3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe
Size

1.1MB
MD5

ca8f4f7f5c8fd3d9fb37b82f31dd724a
SHA1

8990237346c6f1bc9bc6c6a3ff7a48a56d1226c0
SHA256

3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed
SHA512

37ce6c1951d3118c9e021a59a48490dcccbf0c84989eb934caa5f73d2d720ba5d54d2f474fef988d21378aeac539ec70252101c30ec6d67cf63b92d4fc74bfe4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q+:CcaClSFlG4ZM7QzMV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2544	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
2544	svchcst.exe
2484	svchcst.exe
1964	svchcst.exe
324	svchcst.exe
468	svchcst.exe

Loads dropped DLL 8 IoCs

pid	Process
2552	WScript.exe
2552	WScript.exe
1324	WScript.exe
2212	WScript.exe
2212	WScript.exe
2212	WScript.exe
2024	WScript.exe
2024	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe
2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2484	svchcst.exe
2484	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe
2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe
2544	svchcst.exe
2544	svchcst.exe
2484	svchcst.exe
2484	svchcst.exe
1964	svchcst.exe
1964	svchcst.exe
468	svchcst.exe
468	svchcst.exe
324	svchcst.exe
324	svchcst.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2532	2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe	28
PID 2368 wrote to memory of 2532	2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe	28
PID 2368 wrote to memory of 2532	2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe	28
PID 2368 wrote to memory of 2532	2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe	28
PID 2368 wrote to memory of 2552	2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe	29
PID 2368 wrote to memory of 2552	2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe	29
PID 2368 wrote to memory of 2552	2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe	29
PID 2368 wrote to memory of 2552	2368	3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe	29
PID 2552 wrote to memory of 2544	2552	WScript.exe	31
PID 2552 wrote to memory of 2544	2552	WScript.exe	31
PID 2552 wrote to memory of 2544	2552	WScript.exe	31
PID 2552 wrote to memory of 2544	2552	WScript.exe	31
PID 2544 wrote to memory of 1324	2544	svchcst.exe	32
PID 2544 wrote to memory of 1324	2544	svchcst.exe	32
PID 2544 wrote to memory of 1324	2544	svchcst.exe	32
PID 2544 wrote to memory of 1324	2544	svchcst.exe	32
PID 1324 wrote to memory of 2484	1324	WScript.exe	33
PID 1324 wrote to memory of 2484	1324	WScript.exe	33
PID 1324 wrote to memory of 2484	1324	WScript.exe	33
PID 1324 wrote to memory of 2484	1324	WScript.exe	33
PID 2484 wrote to memory of 2212	2484	svchcst.exe	34
PID 2484 wrote to memory of 2212	2484	svchcst.exe	34
PID 2484 wrote to memory of 2212	2484	svchcst.exe	34
PID 2484 wrote to memory of 2212	2484	svchcst.exe	34
PID 2212 wrote to memory of 1964	2212	WScript.exe	35
PID 2212 wrote to memory of 1964	2212	WScript.exe	35
PID 2212 wrote to memory of 1964	2212	WScript.exe	35
PID 2212 wrote to memory of 1964	2212	WScript.exe	35
PID 1964 wrote to memory of 2024	1964	svchcst.exe	36
PID 1964 wrote to memory of 2024	1964	svchcst.exe	36
PID 1964 wrote to memory of 2024	1964	svchcst.exe	36
PID 1964 wrote to memory of 2024	1964	svchcst.exe	36
PID 2212 wrote to memory of 324	2212	WScript.exe	39
PID 2212 wrote to memory of 324	2212	WScript.exe	39
PID 2212 wrote to memory of 324	2212	WScript.exe	39
PID 2212 wrote to memory of 324	2212	WScript.exe	39
PID 2024 wrote to memory of 468	2024	WScript.exe	40
PID 2024 wrote to memory of 468	2024	WScript.exe	40
PID 2024 wrote to memory of 468	2024	WScript.exe	40
PID 2024 wrote to memory of 468	2024	WScript.exe	40

C:\Users\Admin\AppData\Local\Temp\3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe
"C:\Users\Admin\AppData\Local\Temp\3c6bd8f9df3237726799fcc45b748e68381583bedfeba731154765b9c46343ed.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ac4421f71447c6f92ce3ac17a3d9d38

SHA1
97f4ebc5875af7ee54f93ba70089361ca88da8af

SHA256
615df52b00308d2a7f8aed927fd28d1e40b5ac6cf5e6da78ec69acd149618d59

SHA512
3d7d6a0124324731462a5e71d797c77e9942371fbdda8b870cb9d035db293ef1765e1890737fd89fd1b9d56941bd04745f93c95c844057830605365367ea410e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
40d27f993c31cfdd426d24df0d35e18e

SHA1
d96b7406fecef6882856dbd41a170cee288b112a

SHA256
aa00c7b514e6b14e88d7c29bedefef8a9435955910decb52ee6579524b3c9133

SHA512
0bcba1d2cc834ca1e18bbb61b028614d3930c3430b7ca51ed580e32f770dac9a4b199753ad0a1687904b6e284901de794d96ae3540196d7ee8d315ca0bc12575

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b7eb401a726220b19f6b12069e9c20f9

SHA1
d7e5c1202ab6475608c522c3067aef4a4a81043d

SHA256
d0a0a89508b07065e35ce278f182e3d2f02b8d170b1f726121340e8ab77193a0

SHA512
6a19cf121d31c8939cc41e15e165d92124b86ebad73c13d21424f6cf3b57c22cc8eead81cd05621c4aaaeb2830ac35d61a59120f09b856a04f1756a9384497b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8e2814abefe570a9ca483bfe294561c6

SHA1
aff545d8718a69b4243b4561e560f310b0ea1668

SHA256
4703bfd07b13c99ca91f8c58a82ebe1202ac63dac4aa3090f55abcd4aa84249c

SHA512
afac54b2bbba4c2968b5c964cd3abfceca772332ff07e5cdb5500cb7530c65d0dfd6d520282c5e822ceb68d2019373d93fa112212f1662879f1fd0ae95d467fa

Download Submit
memory/2368-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download