aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
Size

1.1MB
MD5

0891170adf7f735d1fe4e57ac5185782
SHA1

96320ee9e3524fccba12321ad55bc9b5fe186dc5
SHA256

aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39
SHA512

0f38b03f8ad6d97d662ee56b40ff7a16ea6481b77e34bb1fab69a7ce5eba9254e4bb15d88b9fddbc4e1aa96b4c1aad18ddb281327058fb4e75ae9d7e2c065a91
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QX:CcaClSFlG4ZM7QzMw

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2656	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2656	svchcst.exe
1544	svchcst.exe
2444	svchcst.exe
2588	svchcst.exe
580	svchcst.exe
2084	svchcst.exe
2132	svchcst.exe
2040	svchcst.exe
2624	svchcst.exe
2080	svchcst.exe
1580	svchcst.exe
376	svchcst.exe
2556	svchcst.exe
1732	svchcst.exe
540	svchcst.exe
1724	svchcst.exe
1508	svchcst.exe
2952	svchcst.exe
2560	svchcst.exe
1420	svchcst.exe
608	svchcst.exe
592	svchcst.exe
1408	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2580	WScript.exe
2580	WScript.exe
2608	WScript.exe
2608	WScript.exe
2200	WScript.exe
2200	WScript.exe
1328	WScript.exe
1328	WScript.exe
1232	WScript.exe
1232	WScript.exe
1076	WScript.exe
1076	WScript.exe
1012	WScript.exe
1012	WScript.exe
1836	WScript.exe
1836	WScript.exe
2180	WScript.exe
2180	WScript.exe
2192	WScript.exe
2192	WScript.exe
2248	WScript.exe
2248	WScript.exe
1448	WScript.exe
1448	WScript.exe
2368	WScript.exe
2368	WScript.exe
2372	WScript.exe
2372	WScript.exe
1132	WScript.exe
1132	WScript.exe
3024	WScript.exe
3024	WScript.exe
564	WScript.exe
564	WScript.exe
1320	WScript.exe
1320	WScript.exe
2544	WScript.exe
2544	WScript.exe
2220	WScript.exe
2220	WScript.exe
2420	WScript.exe
2420	WScript.exe
1676	WScript.exe
1676	WScript.exe
2432	WScript.exe
2432	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1616	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1616	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
1616	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
2656	svchcst.exe
2656	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
2444	svchcst.exe
2444	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
580	svchcst.exe
580	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2040	svchcst.exe
2040	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2080	svchcst.exe
2080	svchcst.exe
1580	svchcst.exe
1580	svchcst.exe
376	svchcst.exe
376	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
540	svchcst.exe
540	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
1420	svchcst.exe
1420	svchcst.exe
608	svchcst.exe
608	svchcst.exe
592	svchcst.exe
592	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2580	1616	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe	28
PID 1616 wrote to memory of 2580	1616	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe	28
PID 1616 wrote to memory of 2580	1616	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe	28
PID 1616 wrote to memory of 2580	1616	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe	28
PID 2580 wrote to memory of 2656	2580	WScript.exe	30
PID 2580 wrote to memory of 2656	2580	WScript.exe	30
PID 2580 wrote to memory of 2656	2580	WScript.exe	30
PID 2580 wrote to memory of 2656	2580	WScript.exe	30
PID 2656 wrote to memory of 2608	2656	svchcst.exe	31
PID 2656 wrote to memory of 2608	2656	svchcst.exe	31
PID 2656 wrote to memory of 2608	2656	svchcst.exe	31
PID 2656 wrote to memory of 2608	2656	svchcst.exe	31
PID 2608 wrote to memory of 1544	2608	WScript.exe	32
PID 2608 wrote to memory of 1544	2608	WScript.exe	32
PID 2608 wrote to memory of 1544	2608	WScript.exe	32
PID 2608 wrote to memory of 1544	2608	WScript.exe	32
PID 1544 wrote to memory of 2200	1544	svchcst.exe	33
PID 1544 wrote to memory of 2200	1544	svchcst.exe	33
PID 1544 wrote to memory of 2200	1544	svchcst.exe	33
PID 1544 wrote to memory of 2200	1544	svchcst.exe	33
PID 2200 wrote to memory of 2444	2200	WScript.exe	34
PID 2200 wrote to memory of 2444	2200	WScript.exe	34
PID 2200 wrote to memory of 2444	2200	WScript.exe	34
PID 2200 wrote to memory of 2444	2200	WScript.exe	34
PID 2444 wrote to memory of 1328	2444	svchcst.exe	35
PID 2444 wrote to memory of 1328	2444	svchcst.exe	35
PID 2444 wrote to memory of 1328	2444	svchcst.exe	35
PID 2444 wrote to memory of 1328	2444	svchcst.exe	35
PID 1328 wrote to memory of 2588	1328	WScript.exe	36
PID 1328 wrote to memory of 2588	1328	WScript.exe	36
PID 1328 wrote to memory of 2588	1328	WScript.exe	36
PID 1328 wrote to memory of 2588	1328	WScript.exe	36
PID 2588 wrote to memory of 1232	2588	svchcst.exe	37
PID 2588 wrote to memory of 1232	2588	svchcst.exe	37
PID 2588 wrote to memory of 1232	2588	svchcst.exe	37
PID 2588 wrote to memory of 1232	2588	svchcst.exe	37
PID 1232 wrote to memory of 580	1232	WScript.exe	38
PID 1232 wrote to memory of 580	1232	WScript.exe	38
PID 1232 wrote to memory of 580	1232	WScript.exe	38
PID 1232 wrote to memory of 580	1232	WScript.exe	38
PID 580 wrote to memory of 1076	580	svchcst.exe	39
PID 580 wrote to memory of 1076	580	svchcst.exe	39
PID 580 wrote to memory of 1076	580	svchcst.exe	39
PID 580 wrote to memory of 1076	580	svchcst.exe	39
PID 1076 wrote to memory of 2084	1076	WScript.exe	40
PID 1076 wrote to memory of 2084	1076	WScript.exe	40
PID 1076 wrote to memory of 2084	1076	WScript.exe	40
PID 1076 wrote to memory of 2084	1076	WScript.exe	40
PID 2084 wrote to memory of 1012	2084	svchcst.exe	41
PID 2084 wrote to memory of 1012	2084	svchcst.exe	41
PID 2084 wrote to memory of 1012	2084	svchcst.exe	41
PID 2084 wrote to memory of 1012	2084	svchcst.exe	41
PID 1012 wrote to memory of 2132	1012	WScript.exe	42
PID 1012 wrote to memory of 2132	1012	WScript.exe	42
PID 1012 wrote to memory of 2132	1012	WScript.exe	42
PID 1012 wrote to memory of 2132	1012	WScript.exe	42
PID 2132 wrote to memory of 1836	2132	svchcst.exe	43
PID 2132 wrote to memory of 1836	2132	svchcst.exe	43
PID 2132 wrote to memory of 1836	2132	svchcst.exe	43
PID 2132 wrote to memory of 1836	2132	svchcst.exe	43
PID 1836 wrote to memory of 2040	1836	WScript.exe	46
PID 1836 wrote to memory of 2040	1836	WScript.exe	46
PID 1836 wrote to memory of 2040	1836	WScript.exe	46
PID 1836 wrote to memory of 2040	1836	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
"C:\Users\Admin\AppData\Local\Temp\aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd3670279cfd4857ab7ae976f56ad473

