Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2024, 20:08

General

  • Target

    fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe

  • Size

    1.1MB

  • MD5

    ccd80a68f925feaffe7ddc5d94645f4d

  • SHA1

    e775cb59c7b38446a7272c2aed315ebb69b38cd7

  • SHA256

    fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116

  • SHA512

    0488992c6fd9aee18e661ee40304104975b409bf48610513331110340a042b92a5672527e9ae6f55ce1b4e7ebf570e520ee8edb3b0ab7b9f06208aca85962f42

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qa:CcaClSFlG4ZM7QzMZ

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe
    "C:\Users\Admin\AppData\Local\Temp\fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
            PID:3028
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
            4⤵
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4064
            • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3184
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                6⤵
                • Checks computer location settings
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4564
                • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2948
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                6⤵
                • Checks computer location settings
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1920
                • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:3920

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

      Filesize

      92B

      MD5

      67b9b3e2ded7086f393ebbc36c5e7bca

      SHA1

      e6299d0450b9a92a18cc23b5704a2b475652c790

      SHA256

      44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

      SHA512

      826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

    • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

      Filesize

      753B

      MD5

      a71314f6cd3277777af5485b00c8233a

      SHA1

      2dcf01a4c964893ad9d4cfcf91ddf2d8b33e1cff

      SHA256

      81bd99047608286b1322351b397dd38238cf07fb3c1149192fb83b03d470e967

      SHA512

      2d9270c477b8d152b54ea0a7837c5dfc0292aca1ab25929ac54fd8354ef70deb0a428ea5f2f0f0ddeac5387480f4431ea772208640115a45cf18823bcfee1195

    • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

      Filesize

      696B

      MD5

      98328aa8ad181fbf0b87edfc21155dce

      SHA1

      3ca100ca64d5f62a5dceef47f414c0953fd4f559

      SHA256

      a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

      SHA512

      75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

    • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

      Filesize

      696B

      MD5

      c1f667683c1809dc2fa81d863ea10a4e

      SHA1

      dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

      SHA256

      a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

      SHA512

      e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

      Filesize

      1.1MB

      MD5

      b2a132b062db9a2f29a9509dfdda0b2c

      SHA1

      a3119506c4f9d695e01f5c43bc85d62faa09bf82

      SHA256

      ff277d4d4c954b5de62c3b2df825f54190262a900c4b24100b8742ba56119163

      SHA512

      93d2cbae1bc9e26a1b5d0c22f49471076b18e1782a2db8857f7a1ed082f386a4aedaecf7885577b0989bc2dd2118271a98943da970497915cc23dcca5e340ad2

    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

      Filesize

      1.1MB

      MD5

      292386eb35e74303581921f354f06d2c

      SHA1

      34ef79141febba916837a652c9a4446e01ee112f

      SHA256

      c2063d0492c86f89b3a6832b772c72f43ccdf3fbe3684d4e3005c0062583446b

      SHA512

      5211ec2bb701695b4336cb57a2fb63d7f7468eccd041e044aad9b24547c9a4d7c1c9580cf640dbfe817faab3c7981ac4a16c2a714cb3f0f9cabd905e1228ab2d

    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

      Filesize

      1.1MB

      MD5

      28f534a5d7a58c9bc521d19ec4a964fb

      SHA1

      f4c7a1a4350df28a640408c78c33619df44c089a

      SHA256

      8ff64812f78cfd9ce0f68e46d2d6c9c518caa9042f1f4607d0bd60cc54c817e0

      SHA512

      c5b587e1d1ab722f0c6aa49cc5aa10d53545f42e7578976b60664c3304bc2112c6dcff3a20d3aa0fd6bf7f808c46830f19ecf8d6e8e5831a60b093271b134798

    • memory/3512-8-0x0000000000400000-0x0000000000551000-memory.dmp

      Filesize

      1.3MB