326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
Size

1.1MB
MD5

6ad15bf2c2aac8d4713a89ec8fb5c553
SHA1

d857cfcd40b1004ea8554793d6f72321195d0e31
SHA256

326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66
SHA512

fe50a0d192acc8ace4a2f5bddcd54eb48c49683d086cfeb9e664c20c71666ab07e5d6ac93cfd08ebf45e8e9192459e47dc826f8c507791577711020285e33ce3
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qf:acallSllG4ZM7QzMI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2336	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2336	svchcst.exe
4828	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
2336	svchcst.exe
2336	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 1884	3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe	83
PID 3136 wrote to memory of 1884	3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe	83
PID 3136 wrote to memory of 1884	3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe	83
PID 3136 wrote to memory of 3368	3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe	84
PID 3136 wrote to memory of 3368	3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe	84
PID 3136 wrote to memory of 3368	3136	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe	84
PID 3368 wrote to memory of 2336	3368	WScript.exe	92
PID 3368 wrote to memory of 2336	3368	WScript.exe	92
PID 3368 wrote to memory of 2336	3368	WScript.exe	92
PID 1884 wrote to memory of 4828	1884	WScript.exe	93
PID 1884 wrote to memory of 4828	1884	WScript.exe	93
PID 1884 wrote to memory of 4828	1884	WScript.exe	93

C:\Users\Admin\AppData\Local\Temp\326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
"C:\Users\Admin\AppData\Local\Temp\326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
cb69861b145442482c1b7fde5bbf65e1

SHA1
64c99711b9c386f18b98fb56246e8721e7cc04e2

SHA256
5f73990f6ece09f0be8d964502dea40580dc790ddd3fdff72da7065f8a517bb9

SHA512
210b66759a92d5d406c67ddd03f4f8c828ed04c40eaae344393565eb2b469936c1f5a407a51e2da8d5b6f457b0adc23933ed603680d5db8683a4927b6ad0e3ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
672055021ab19849900680576c14404a

SHA1
b151af927012933bf12b8952ad3bad280d9e9c19

SHA256
8194db06665960372954270f1b19d752dc6ae89a00c9cca3cd9b264adae01bce

SHA512
6e5ad07adeae96d096f9140afc255f0d85d79f61b41c8b2546cc741507c417d390f727821b8137eaa77b8316898709045ec6f09f5ccc0894e0b95518ed21a951

Download Submit
memory/2336-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3136-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3136-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4828-13-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4828-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download