PID 4328 wrote to memory of 1708	4328	svchcst.exe	100
PID 4328 wrote to memory of 1708	4328	svchcst.exe	100
PID 4328 wrote to memory of 1196	4328	svchcst.exe	101
PID 4328 wrote to memory of 1196	4328	svchcst.exe	101
PID 4328 wrote to memory of 1196	4328	svchcst.exe	101
PID 1708 wrote to memory of 864	1708	WScript.exe	102
PID 1708 wrote to memory of 864	1708	WScript.exe	102
PID 1708 wrote to memory of 864	1708	WScript.exe	102
PID 1196 wrote to memory of 1300	1196	WScript.exe	103
PID 1196 wrote to memory of 1300	1196	WScript.exe	103
PID 1196 wrote to memory of 1300	1196	WScript.exe	103

C:\Users\Admin\AppData\Local\Temp\6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe
"C:\Users\Admin\AppData\Local\Temp\6fc81134bdc16bd0dabd6e04be385f477d961f6487adaa69e187f57dfaeb3660.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4328
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:864
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1300
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
17565987fa5b3100b6d35bed261dd04c

SHA1
0496704dc219d6c13c29cbe47e99bb1cf992a115

SHA256
af572fa66766766c54e9fe64533ed8c25aa1bba744740b8a9199279d22397c50

SHA512
5c03cf2ea61d96e6ff40dd39382d4ca130e2ace399b5a1175d71261e7b7f91e3ac0bd32d6673eb2efab58496799af332e4a1ab56cdf5ba8e0f5c7e3577c710d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f7c6ebe53a7ab6f394df4f8a08d5b15d

SHA1
92c27877ae811c609c4fff30206eed087955100c

SHA256
e441df318dbdf690a52c6b7d5e8e5eb2c40417d7e7ce1e24186f83ec7fd01a45

SHA512
1018560156974f91aefe268c46167b4335213a986e4e401abbe0a66c8a8d45d80187de0286593e3e8b92efaa61e384db338b03ec3ee967d24bd2cb19ea05fd23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fddecc386097f3af936b33a96ebd1a2c

SHA1
d1fd49f864901a7f827ed0b9bc4f23b46cac7ad1

SHA256
1dbec1f84c913443090f70516ba0d287132ef653261e40dc3af987f6bd849fcd

SHA512
c03984174c96e2c5528400f7abe2c7cfd1717eca520430f773a832d5f38a058d22abd05f5f4a66f51ec36f9549b04326024b4f8610d659c28b355c1085172733

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
38748d0e450d1bf2b1d200fbb45e1d97

SHA1
24fbf77a3def7b1c3c9d50dfd19a9c50f49e1702

SHA256
8db79c23b42f0eaedd2c78711c240abb5c6313a2cff17bcd5a21f92d49e6a84f

SHA512
a8f3ceee4ebb48ac53c5bddcea9485b4e0ffb1e5a4be86130f265a308cf866e07d8b6f68e95715db6806c376e944f5520d198177ba1a94179f66d6b60b54f071

Download Submit
memory/2444-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download