3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe
Size

1.1MB
MD5

c304d3d5061d72d4b4afd4e855e40cc1
SHA1

257437f98910d6ba849d580cd4d2ea9b0a6af4a7
SHA256

3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3
SHA512

6b7799538163cb3dfb7a39155c19734734e884315455ed764f2bbb95b6c78e7d91413be040c205f438facd07cf94fe9f4450590282ea1365753ca2e8718cb39d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QT:acallSllG4ZM7QzMU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4780	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4780	svchcst.exe
1228	svchcst.exe
5008	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe
4772	3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe
4780	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4772	3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4772	3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe
4772	3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe
4780	svchcst.exe
4780	svchcst.exe
5008	svchcst.exe
5008	svchcst.exe
1228	svchcst.exe
1228	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 2116	4772	3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe	83
PID 4772 wrote to memory of 2116	4772	3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe	83
PID 4772 wrote to memory of 2116	4772	3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe	83
PID 2116 wrote to memory of 4780	2116	WScript.exe	90
PID 2116 wrote to memory of 4780	2116	WScript.exe	90
PID 2116 wrote to memory of 4780	2116	WScript.exe	90
PID 4780 wrote to memory of 3972	4780	svchcst.exe	93
PID 4780 wrote to memory of 3972	4780	svchcst.exe	93
PID 4780 wrote to memory of 3972	4780	svchcst.exe	93
PID 4780 wrote to memory of 1104	4780	svchcst.exe	94
PID 4780 wrote to memory of 1104	4780	svchcst.exe	94
PID 4780 wrote to memory of 1104	4780	svchcst.exe	94
PID 3972 wrote to memory of 1228	3972	WScript.exe	95
PID 3972 wrote to memory of 1228	3972	WScript.exe	95
PID 3972 wrote to memory of 1228	3972	WScript.exe	95
PID 1104 wrote to memory of 5008	1104	WScript.exe	96
PID 1104 wrote to memory of 5008	1104	WScript.exe	96
PID 1104 wrote to memory of 5008	1104	WScript.exe	96

C:\Users\Admin\AppData\Local\Temp\3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe
"C:\Users\Admin\AppData\Local\Temp\3edf3f59075b85db9196de07fa00903bccb90cb6bf576a6f7501264b23ffd3b3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1228
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
9eb589fa76e20c754e9e07791a8abfcc

SHA1
3f799f719eacc31219d804731c2f6ba92e5f5b9d

SHA256
aab8a82a9dc46316c81ba441aa6e75e8a18563659ff13b5ccead9833574bde86

SHA512
6fbf7f636ce00cc87c899072b7d68ac982d8d78f4a237575e503df31cf3195db973239331db6233d4f2ef139ffc35636d122c5bd78a25de2f18ccf19dc366ef1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9cc571a685f31dfa04184c9b202a84f9

SHA1
788c852b51965590939c085df85ed6b30007f9b5

SHA256
70513b91a9ca99b0ab0f52b559ed4b5818545ff70b2bf978e38085144b01ddee

SHA512
f9ae523456419fb187a1fcd6a45a8c2c0b9dfcd1048da0061aa227b65fcfcbd227505ee13b91b150517a929ed37b2f899119095bd7198418df5444e3f1bd7a04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dafa93a3241387542b37d8d1100d6c38

SHA1
a2f23652470438276c43ecd0eddd7b0e5b4b6633

SHA256
d7b50ab84ee7166aa1321e620e8f0d906e4c3f7db7fb4a1217d14025b6cbe127

SHA512
109cae713b2f96cfc1bf58193f4d3e89058b9979b1e1145f1b1ee73010828700db93feab8f81daedab7ad71fb5ddbb8e019d7615d833ab6bc07d80ba4276caf1

Download Submit
memory/1228-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4772-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4772-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4780-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5008-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5008-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download