995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe
Size

1.1MB
MD5

b096071baa11d86d27bc6f95175ba977
SHA1

98bd276a266309fa8c59f87f3ab1403ff83a297e
SHA256

995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940
SHA512

b7b6c92e7d1355ffb13b3dec7d0c26d6de6e0f2c6cdafaf9655230559ba1d16ed54581d2c51dba19232aa8a122e1895352804478015e52af3d74be9fd7d8b6f1
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qw:CcaClSFlG4ZM7QzMn

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4040	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4040	svchcst.exe
1044	svchcst.exe
3484	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4296	995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe
4296	995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4296	995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4296	995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe
4296	995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe
4040	svchcst.exe
4040	svchcst.exe
1044	svchcst.exe
3484	svchcst.exe
3484	svchcst.exe
1044	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4036	4296	995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe	82
PID 4296 wrote to memory of 4036	4296	995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe	82
PID 4296 wrote to memory of 4036	4296	995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe	82
PID 4036 wrote to memory of 4040	4036	WScript.exe	88
PID 4036 wrote to memory of 4040	4036	WScript.exe	88
PID 4036 wrote to memory of 4040	4036	WScript.exe	88
PID 4040 wrote to memory of 3772	4040	svchcst.exe	91
PID 4040 wrote to memory of 3772	4040	svchcst.exe	91
PID 4040 wrote to memory of 3772	4040	svchcst.exe	91
PID 4040 wrote to memory of 4852	4040	svchcst.exe	92
PID 4040 wrote to memory of 4852	4040	svchcst.exe	92
PID 4040 wrote to memory of 4852	4040	svchcst.exe	92
PID 4852 wrote to memory of 3484	4852	WScript.exe	93
PID 4852 wrote to memory of 3484	4852	WScript.exe	93
PID 4852 wrote to memory of 3484	4852	WScript.exe	93
PID 3772 wrote to memory of 1044	3772	WScript.exe	94
PID 3772 wrote to memory of 1044	3772	WScript.exe	94
PID 3772 wrote to memory of 1044	3772	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe
"C:\Users\Admin\AppData\Local\Temp\995cadb9d5e5805724c22e3c0df6a975172c53029a3a2c6629170d6f62579940.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3772
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a442c6752f69264e8a5e48043883fc33

SHA1
d803757b566dbde31bffb4ba227da94a5c280d3c

SHA256
278282d90070f8866c168333552969d3976b422ba8fb01582004465bcfb2cfb3

SHA512
703d68d48f0d3ad2d45457204d3f789df9c8a5fdcfa83ae5c28e29644bf284d7b81241bac0d8330ee98a84cacbd0c8eacdc9e14b1bb0ed90cb907437839eda86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c6d3daae7cb362152020047cb956dc

SHA1
4d70b60a43d37fbfea1be333aad269606ae3d3a7

SHA256
b35a71753d085b170fca9949910d93671a298e1fcc05cf0cdff308dba4d12324

SHA512
37098e0594a21439720df6adc851063d275020c7a337326cf0f83c8fce79ac210bd42c5458e49e560c4641b569be88b34ee5ee99dccba5c2655fee127c21e110

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6d738f02e09204172f6f8081139f4f12

SHA1
9be40d58f855f97523aeeb1a743e93defe5d3cab

SHA256
5ec3712c8ec9a036815e6d344d14729cb99d97bd58f46a626df43da884ee5021

SHA512
8d9c2ab97304ee80d7f899de593b61726231383fd6b4816c9b1e96f32a3f0fdeec6c538b02f4c026ac888b00762628ae681be3a144f0704746672041b5bcf5dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
43466aada728545d8dfd4e0492271faa

SHA1
167edd1abbcfda8eb67cdf63de3d0c3469016138

SHA256
ab1d4a437efe6d3fe053320e85226658894f04e8501b45d062b66f60847c9f0d

SHA512
26c1e107d5275748d729f1ec0ecd924814689931e9d4a2ac7e8634d1864dbbfe0366c8d82ad49bd42941999b8d24bdad5c198f240138a73659152bf814b2d3de

Download Submit
memory/4296-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download