d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb

Analysis

max time kernel
130s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe
Size

1.1MB
MD5

bc4f9d8abb00891a9581a326afcd7099
SHA1

a8358da5386aee4121a52ecc4db4c3487964e922
SHA256

d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb
SHA512

2a31281c0074732478eaa5c81dfa7fa4c8e4a7fdecbba92227a03bfde3b56fb002a3d6269dc0eee77b0b08d415ba3a5bb22c84823be1c5e931a7f78f435e987d
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qh:CcaClSFlG4ZM7QzMS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe

Deletes itself 1 IoCs

pid	Process
1060	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1060	svchcst.exe
3404	svchcst.exe
4224	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4592	d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe
4592	d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4592	d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4592	d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe
4592	d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe
1060	svchcst.exe
1060	svchcst.exe
3404	svchcst.exe
3404	svchcst.exe
4224	svchcst.exe
4224	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 1520	4592	d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe	83
PID 4592 wrote to memory of 1520	4592	d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe	83
PID 4592 wrote to memory of 1520	4592	d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe	83
PID 1520 wrote to memory of 1060	1520	WScript.exe	94
PID 1520 wrote to memory of 1060	1520	WScript.exe	94
PID 1520 wrote to memory of 1060	1520	WScript.exe	94
PID 1060 wrote to memory of 5000	1060	svchcst.exe	95
PID 1060 wrote to memory of 5000	1060	svchcst.exe	95
PID 1060 wrote to memory of 5000	1060	svchcst.exe	95
PID 1060 wrote to memory of 4060	1060	svchcst.exe	96
PID 1060 wrote to memory of 4060	1060	svchcst.exe	96
PID 1060 wrote to memory of 4060	1060	svchcst.exe	96
PID 4060 wrote to memory of 3404	4060	WScript.exe	99
PID 4060 wrote to memory of 3404	4060	WScript.exe	99
PID 4060 wrote to memory of 3404	4060	WScript.exe	99
PID 5000 wrote to memory of 4224	5000	WScript.exe	100
PID 5000 wrote to memory of 4224	5000	WScript.exe	100
PID 5000 wrote to memory of 4224	5000	WScript.exe	100

C:\Users\Admin\AppData\Local\Temp\d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe
"C:\Users\Admin\AppData\Local\Temp\d711e8b6723dd65ee2adefaa827d6ee4eeaa5a07c6c5274518e62ed86a19adeb.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4224
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e941c404604f780e37c7e63233301fa0

SHA1
d27c9a3b90881add1a06b41b5931267fc818ff08

SHA256
6add2531fc05662418f48a46f522fa4507053ece8d0d94a04c0c213d27da81ce

SHA512
1f448e52f5aa81f30ecf10d6222fa0913ab7a5f3c0f2c7e6a9deb231e9bf55937c4fb0f84bbaeccdd9040e163ae371daec55eff48d633cd6d6bd409433fbf4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
068b271255ffcaa101dc281613628102

SHA1
b81583b284882d31b1f14315c1a73831f9052563

SHA256
da5d99b49e8f1407b702ef1122ec7c634eb388e645e67bdce3968712cd3ad7d6

SHA512
69bf0be77022b3f3b4529a83ec80d31e275c18919f354644d79e60761a3f1dc28529e72a3f03cc22f86ebccad496b807ae5c2d11dd57afd2b1cb135484224965

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
05a5928893c4590922b6f2f012200b32

SHA1
2b256b8ab38a43c51d2d2ff4be7405c2d5d93fc3

SHA256
3d06acc69a4230f4c89fd72789517e09fd161483deda1c7a6353a83d1f8e5eb5

SHA512
3e465f83422563183ab9995a7c7d80f7fccb37dfa887cc86e3b0c6fa05b4dafc6ed6ab5e0f3572bc66dd28843c591d72da969f0238e7312c19c6044443e86188

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
073b681a1c3b7e286fe2e2117933cca3

SHA1
7986338438d22ec284d05c5a37f741775962a707

SHA256
9f17cab4bc7794d2324db4887c686d6474288fbb6b48b3176d1af60fe2632d96

SHA512
bcebdee7321737f8304422194399ae89a8ce12a76106815432d98e4be47b77a60989548082cf0d10ef3103e524e3d842088ef43fb4d390d739095b4b061a60bf

Download Submit
memory/4592-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download