c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe
Size

1.1MB
MD5

8b68fc6d3cbafbdc9319b57afad93483
SHA1

453906a90ad62dd9b974abd934477fd2779dcdf8
SHA256

c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b
SHA512

9d6ba3428e9199c9a2ed9c4c3b3dec1ec7e853a98583c530cee4957669315da241a195711bc83a436c7f9d635e615c8a12f3e8eaf63642ce44099fff87451ba8
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qw:CcaClSFlG4ZM7QzMX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4848	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4848	svchcst.exe
3828	svchcst.exe
4280	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2100	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe
2100	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe
4848	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2100	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2100	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe
2100	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe
4848	svchcst.exe
4848	svchcst.exe
3828	svchcst.exe
3828	svchcst.exe
4280	svchcst.exe
4280	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 4396	2100	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe	83
PID 2100 wrote to memory of 4396	2100	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe	83
PID 2100 wrote to memory of 4396	2100	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe	83
PID 4396 wrote to memory of 4848	4396	WScript.exe	95
PID 4396 wrote to memory of 4848	4396	WScript.exe	95
PID 4396 wrote to memory of 4848	4396	WScript.exe	95
PID 4848 wrote to memory of 1512	4848	svchcst.exe	96
PID 4848 wrote to memory of 1512	4848	svchcst.exe	96
PID 4848 wrote to memory of 1512	4848	svchcst.exe	96
PID 4848 wrote to memory of 2060	4848	svchcst.exe	97
PID 4848 wrote to memory of 2060	4848	svchcst.exe	97
PID 4848 wrote to memory of 2060	4848	svchcst.exe	97
PID 1512 wrote to memory of 3828	1512	WScript.exe	100
PID 1512 wrote to memory of 3828	1512	WScript.exe	100
PID 1512 wrote to memory of 3828	1512	WScript.exe	100
PID 2060 wrote to memory of 4280	2060	WScript.exe	101
PID 2060 wrote to memory of 4280	2060	WScript.exe	101
PID 2060 wrote to memory of 4280	2060	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe
"C:\Users\Admin\AppData\Local\Temp\c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3828
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c8a291bcdab7946bae2b6cc9fc3d1444

SHA1
87457c56e1d43b548c26a2f3d058e0e576f04359

SHA256
278157ca71db464bf9920cd496c0c3f31e094793d5e078fef88c7fef3d98bcf3

SHA512
b4112a83993327821f364542ac5d7dac048bc0b1a9f379bed4c001cd45337993bbcf9ab9765f7ec455334da5f6c5f2e6875b2e7ee11559c8cf015ab27cd5d9dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fb06268b2f3ee66d9693690abd6e6a4e

SHA1
ded1b12bf515e2024970ebb69fe251781a852235

SHA256
b50ce4d3f49caac0045d5591652837f2c418b28ab73f84661a213d915fed6fb9

SHA512
454749e45ca12a11a957b7697d2d4d9b219914de0e030b42881a52ba6e3d5b94a89002154bbf9acd9e415fe0b1158810a7494b019c9b7159534d4316c5413540

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4b078a2d6e8e36c79aa2ddfcdd6d25c4

SHA1
f65dabd93c4661d8f4c944db75e4f62ab14ea37f

SHA256
7aec5f34c79df640a2b7bc485234424cfa5b612a74a5ee7c454513fcb98f25f7

SHA512
0d8f830011922e7fce4cb635a38cab50de6d8664b5af00cd5874a5a3d9b9d633f5aa2681f1eec34f8772ca99a68ab198edb7ee0b92894acae619787ac4442c4f

Download Submit
memory/2100-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download