Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 22:29

General

  • Target

    9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe

  • Size

    1.1MB

  • MD5

    c46a3138e59500ee6a3e9645c08d4e48

  • SHA1

    51d0e156e9255459b2fd456b84f5a7d1ebcc2868

  • SHA256

    9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d

  • SHA512

    c04203dd510b924f7daba2f8d3d22d5ab08d548a0895ab9ace4859b5636872daee08d8d26aabe6453ea0c3f463ea40a38849b54bc8177090674a0b408acd70df

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QF:CcaClSFlG4ZM7QzMO

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe
    "C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1892
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3540
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3020
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    19b9f38e03869c4b463722b783c9de8c

    SHA1

    7148eddb6bc5459dd9eeb2ecb2170fb5eaba4575

    SHA256

    bcf6b029e9a26d281b3f5afd1894a74856040b1d42770f9bbb58b012836667a9

    SHA512

    d8d1168d40573023b9be6ada05ade4014088e710ad562e3ca0b03c456da995d35b9a16d4e582b4e1eb53d4ea8058a8d59b0b2ecf0eaeeabb385a807acd0833ad

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    a3b1a2435db9006df38c9e78df96e2f2

    SHA1

    a8a6d302d102686610f54547bdf0245b177a752f

    SHA256

    8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

    SHA512

    fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    fa5aeb039efa08a786befab2a05e8298

    SHA1

    174a11410292d112cd2e0f2b08ca7c6f501a53fd

    SHA256

    acd9064e97bc33ef4b9ec26613bfecfb0258cf8223906786301b2949b4be8b73

    SHA512

    199c784edb5dcfbac28441318a303f07c2e914fdf7898397e70408ca28b8f501a31c8177a19c368edf55ccf26287e94a5440a8d31ae4dd6d1e50f2673ea4698a

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    95e18fa5ff75a8e5840f247fe8a88323

    SHA1

    3d1b4c6d7f84fcce6ee5d181b29e794eca88d3d7

    SHA256

    bcc9bba9757bcf60be83bafe7d9003dd57659a0c53cdead5617fe054c0932a41

    SHA512

    d7ecff3b42120b06e65354d756d01caccf917224128eae16be1fb379b7e4b41b3647bf2e102329b6425352639eeb80c7247d2748cc36ce62fb24da93929a80e8

  • memory/4580-8-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB