46f7da65bf81989c7ede6b4334001f8aa00b653fbaf0db3140fcc69ed3823f16

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_674a11f635db806d387615a07aa68330.exe
Size

1.1MB
MD5

674a11f635db806d387615a07aa68330
SHA1

29a0a86f4c7188ba370a57e01563393201887604
SHA256

46f7da65bf81989c7ede6b4334001f8aa00b653fbaf0db3140fcc69ed3823f16
SHA512

809aad9dce32c8f43844f17f2d8eb7222d6ffc92c5ed7b81487f295ba31b054f93c49b0a4d9de207c9f015048a40b25ca7bc69df4f44da22b0163fbb83aef683
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qf:CcaClSFlG4ZM7QzM4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	virussign.com_674a11f635db806d387615a07aa68330.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
380	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
380	svchcst.exe
3560	svchcst.exe
4816	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	virussign.com_674a11f635db806d387615a07aa68330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	virussign.com_674a11f635db806d387615a07aa68330.exe
2652	virussign.com_674a11f635db806d387615a07aa68330.exe
2652	virussign.com_674a11f635db806d387615a07aa68330.exe
2652	virussign.com_674a11f635db806d387615a07aa68330.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe
380	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2652	virussign.com_674a11f635db806d387615a07aa68330.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2652	virussign.com_674a11f635db806d387615a07aa68330.exe
2652	virussign.com_674a11f635db806d387615a07aa68330.exe
380	svchcst.exe
380	svchcst.exe
3560	svchcst.exe
3560	svchcst.exe
4816	svchcst.exe
4816	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 3352	2652	virussign.com_674a11f635db806d387615a07aa68330.exe	83
PID 2652 wrote to memory of 3352	2652	virussign.com_674a11f635db806d387615a07aa68330.exe	83
PID 2652 wrote to memory of 3352	2652	virussign.com_674a11f635db806d387615a07aa68330.exe	83
PID 3352 wrote to memory of 380	3352	WScript.exe	92
PID 3352 wrote to memory of 380	3352	WScript.exe	92
PID 3352 wrote to memory of 380	3352	WScript.exe	92
PID 380 wrote to memory of 968	380	svchcst.exe	94
PID 380 wrote to memory of 968	380	svchcst.exe	94
PID 380 wrote to memory of 968	380	svchcst.exe	94
PID 380 wrote to memory of 736	380	svchcst.exe	93
PID 380 wrote to memory of 736	380	svchcst.exe	93
PID 380 wrote to memory of 736	380	svchcst.exe	93
PID 968 wrote to memory of 3560	968	WScript.exe	97
PID 968 wrote to memory of 3560	968	WScript.exe	97
PID 968 wrote to memory of 3560	968	WScript.exe	97
PID 736 wrote to memory of 4816	736	WScript.exe	98
PID 736 wrote to memory of 4816	736	WScript.exe	98
PID 736 wrote to memory of 4816	736	WScript.exe	98

C:\Users\Admin\AppData\Local\Temp\virussign.com_674a11f635db806d387615a07aa68330.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_674a11f635db806d387615a07aa68330.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:736
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4816
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:968
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae75c3a96c26ddc15e3c678434b18374

SHA1
7abb4cd173f5c8565c891bc5305922439e880fed

SHA256
1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

SHA512
e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
735B

MD5
64e0e8e9f7b147d92ff9ad990189d507

SHA1
50c2b50b17a0fd59a00780bdfc3c1c4ea2dc0f2a

SHA256
d0422595c884305ba8fa791b3fb5a775036727cbdd3dbdf5f4020495dc933fa6

SHA512
bb61213234f83ce967eaea4863bba1d6c5a5a7aeb1651d8a809889a158a2408d8cb03aae048af84f2525278dcef534caf0fca057b411d2ae9f12ca79a75edfca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
187b04906211b7aae18dc9df17dcbd03

SHA1
4e0094b071f3a46e0d0405830ff5b70cf2262bf5

SHA256
118a83294ec547ee5fda45709ee99253e621a200d896fc2debed860d6503107a

SHA512
25b6bfe357c0b1fa5955697810d0055ccc8b0b1bbcd773c28db0a0a08bdb3236c1637901501a8f050651d051718ec80ec1e1c2605db8ecae1e432f1b58c5bf6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
738ad150fbae334c8d20025d2204e785

SHA1
95b026a3f2910d4de5f2fd80eb8eb0902061e408

SHA256
efa17da2d94f12da705c80bcc582a6c535e4f127d0c5e061ffb837442c9f8bef

SHA512
94e0f1391ca95d24665232b4a7422d621191931a7e746bd16cfce306a41569ffcfbd98ab3bc209be93a6892fac15cfcfa7904237588f87b823a7492e0e7323d2

Download Submit
memory/2652-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download