362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d

Analysis

max time kernel
129s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe
Size

1.1MB
MD5

c87cf4fa1351ace7a8a1051c08cba053
SHA1

a9a54dc04ad5627370e6cab2c5d87dd6a6451bac
SHA256

362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d
SHA512

b334e1cbc71155538925d1362952936aefda0867ecae0f508f17706c2538ebba0b17a5e750761d1d61de4fe96ba189e7e5e642ff15436768d609ec42a975351a
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qo:acallSllG4ZM7QzMv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1248	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1248	svchcst.exe
2448	svchcst.exe
3828	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1824	362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe
1824	362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1824	362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1824	362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe
1824	362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe
1248	svchcst.exe
1248	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
3828	svchcst.exe
3828	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1240	1824	362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe	83
PID 1824 wrote to memory of 1240	1824	362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe	83
PID 1824 wrote to memory of 1240	1824	362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe	83
PID 1240 wrote to memory of 1248	1240	WScript.exe	95
PID 1240 wrote to memory of 1248	1240	WScript.exe	95
PID 1240 wrote to memory of 1248	1240	WScript.exe	95
PID 1248 wrote to memory of 3776	1248	svchcst.exe	97
PID 1248 wrote to memory of 3776	1248	svchcst.exe	97
PID 1248 wrote to memory of 3776	1248	svchcst.exe	97
PID 1248 wrote to memory of 2096	1248	svchcst.exe	96
PID 1248 wrote to memory of 2096	1248	svchcst.exe	96
PID 1248 wrote to memory of 2096	1248	svchcst.exe	96
PID 3776 wrote to memory of 2448	3776	WScript.exe	100
PID 3776 wrote to memory of 2448	3776	WScript.exe	100
PID 3776 wrote to memory of 2448	3776	WScript.exe	100
PID 2096 wrote to memory of 3828	2096	WScript.exe	101
PID 2096 wrote to memory of 3828	2096	WScript.exe	101
PID 2096 wrote to memory of 3828	2096	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe
"C:\Users\Admin\AppData\Local\Temp\362a901e9bc4f9b5e8bf52abda47c056f13e7c4c591ddb0097a014909cbadc5d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3828
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
57e51d7e4374cd875109b11b9b8deb29

SHA1
aa5554bdcf8417f4b5fc9242f1de625e2fb820bf

SHA256
054ccb4671ec5693715c290f0bed875878cda62addcb38ef21257c59037fe30a

SHA512
6f58d52a71466d92d7da68e1bfdd91db03619d810eae2622b4e5623d2ad4e30e294d885c8c5405b775aa3256e3acbd0442a3bb2a4b6eb50001ee5f8848d66da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8ba8e317a58afb9aae89accf84873abb

SHA1
06e55a7ca40e6e2be34e2ddd1d03e6bfb0faba53

SHA256
388e7cdb421ad145bbd9808e6a6e1a8ee575b28d755f52840b754255f9a98b7d

SHA512
7ed1763963864e040db83adcd05c20f2685d6c6d4c6f61f80537335d5a5747865d7661c9e07d5fa9f159a77358324eaaa116132711f0982d9cd4b75499b4fb1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b102d5dd91abddb9857b10a18bd79e98

SHA1
07bbdc03258234b54af1470a85faa320a57063cf

SHA256
db40c4685c3d065edf67045405b4a5711695e20a0feeac0f73dfe1bcf6078782

SHA512
599e651ecf7c5ff7715a88d76ecda54a23b5994091a4ccb40c9741036b57ffb0030a2ca100a3b06a7ea59cb26b40aecb3c694e0aeb660d86f05f53b7971d292b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0380175d54f1169aded3892edaa3cf7a

SHA1
8d0f72271b664f5c993fafff559d586a3a677f59

SHA256
4d019e4b7e0946a44c86f71c53a87cfb4eaec01e6d58396fd09b2afc0d5d3929

SHA512
c0ae0429999b22ebe60984b3a42f5705f29a34ef17a6e55e6b88d8cf4f27d410e7036d10811bebd2710de4e34227bd146c066b5d3cf6a3053c2e14f06040ba12

Download Submit
memory/1248-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1248-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1824-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1824-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2448-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2448-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3828-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3828-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download