db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe
Size

1.1MB
MD5

17db652940a5dad303f9a1cb836e5311
SHA1

430da4d841bdf5f585a898615c2e73f354dce190
SHA256

db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c
SHA512

ba02a2d182067eb3d0577aa62f83a3994e8781a78cd7be5405696879d68298c2977ac4f22d73268f6f58eceb7d273cf4e5855e07ad05ff43f1fbf765cabdf56d
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Ql:CcaClSFlG4ZM7QzMu

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe

Deletes itself 1 IoCs

pid	Process
4652	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4652	svchcst.exe
1292	svchcst.exe
856	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe
1520	db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe
4652	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1520	db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1520	db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe
1520	db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe
4652	svchcst.exe
4652	svchcst.exe
856	svchcst.exe
856	svchcst.exe
1292	svchcst.exe
1292	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 880	1520	db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe	83
PID 1520 wrote to memory of 880	1520	db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe	83
PID 1520 wrote to memory of 880	1520	db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe	83
PID 880 wrote to memory of 4652	880	WScript.exe	93
PID 880 wrote to memory of 4652	880	WScript.exe	93
PID 880 wrote to memory of 4652	880	WScript.exe	93
PID 4652 wrote to memory of 2416	4652	svchcst.exe	94
PID 4652 wrote to memory of 2416	4652	svchcst.exe	94
PID 4652 wrote to memory of 2416	4652	svchcst.exe	94
PID 4652 wrote to memory of 4420	4652	svchcst.exe	95
PID 4652 wrote to memory of 4420	4652	svchcst.exe	95
PID 4652 wrote to memory of 4420	4652	svchcst.exe	95
PID 2416 wrote to memory of 1292	2416	WScript.exe	98
PID 2416 wrote to memory of 1292	2416	WScript.exe	98
PID 2416 wrote to memory of 1292	2416	WScript.exe	98
PID 4420 wrote to memory of 856	4420	WScript.exe	99
PID 4420 wrote to memory of 856	4420	WScript.exe	99
PID 4420 wrote to memory of 856	4420	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe
"C:\Users\Admin\AppData\Local\Temp\db99cc9037bfc7ec7f9e412e90d47bcb0f97e6a8fc4389f6c011952da9e0160c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1292
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8ff9269f0a87aaf29e707ac354505e61

SHA1
68c900e567a236096ac8c812cb14dec97e3e088c

SHA256
ed84c3ff01194f8f55c30fb4f5685d4f74c186732e01e20d9909fb7a63ebb7d1

SHA512
5980c8ca52c3c047380b9aabced91699a68228bf8e5d545ff3105bdc5c469f30f7e490f459e2e8bc57f088d904ae0fb3e3167dfa0cd84b83b3d8e78402e8ae9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
f0e09b31b230bdf0670200eb8cfa8095

SHA1
8260f3f305c543d6384808b8e1fc4042591f11cc

SHA256
06f6f84a4daceeb703c40002b942b58fab0847f82e9f73f85fab84354d856d54

SHA512
029de02858b1813e21f24f1704dca63faf8ba70cf7964b55e7f109b4a2c5505a376a0584b23c6b8c7df3fd90d980d791fc1903097d9b35e04fb95408380b9937

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
32b80de32f7f9056ace945c54638d5bf

SHA1
031204d2812b04263c84ee48f3b96674a828bc4b

SHA256
f7f661f1f65426f648d01e0d1ea86e1b051fabc605dbd97680aeb127fe115ed2

SHA512
c89ee121707194abf3402e6a8063d427efbb9ec5bab4a1f92ce5eb08426f5ab858687f7f3cb5ef33396163ecac54d0ec1dd5d09a75d7ce440fe0cfb1c996ce0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5db1dbe00a89b352eed34024dfe34d1c

SHA1
e360a6e2d2f82ba0d2c9b45fc10409ef6b966461

SHA256
e26d62a7d89c9ea6d71a7e4012c1f3b8947f2c853c9a146044c40cfca48d78ee

SHA512
1292b8798cec83b2da9a1983405ddaf1db7d8b5eb453b9fb6a8c738f11c5e608c135d71b5fefe473e4a472a3cfa7551b3d37356fbb554387bad6d1180f90051d

Download Submit
memory/1520-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download