63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b

Analysis

max time kernel
138s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe
Size

1.1MB
MD5

965b48cdb1e46a5f01feb369c966ce5f
SHA1

c59c3ac9ac57200f738dfe0e94d38f341c31fa8e
SHA256

63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b
SHA512

074f25dcac4b231887cf3ee2cd87b56dcd64e8224306b492eeb7db658512abc7720e684973a736a35c11a387fe44d0cd559848fcf51ce8d88c5a8712c5cbc139
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QM:CcaClSFlG4ZM7QzML

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4940	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4940	svchcst.exe
1648	svchcst.exe
2528	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
456	63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe
456	63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe
456	63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe
456	63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe
4940	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
456	63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
456	63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe
456	63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe
4940	svchcst.exe
4940	svchcst.exe
1648	svchcst.exe
2528	svchcst.exe
1648	svchcst.exe
2528	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 1044	456	63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe	83
PID 456 wrote to memory of 1044	456	63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe	83
PID 456 wrote to memory of 1044	456	63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe	83
PID 1044 wrote to memory of 4940	1044	WScript.exe	95
PID 1044 wrote to memory of 4940	1044	WScript.exe	95
PID 1044 wrote to memory of 4940	1044	WScript.exe	95
PID 4940 wrote to memory of 1448	4940	svchcst.exe	98
PID 4940 wrote to memory of 1448	4940	svchcst.exe	98
PID 4940 wrote to memory of 1448	4940	svchcst.exe	98
PID 4940 wrote to memory of 3328	4940	svchcst.exe	99
PID 4940 wrote to memory of 3328	4940	svchcst.exe	99
PID 4940 wrote to memory of 3328	4940	svchcst.exe	99
PID 1448 wrote to memory of 1648	1448	WScript.exe	100
PID 1448 wrote to memory of 1648	1448	WScript.exe	100
PID 1448 wrote to memory of 1648	1448	WScript.exe	100
PID 3328 wrote to memory of 2528	3328	WScript.exe	101
PID 3328 wrote to memory of 2528	3328	WScript.exe	101
PID 3328 wrote to memory of 2528	3328	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe
"C:\Users\Admin\AppData\Local\Temp\63c8497f9dff38d36c1fe3047b4e63e66027e16b2ef31e29125fb7642791312b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3328
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ff1642d93e03b95abe920baf9edd78ba

SHA1
50083bf5fd8408e69963f9a28f7939b99a4641d3

SHA256
e58005e9cf7592b443ed0029993a1e5581c631e92efbdd05c716d70839808edc

SHA512
940fad4824e944ad72ad872a8040cf5a544260f447f35fadc05cdb25eca8c8c2121df623e061234f12f232287fbaea9184402a2282144cc4a11f5ee07a1bbf50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8b033caf608f3fd40fb04fe26a50aaa7

SHA1
b70eb9ef3e0b83c0dfa3f3486cf626f88d617cb2

SHA256
f5f456f6f5a50f031085e749f2298ee507aefd5cc949c8d4fde3817d83b48290

SHA512
ad7fb035ef0ab112ad6048720e9277d0f7527a0a9e147b2b4c9023a0381e46c1ff20d02e0f4cb399039bb24380bd276d41dfe0bb0f318f74522f1051784d8884

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0faa0944c5653692ec23a32c84e2ced5

SHA1
318ec2a5f61569d6aa9ba8c25541366b904bf90d

SHA256
8e296ee947d12edcaeae62cbb687e910e04dc92f4398350c4da03eea85b0ba3f

SHA512
25148b3e982127614319282b9acaa1419f4292046fb7d45edc4b83542d51c082cc42a0eecb9b2ecf565b43459a4726311525d908cddb36230206d74c4dcb9cb8

Download Submit
memory/456-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download