b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe
Size

1.1MB
MD5

b5695c1908b842bc2f7322413f7dd5b0
SHA1

bcd395eb41646a7c456cf70c7e520882b5f54ded
SHA256

b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83
SHA512

a960ff47919dc94855f4979d9373618754eeda9c38efb0b6fca4d98ad0a179f2bc4aa6e612c8f44d1d88f6b5cd8e1f6df33d49a0ebdf11423cde75cf2fb73939
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QQ:acallSllG4ZM7QzM3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3032	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3032	svchcst.exe
1180	svchcst.exe
2200	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3660	b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe
3660	b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe
3660	b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe
3660	b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3660	b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3660	b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe
3660	b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe
3032	svchcst.exe
3032	svchcst.exe
1180	svchcst.exe
1180	svchcst.exe
2200	svchcst.exe
2200	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 2216	3660	b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe	82
PID 3660 wrote to memory of 2216	3660	b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe	82
PID 3660 wrote to memory of 2216	3660	b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe	82
PID 2216 wrote to memory of 3032	2216	WScript.exe	94
PID 2216 wrote to memory of 3032	2216	WScript.exe	94
PID 2216 wrote to memory of 3032	2216	WScript.exe	94
PID 3032 wrote to memory of 444	3032	svchcst.exe	95
PID 3032 wrote to memory of 444	3032	svchcst.exe	95
PID 3032 wrote to memory of 444	3032	svchcst.exe	95
PID 3032 wrote to memory of 4904	3032	svchcst.exe	96
PID 3032 wrote to memory of 4904	3032	svchcst.exe	96
PID 3032 wrote to memory of 4904	3032	svchcst.exe	96
PID 4904 wrote to memory of 1180	4904	WScript.exe	99
PID 4904 wrote to memory of 1180	4904	WScript.exe	99
PID 4904 wrote to memory of 1180	4904	WScript.exe	99
PID 444 wrote to memory of 2200	444	WScript.exe	100
PID 444 wrote to memory of 2200	444	WScript.exe	100
PID 444 wrote to memory of 2200	444	WScript.exe	100

C:\Users\Admin\AppData\Local\Temp\b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe
"C:\Users\Admin\AppData\Local\Temp\b8bf1770ded4d1ed069ca68fccd546f6cd787140682f05923124484b27610d83.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:444
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2200
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ed7ead492b221e7d721b0ef69e3ebe3a

SHA1
2fa45cd6fc06e8af0ee41dcf1a3b4d9c26844462

SHA256
4533e561d7bf22ec8e9f7b6cbef6518ae3535add4580ece2ff3346914e465871

SHA512
8f7f7a90c40a12c0f50a32918a171b2e0601d98bdf78fc0bed2742b7d14f22e32df01725bc02ca87b822c4c4f13001827fb1f6bbf037a3fd0b4d1fcd204c8a57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9acddfbe94222e09590fec2b727c943b

SHA1
0ead51bc6ad7ede3a10458868fb8098419678b81

SHA256
df28bdcc2467633df8329c6e931037acaad8902c3c3ddc9dab4d33cb8fef8ab3

SHA512
2f17ebe139e4deab5450f7146f44186bf781f6da0fa4c17eabbba86dc10205cb57de82672f69ff7e89c52ddd4b033299df6fa7315e5beeb71d950153ae8edbde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fef6b0dbec38f18629176c3d7eac63b2

SHA1
6c1251377c6b58c74eabd6bcd54cf2c9057aea0b

SHA256
f558d11ddf8d997dc6189e75c1312e448e178073cbce0aa12ebfb98b50cc3839

SHA512
bac8447521d89735addcde43b97cc859622b03e2f3ac43fb1e39cbb1ad9f8319de03da7c8153b7bf46c48c4b39fc654437837c8e56849dcadd68448403510e01

Download Submit
memory/1180-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1180-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2200-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3660-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3660-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download