c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 06:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
Size

1.1MB
MD5

a9dcafae76cc09c9a2a53f4b1d864ead
SHA1

36dbdf388a1215c46d8bd49c8e7d6ac4843bc9d4
SHA256

c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe
SHA512

741089c23b8311356aa2f5cf860aaa284e50957a343e7d09a0d624610186b8299a34d3bda2bb79994d2fd961a53a019a04de1591d0127d6aaba8326ad9798f67
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
4696	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4696	svchcst.exe
1540	svchcst.exe
1796	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
1856	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe
4696	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1856	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1856	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
1856	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
4696	svchcst.exe
4696	svchcst.exe
1540	svchcst.exe
1540	svchcst.exe
1796	svchcst.exe
1796	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 4052	1856	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe	83
PID 1856 wrote to memory of 4052	1856	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe	83
PID 1856 wrote to memory of 4052	1856	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe	83
PID 4052 wrote to memory of 4696	4052	WScript.exe	91
PID 4052 wrote to memory of 4696	4052	WScript.exe	91
PID 4052 wrote to memory of 4696	4052	WScript.exe	91
PID 4696 wrote to memory of 5016	4696	svchcst.exe	94
PID 4696 wrote to memory of 5016	4696	svchcst.exe	94
PID 4696 wrote to memory of 5016	4696	svchcst.exe	94
PID 4696 wrote to memory of 3140	4696	svchcst.exe	95
PID 4696 wrote to memory of 3140	4696	svchcst.exe	95
PID 4696 wrote to memory of 3140	4696	svchcst.exe	95
PID 3140 wrote to memory of 1540	3140	WScript.exe	96
PID 3140 wrote to memory of 1540	3140	WScript.exe	96
PID 3140 wrote to memory of 1540	3140	WScript.exe	96
PID 5016 wrote to memory of 1796	5016	WScript.exe	97
PID 5016 wrote to memory of 1796	5016	WScript.exe	97
PID 5016 wrote to memory of 1796	5016	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
"C:\Users\Admin\AppData\Local\Temp\c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
10ffe941ac3b45a1b27eaab090d03e3b

SHA1
4f72abac858bc7659692930176f0cd4f18e354f1

SHA256
b2a27182b84ccf59736264c5fc788f96d92a2d3a14fe7c964e0976af00956144

SHA512
638a48fe06a5e0c47e50ac67e0df2d6952e5e39620a585e5fb086d40ff61cff9bee6a6cfda6582c54e216f052dc6ba4ce5d742ae5174a987701701e67dc65544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
69a5f85ff8d8baaaf506c582db23aa36

SHA1
bca4ce6af89052bdc8322edd6cab3229b03bb6e5

SHA256
dc82aa657370f46cdd1c5dbb04aee089b972979e5d9af6aee28db768ddbea828

SHA512
4984b908cc402f33d4505fa5b0866d938f8f9805e707662e82296e809a0975934ba9ad02ad039e7d66cec278b6ddf48f0fead1d2f1ea14f7d8006dda08a0feb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
116079ac9afcf4e87dca4140f7128e61

SHA1
ae6f4f8949a01d283279f50afc3cd13869fda6fb

SHA256
508d0030c99a9913c20558bff86e997c604eefcc9c554f169e1223eec13dcaf3

SHA512
cc3d7aa6f275e8311c802346486fc35b3882eaf1a117b0eef51f56368e947f734aa3ca481cfd0d4181105cd32424e18fe9cabc61b3e9a301e818577bbef4cb34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dd36e97ba4f8ec597131b5b1a65587cb

SHA1
eaebd4f8954988ece30b3be382871bab6b6b8719

SHA256
2d3a00c9be4776d017052f0c549271f9ce8e18e5ae828670cd57e4e887815c77

SHA512
5beb2b3b3303c6eca679e2142036f5a82e84ff87558d98ba66921c41c906ada6bf686ae76e1826c522ae695c71f32ef29b86f1f0dc0aff52005d1ddf0af3308a

Download Submit
memory/1540-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1540-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1796-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1796-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4696-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download