aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 23:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe
Size

1.1MB
MD5

49500c9786c108a22fd7ac68e205840d
SHA1

b4e45babbd286bc2d90732e53f2de7e68a8a9623
SHA256

aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136
SHA512

4dd79edd9c11e9a21746b5b09108e64a9567dd730982860fc55291577b03cb99cca7463e87409367e7229ebf7b45ec690db7ef2487a45f6ca8fb3938247fe7ef
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QL:acallSllG4ZM7QzM8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1604	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1604	svchcst.exe
4184	svchcst.exe
1240	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4268	aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe
4268	aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4268	aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4268	aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe
4268	aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe
1604	svchcst.exe
1604	svchcst.exe
1240	svchcst.exe
4184	svchcst.exe
1240	svchcst.exe
4184	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 1372	4268	aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe	84
PID 4268 wrote to memory of 1372	4268	aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe	84
PID 4268 wrote to memory of 1372	4268	aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe	84
PID 1372 wrote to memory of 1604	1372	WScript.exe	91
PID 1372 wrote to memory of 1604	1372	WScript.exe	91
PID 1372 wrote to memory of 1604	1372	WScript.exe	91
PID 1604 wrote to memory of 3896	1604	svchcst.exe	92
PID 1604 wrote to memory of 3896	1604	svchcst.exe	92
PID 1604 wrote to memory of 3896	1604	svchcst.exe	92
PID 1604 wrote to memory of 2132	1604	svchcst.exe	93
PID 1604 wrote to memory of 2132	1604	svchcst.exe	93
PID 1604 wrote to memory of 2132	1604	svchcst.exe	93
PID 3896 wrote to memory of 1240	3896	WScript.exe	96
PID 3896 wrote to memory of 1240	3896	WScript.exe	96
PID 3896 wrote to memory of 1240	3896	WScript.exe	96
PID 2132 wrote to memory of 4184	2132	WScript.exe	97
PID 2132 wrote to memory of 4184	2132	WScript.exe	97
PID 2132 wrote to memory of 4184	2132	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe
"C:\Users\Admin\AppData\Local\Temp\aeb3d7639c06facd1ce8a4e98dde91f1ea64a6bd3c13b06b28a5ee2f370f8136.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1240
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
31cef5f4c5bc5e2e00b6c0d291401da5

SHA1
09ee26353ef339f9058d9646186aee8a57e59aab

SHA256
6979fb825ac3e3e8c995a84727ec51f3231e33d9f879967270db4f6cef475205

SHA512
04720772ae3932a873203fbdba74646dfabf484dfb5f66ecde7813e023a965a37663f9bcfd6beed8cf3252419ab6babc1476d4c04de1fe0783394ca8244c31fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5af46b973ea1a3c21906538b5bb76874

SHA1
6635db6a2477de3ff59f2678ed0e7db918471191

SHA256
1853294b1867e22142742e8c1b89e43734b3ba90eb4ff9d8ed934b3e82257318

SHA512
7ca281b3264bdb46a1659be748fa25d9b5830e381e01afe0e174926acc4a5966fa7f945249f23896a8ce75f87ee203a2052333e60434edec432090adc197612a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d6407f7ae0cc946cc4dda022c1598885

SHA1
ed9f3858923ec1ccd9e1838137cc20f9dde49c04

SHA256
0b9e30dc2df565a6bb9cff2399aeea6d812fe534b43a3595615cee43d9fd9696

SHA512
8569971a9ce89b67c956d090f68670a11725ea33e87ea00c62596a3f9e96f0d6393ee6717213d3fd2e5ca9ce5ddc449c6f2fd81fc2ac913a95db64d883e69cd4

Download Submit
memory/1240-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1604-13-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1604-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4184-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4268-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4268-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download