Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/05/2024, 19:29

General

  • Target

    af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe

  • Size

    1.1MB

  • MD5

    cdef04efc558ad2f334bd8fd887f9e02

  • SHA1

    dc7b978828a8cb9c37bc16ec1dca2f461ab23ad8

  • SHA256

    af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c

  • SHA512

    8eccee22a34b50d28db3c2b6da20d5cb3043a172a4ba104d72911a9ebfb4007005506452b1b1eb9c5cfa5ad64bfc45498c67d1c4320e7903dc3dd87028abb108

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QP:CcaClSFlG4ZM7QzMo

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 7 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (7 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe
    "C:\Users\Admin\AppData\Local\Temp\af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4808
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4912
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1468
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1064
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2156
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • Modifies registry class
              PID:4308
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    9093f365eff0ef2ba201160a8ea737c4

    SHA1

    61ea59cdf091849aa03b374870307a56a45c5dcd

    SHA256

    717db9876e5bb78c72a60b79fd7d66ca8cb7ff840794dab552670b34bbfb7333

    SHA512

    6dd39a409f4bc1febe7da9f4bd63d601186b3cc8f698bd7f431118804ef46869184ccf6fd9b3b19109a6be0f85744eaa05d741a5f0717e07ec2c3362c2032f2c

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    e941c404604f780e37c7e63233301fa0

    SHA1

    d27c9a3b90881add1a06b41b5931267fc818ff08

    SHA256

    6add2531fc05662418f48a46f522fa4507053ece8d0d94a04c0c213d27da81ce

    SHA512

    1f448e52f5aa81f30ecf10d6222fa0913ab7a5f3c0f2c7e6a9deb231e9bf55937c4fb0f84bbaeccdd9040e163ae371daec55eff48d633cd6d6bd409433fbf4f2

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    44c38fa25d3a9963483b583388b6f47b

    SHA1

    e9b37eb8bcbe2ddda96178ee7502616660cfce57

    SHA256

    004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

    SHA512

    c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    452d329fc0faa95470e217b08fff61af

    SHA1

    be13ca8b935a105523e9463c081622e6abecf70f

    SHA256

    0c28c62a2a3bbd2403564cd53972c719765d4194544aa100a866ca01580a1083

    SHA512

    ec7fd86d269af9a8e2376c4c91ec648d88af93ad295e525c8957d5708bfa84c7c4c2e43e064acd3f1f1992380cd53e78c44c6dfa579762a0679b30955b037a96

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    982d1dbabcd46e3bc18de0cdbbaa6e9d

    SHA1

    28854c7f936194c9d5f2f9d7ece4275f87790e17

    SHA256

    0697f8166ba04702fe0dc37d0e469a26e4bdafbf381aad383aadf7ff5a866193

    SHA512

    34e7583eeaeebe662c847297b28ac1be41bb820e7bcef063b5028391ae45458c5b33e447bdc8ae4b0ddce99d13912d14facdf8f0ebbc8365e97cf74604afa141

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    41a83f4aee5eef90bf0f35be91a2a54c

    SHA1

    059ca39e0164ba34ecef60e96cfac493408ce315

    SHA256

    701691bec7dd978abf5b24942db57f5ac88f4e05e73c02973187de265e9adb3f

    SHA512

    31c1c0cfc52c81b18aa36dac9a20e76977eab6abf767799962f84ae0a4b956a561183e6a8f4e1da7f380eba1949eafbd4360a838a7f8e0d767ab921337e2e892

  • memory/4092-8-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB