2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe
Size

1.1MB
MD5

d82c61be6e50cd1da8b6dcc1349753a5
SHA1

1e06757cd6e1247f3a5b312b5c3327695383ac41
SHA256

2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132
SHA512

e20b9d8c595cce888bf167eace5448a03b06594a38bda9bb4e9a9195ffcc2cdb9aa0ac376af48d4276b0c85de48edefd7da357883d54693a61fe4650f3231213
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q9:CcaClSFlG4ZM7QzMG

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe

Deletes itself 1 IoCs

pid	Process
1936	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1936	svchcst.exe
4364	svchcst.exe
2924	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5036	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe
5036	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5036	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5036	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe
5036	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe
1936	svchcst.exe
1936	svchcst.exe
2924	svchcst.exe
4364	svchcst.exe
2924	svchcst.exe
4364	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2012	5036	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe	82
PID 5036 wrote to memory of 2012	5036	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe	82
PID 5036 wrote to memory of 2012	5036	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe	82
PID 2012 wrote to memory of 1936	2012	WScript.exe	88
PID 2012 wrote to memory of 1936	2012	WScript.exe	88
PID 2012 wrote to memory of 1936	2012	WScript.exe	88
PID 1936 wrote to memory of 2972	1936	svchcst.exe	90
PID 1936 wrote to memory of 2972	1936	svchcst.exe	90
PID 1936 wrote to memory of 2972	1936	svchcst.exe	90
PID 1936 wrote to memory of 4656	1936	svchcst.exe	89
PID 1936 wrote to memory of 4656	1936	svchcst.exe	89
PID 1936 wrote to memory of 4656	1936	svchcst.exe	89
PID 2972 wrote to memory of 4364	2972	WScript.exe	93
PID 2972 wrote to memory of 4364	2972	WScript.exe	93
PID 2972 wrote to memory of 4364	2972	WScript.exe	93
PID 4656 wrote to memory of 2924	4656	WScript.exe	94
PID 4656 wrote to memory of 2924	4656	WScript.exe	94
PID 4656 wrote to memory of 2924	4656	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe
"C:\Users\Admin\AppData\Local\Temp\2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2924
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e1436721f13b1068492a3f1441e3753b

SHA1
bda01815a6b44692b682232547108696a2a1fbc1

SHA256
cda425b4c79be91c5c2d6e2c0cf4c8bc25e5a1ee16f6e46538f67fc3c9a19050

SHA512
2238887820e971db378dad79ac677c764b1482a7b6654518af93c4a198d20441671ef7b03c1a44572f759d1858e7e27c98805f8bf34f74755ee790add6f178be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
10b8a568ceadb3c9da0e3e368f2b4c5f

SHA1
3a48fccb573ce9713a6e51819322aaea4b003777

SHA256
0719d2b5b5405336d2084a174a754b7b6d13e654b41ee0c2aaa88de53be99629

SHA512
1f3dec73414de58b8b1c958ddd4fddc40b80eba09ae82912be74116656cc9c28960b85d6abdd5832b95725ef35cf11518ca940e630a0c770ef28aad2279915f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0ead5de06a9748320790ac475a6135f5

SHA1
b2737bb892ed562974774310a93ecc868f567ff2

SHA256
d508d83204ac70229f4ee915de50e0187c788ec28c48d8df6df2b8e70bbdb3bb

SHA512
7e8b3e83bdc412d34887f680a281f674f161fb4c28914217a46c28957150acf3a2144f2c8294bbe70d36289000e191825b8513d0e7050e7ae938a5e3595466e3

Download Submit
memory/5036-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download