Analysis

max time kernel: 93s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/06/2024, 10:34
Static task: static1

Behavioral task: behavioral1
  Sample: fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe
  Resource: win10v2004-20240426-en
General

Target: fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe
Size: 1.1MB
MD5: c0bf95517f48639bb739cb1570bd7205
SHA1: 400d166d14afe3db5ad82b2608063f938a6a9865
SHA256: fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac
SHA512: bcadeee5091419c93ef96ee8475411c9f40f8ed691c76e62fa2417f3306ff682491a3b66801954cbf378f13b0c1cf8b9eed6ede8c71c8c4b447f7e0e31d6fcc3
SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qk:acallSllG4ZM7QzMj
Malware Config
Signatures

Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  svchcst.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  WScript.exe

Deletes itself (1 IoC)
  pid   Process
  4984  svchcst.exe

Executes dropped EXE (3 IoCs)
  pid   Process
  4984  svchcst.exe
  5800  svchcst.exe
  5740  svchcst.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (5 IoCs)
  description  ioc                                                                                                 Process
  Key created  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings                 fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  WScript.exe
  Key created  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings                 svchcst.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  WScript.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  WScript.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process                                                                 hits
  4076  fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe   2
  4984  svchcst.exe                                                             62

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  4076  fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
  pid   Process                                                                 hits
  4076  fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe   2
  4984  svchcst.exe                                                             2
  5800  svchcst.exe                                                             2
  5740  svchcst.exe                                                             2

Suspicious use of WriteProcessMemory (18 IoCs; each row below is reported three times)
  description                       pid   Process                                                                 procid_target
  PID 4076 wrote to memory of 4504  4076  fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe   82
  PID 4504 wrote to memory of 4984  4504  WScript.exe                                                             90
  PID 4984 wrote to memory of 4960  4984  svchcst.exe                                                             91
  PID 4984 wrote to memory of 3300  4984  svchcst.exe                                                             92
  PID 4960 wrote to memory of 5800  4960  WScript.exe                                                             95
  PID 3300 wrote to memory of 5740  3300  WScript.exe                                                             96
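The two behaviours that matter most above are the launch chain (script host running VBS3.vbs from AppData\Roaming, which then starts svchcst.exe from the same directory, repeated one level down) and the Geo\Nation read by code living in user-writable paths. The following is an added example, not part of the Triage report or of the sample: it encodes the report's process tree, its WriteProcessMemory pairs (which line up with the parent/child relations in the tree, triplicates included) and its five Geo\Nation reads as plain Python records, and runs two detection rules over them. The record layout, the rule names and the explorer.exe control process (PID 1234) are this example's own assumptions.

```python
"""Detection logic over the behavioural events in this report.

Added example, not part of the Triage report or of the sample. The event
records below are constructed from the report's process tree, its
"Suspicious use of WriteProcessMemory" rows (each parent/child pair is
listed three times there) and its "Checks computer location settings"
IoCs; the record layout (pid, image, cmdline, edge tuples) is this
example's own assumption, not the sandbox's export format. explorer.exe
(PID 1234) is a constructed benign control that is not in the report.
"""
import re
from collections import defaultdict

SAMPLE = "fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe"
VBS = r"C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
DROP = r"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
WSCRIPT_IMAGE = r"C:\Windows\SysWOW64\WScript.exe"
WSCRIPT_CMD = rf'"C:\Windows\System32\WScript.exe" "{VBS}"'
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000"
           r"\Control Panel\International\Geo\Nation")

# pid -> (image path, command line), taken from the report's process tree.
PROCESSES = {
    4076: (rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
           rf'"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"'),
    4504: (WSCRIPT_IMAGE, WSCRIPT_CMD),
    4984: (DROP, rf'"{DROP}"'),
    4960: (WSCRIPT_IMAGE, WSCRIPT_CMD),
    5800: (DROP, rf'"{DROP}"'),
    3300: (WSCRIPT_IMAGE, WSCRIPT_CMD),
    5740: (DROP, rf'"{DROP}"'),
    1234: (r"C:\Windows\explorer.exe", "explorer.exe"),   # constructed control
}
# (writer pid, target pid) exactly as the report lists them, triplicates included.
WRITE_EDGES = ([(4076, 4504)] * 3 + [(4504, 4984)] * 3 + [(4984, 4960)] * 3
               + [(4984, 3300)] * 3 + [(4960, 5800)] * 3 + [(3300, 5740)] * 3)
# (pid, key queried): the five Geo\Nation reads in the report plus the control.
REG_QUERIES = [(4504, GEO_KEY), (4076, GEO_KEY), (4960, GEO_KEY),
               (4984, GEO_KEY), (3300, GEO_KEY), (1234, GEO_KEY)]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SCRIPT_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:vbs|vbe|js|jse|wsf))"?', re.IGNORECASE)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def unique_edges(edges):
    """Collapse the sandbox's repeated rows to one parent->child pair each, in order."""
    return list(dict.fromkeys(edges))


def children(edges):
    tree = defaultdict(list)
    for parent, child in unique_edges(edges):
        tree[parent].append(child)
    return tree


def lineage(pid, edges):
    """Root-to-leaf PID chain, e.g. sample -> WScript -> svchcst -> WScript -> svchcst."""
    parent_of = {child: parent for parent, child in unique_edges(edges)}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def effective_code_path(pid):
    """For a script host the script it runs is the code that matters, not the host."""
    image, cmdline = PROCESSES[pid]
    if basename(image) in SCRIPT_HOSTS:
        m = SCRIPT_ARG.search(cmdline)
        if m:
            return m.group(1)
    return image


def script_drop_chains(edges):
    """Rule 1: wscript/cscript running a script from a user-writable directory
    launches an executable that also lives in a user-writable directory."""
    hits = []
    for parent, kids in children(edges).items():
        if basename(PROCESSES[parent][0]) not in SCRIPT_HOSTS:
            continue
        if not USER_WRITABLE.search(effective_code_path(parent)):
            continue
        for kid in kids:
            kid_image = PROCESSES[kid][0]
            if USER_WRITABLE.search(kid_image):
                hits.append((parent, kid, kid_image))
    return hits


def geofence_probes(reg_queries):
    r"""Rule 2: Control Panel\International\Geo\Nation read by code (image or
    hosted script) that lives in a user-writable directory. explorer.exe
    reading the same value is normal and is not reported."""
    return sorted({pid for pid, key in reg_queries
                   if GEO_NATION.search(key) and USER_WRITABLE.search(effective_code_path(pid))})


if __name__ == "__main__":
    for parent, kid, image in script_drop_chains(WRITE_EDGES):
        print(f"script host {parent} launched {image} as PID {kid}; lineage {lineage(kid, WRITE_EDGES)}")
    print("Geo\\Nation probes from user-writable code:", geofence_probes(REG_QUERIES))
```

Rule 1 fires three times, once per VBS3.vbs to svchcst.exe hop, and lineage() reproduces the five-deep chain in the process tree. Rule 2 keys on where the code came from rather than on the registry read alone, which is the difference between a geofence signature and a false positive on every shell component that checks the locale.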
Processes

1. C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe"
   PID: 4076
   - Checks computer location settings
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID: 4504
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
         command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
         PID: 4984
         - Checks computer location settings
         - Deletes itself
         - Executes dropped EXE
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WScript.exe
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
            PID: 4960
            - Checks computer location settings
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
               command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
               PID: 5800
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx

         4. C:\Windows\SysWOW64\WScript.exe
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
            PID: 3300
            - Checks computer location settings
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
               command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
               PID: 5740
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx

The leading number is the nesting depth, as on the original page. Every WScript.exe is started with the command line "C:\Windows\System32\WScript.exe" but runs as C:\Windows\SysWOW64\WScript.exe: the parent (the sample, then the dropped svchcst.exe) is a 32-bit process, so WoW64 file system redirection hands it the 32-bit script host, and registry redirection is likewise why WScript's CLSID keys land under WOW6432Node. Telemetry searches keyed on the System32 path alone would miss these processes.
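The dropped binary is named svchcst.exe, one character away from svchost.exe, and runs from AppData\Roaming\Microsoft rather than a system directory. The following is an added example, not code from the Triage report or the sample: a lookalike-name check that flags a system binary name, or a near miss of one, outside System32/SysWOW64. KNOWN_SYSTEM_BINARIES is an illustrative subset chosen for this example (an assumption; a real deployment would build the list from a clean image), and the svchost.exe and firefox.exe paths in the demo are constructed, not taken from the report.

```python
"""Lookalike-name check for binaries such as the dropped svchcst.exe.

Added example, not from the Triage report. KNOWN_SYSTEM_BINARIES is an
illustrative subset chosen for this example (assumption), not a complete
Windows inventory; build it from a clean image for real use.
"""

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "wscript.exe", "cscript.exe", "explorer.exe", "lsass.exe",
    "csrss.exe", "services.exe", "winlogon.exe", "conhost.exe", "rundll32.exe",
}


def levenshtein(a, b):
    """Two-row edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_path(path):
    """Lower-cased (directory, file name); forward slashes are normalised."""
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    return directory.lower(), name.lower()


def masquerade_verdict(image_path, max_distance=2):
    """None when the path is unremarkable, otherwise (reason, system binary)."""
    directory, name = split_path(image_path)
    if directory in SYSTEM_DIRS:
        # System32 and its WoW64 mirror are where these names belong; a 32-bit
        # parent asking for System32\WScript.exe legitimately gets SysWOW64\WScript.exe.
        return None
    if name in KNOWN_SYSTEM_BINARIES:
        return ("system binary name outside a system directory", name)
    # sorted() makes tie-breaking deterministic when two names are equally close.
    closest = min(sorted(KNOWN_SYSTEM_BINARIES), key=lambda k: levenshtein(name, k))
    distance = levenshtein(name, closest)
    if distance <= max_distance:
        return (f"name within edit distance {distance} of a system binary", closest)
    return None


def triage(paths):
    """Map each flagged path to its verdict; unflagged paths are dropped."""
    return {p: v for p in paths if (v := masquerade_verdict(p)) is not None}


if __name__ == "__main__":
    suspects = [
        r"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe",  # from the report
        r"C:\Windows\SysWOW64\WScript.exe",                       # from the report
        r"C:\Users\Admin\AppData\Roaming\svchost.exe",            # constructed
        r"C:\Program Files\Mozilla Firefox\firefox.exe",          # constructed
    ]
    for path, verdict in triage(suspects).items():
        print(path, "->", verdict)
```

The directory check comes first on purpose: the report's own WScript.exe runs from SysWOW64 with a System32 command line, and a check that only trusted System32 would flag every 32-bit script host on the box.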
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 92B
MD5: 67b9b3e2ded7086f393ebbc36c5e7bca
SHA1: e6299d0450b9a92a18cc23b5704a2b475652c790
SHA256: 44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d
SHA512: 826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Filesize: 753B
MD5: d0244eea3255327ca0c7c181d36b38ad
SHA1: a302f6b421088197510913b8a2e901d60ecaa12b
SHA256: 3cac7c5f48f3b40497fdf7a62c9e2d2d73380ab2b6b9954b8314ebbc7a313908
SHA512: f2c6647e8d2ae1b9b8703b1d3166fc2c41edae031628e8335c026e07850f43052ac4bd53d24f0d136386ebeb82ebf5d557900bcd2e4398a27bd7cf76a7cfcb71

Filesize: 696B
MD5: 4e9605159361f93230fef3cc5ad4301c
SHA1: 64e6d5673487e049cc4e96650b507641062ca1bf
SHA256: 2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7
SHA512: 5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Filesize: 1.1MB
MD5: 5858196fbaeead037ea6e9c4ab62ab10
SHA1: 543cb9047ecfd021ee83884ea840bb958fcca4e5
SHA256: caeccc62f5f0f2bf389948848bfb66cacc9ebbc8991f92f6781dc6d6de1c7353
SHA512: 99a374a6edd744fa84acc056c035540e2e72105208e3ca61115e5bc4acd94bd9e1f0336ddebbd2aec6a28458b2b454dee8d3c8be0690f68d259c634d70e6b484

Filesize: 1.1MB
MD5: adc21714a4a1d8bdf33658cd6ad2b397
SHA1: feb16cc031692882d36ea6126fdb04a34dde77f2
SHA256: 81add9c8fe7caeb7e81be1f6bd7b65660aef4baa9cdff9739138ea2c0e1e3116
SHA512: c800039a3145ecb262ea4f92a8742cb39a22ad1923c357ce8fc1eb2f02bfd023bc17af6c7d51baad817a224e7aa88ea511fa398f73a14a9ae5bc4cf2847d50a1
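The hash list above is what a responder sweeps endpoints with. The following is an added example, not part of the Triage report: it copies the report's MD5 and SHA-256 values (sample plus the five downloads) into an IOC set, hashes each file once while feeding all four digests, and walks a directory for matches. The files it writes to a temporary directory are constructed test data (the standard "abc" test vector and an empty file), not the sample's real artefacts, and the function names are this example's own.

```python
"""Hash-based sweep for the artefacts listed in the Downloads section.

Added example, not part of the Triage report. REPORT_IOCS copies the MD5
and SHA-256 values from the report; the files written by demo() are
constructed test data (assumption) so the sweep runs offline without the
real sample.
"""
import hashlib
import io
import os
import tempfile

REPORT_IOCS = {
    "md5": {
        "c0bf95517f48639bb739cb1570bd7205",   # the submitted sample
        "67b9b3e2ded7086f393ebbc36c5e7bca", "d0244eea3255327ca0c7c181d36b38ad",
        "4e9605159361f93230fef3cc5ad4301c", "5858196fbaeead037ea6e9c4ab62ab10",
        "adc21714a4a1d8bdf33658cd6ad2b397",
    },
    "sha256": {
        "fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac",
        "44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d",
        "3cac7c5f48f3b40497fdf7a62c9e2d2d73380ab2b6b9954b8314ebbc7a313908",
        "2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7",
        "caeccc62f5f0f2bf389948848bfb66cacc9ebbc8991f92f6781dc6d6de1c7353",
        "81add9c8fe7caeb7e81be1f6bd7b65660aef4baa9cdff9739138ea2c0e1e3116",
    },
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_stream(fileobj, chunk_size=1 << 20):
    """Feed every digest from a single read of the stream, so each file is read once.
    MD5/SHA-1 are used here for IOC matching only, hence usedforsecurity=False."""
    hashers = {a: hashlib.new(a, usedforsecurity=False) for a in ALGORITHMS}
    for block in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def sweep(root, iocs):
    """Walk root and return (path, algorithm, digest) for every IOC match.
    A file is reported once per algorithm it matches; a hit on MD5 without the
    matching SHA-256 (or vice versa) is worth a second look rather than an alert."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue          # locked, or gone between listing and read
            for algo, wanted in iocs.items():
                if digests.get(algo) in wanted:
                    hits.append((path, algo, digests[algo]))
    return hits


def demo():
    """Run the sweep over a throwaway directory of constructed test files."""
    # b"abc" is standard hash test data; its MD5 is added to the IOC set so the
    # sweep has something to find. The empty file is a negative control.
    iocs = {"md5": REPORT_IOCS["md5"] | {"900150983cd24fb0d6963f7d28e17f72"},
            "sha256": REPORT_IOCS["sha256"]}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "probe.bin"), "wb") as f:
            f.write(b"abc")
        open(os.path.join(root, "empty.bin"), "wb").close()
        return [(os.path.basename(p), algo, digest) for p, algo, digest in sweep(root, iocs)]


if __name__ == "__main__":
    for name, algo, digest in demo():
        print(f"{name}: {algo} {digest}")
```

Point sweep() at a user profile (AppData\Roaming\Microsoft is where this sample drops svchcst.exe and VBS3.vbs) to look for the report's artefacts; the SHA-512 values are computed in the same pass and can be added to REPORT_IOCS from the page if that is the algorithm your IOC feed carries.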