SHA1
2b4136cb5f5aa98e7cf48135db771fe497da942f

SHA256
9824342f00af60b70c73fd0b0b08c54f1439d6f6964ce1286a7eec748047041f

SHA512
30e7536c3209027ad3df30edd10d69b666a936c4184f3ad26ebf683ae2d066607b9eda521955af0a3cb235d6d84cc5c6fda747525bef19ec3a5016db66945889

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9749c13b20bc60748c3f72c2cf20740

SHA1
227698fcf7919e5c66d91e4e0fd51a5d54ffcd6e

SHA256
2ea51d4fb5a6022d3cf66550189fa271c025d8fabd55cc24025d12e600b70594

SHA512
541c5d5e8187257adb03505430c87bd364bec53487b373ecf4f91aee21dcecc746a4855ca0ee72fbfddcf34e52fe2453770ae66183b308d6b45a0f37342e44d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ee35194fa07bea6145178b37a18edb25

SHA1
7cbe9989cbc0090cc0ab534c7aa77d64d959e489

SHA256
e323603a594cf3a7e03aea20d2ab69a17040a02f256ac1e3fe02f8a36889a483

SHA512
d292e22575da17d694a33d6132cea65ca1c58a16bd2532dd24db161d2a77cf233039ed1b66b48868210f4d0ffff16678db3be341eca044432b8087b520e59f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03f68343f5906993640e0b9e3f9c7964

SHA1
699e9c3fda1aa89e7a47ac8b77b41178c99cc8e2

SHA256
dd2d5bf380874e81adc5e05b667047dcf1b6c8a8953068fb177053e20c35f727

SHA512
76de9e035c0ad6ee3237006749fd28ee93a6fcd09700e265aaea432f7d2292aac87f0799221559caacd6dd58ff72af17d67627aace77bd2a36a802bbdc88b99c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
2c8a75c13479cf9177aaeaf3dcc56aba

SHA1
be5a1fc5732eb5eba5c829e2c3bb535255006058

SHA256
753ebb6d62babb6f186cde426bd3a585e73d675b0d9e64b296d44d6a7d529fc2

SHA512
45cbf273b356bef63425a044108ba3fc1457799cdfb0672ffbd75d8b8d9c5c10b6c9ffad80d05f20ee5d42c8f58eda423735d6f3fd697f623872a28d88ff409a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b0ce686b0d391285925eaf7b0e75a39b

SHA1
748ceff2113314fdacd33b004f9b8ee6bd34dee8

SHA256
a50561eaf675b323c27632c100aa9ef69acd71e9cb01f6955c3bb34b2dff09dd

SHA512
f73d0fcefe6937b8e5f0dfd8b2bf680536ed11fcc5dfc3ecd8f8d5b5293c6f1d2d0133f3ed8066f1643b89fbddb01eb8b460c46cdca224d145165340c5f7a7e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c2165e78a1985197f438b9fc992cce48

SHA1
a93e1f5f5fed134a9fb06033876caf3b981f3358

SHA256
489534f7733e0634c2db4f1c6739d80cf5794cba61dda3ff7c920af1d45859bc

SHA512
64e96c1e807f5cc1977540d0528b430e3cac769ff87ac793643b23e1f9e4ebcfbfb0d1add61b964d837fdc6530ab780d8e966bb903a7f19b264d08c60c7c9425

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5d76b10cc94e8857aaa12b29f5b14dd0

SHA1
3c8357d488393ef4eb7241f3bb7027325266ca79

SHA256
16248f8f6ab75e7e1e1aa3f8b1a755a58a4e73c9b24098af6dacbe60f5197874

SHA512
70753cbd35a425b16d2a8b1cdb16fec8c96fd621845c9d8fcc250f4adaab9f4a8a5240e640980843806feb7d7e07f7f23789baabfc5e0b45ac85214bc1d7ff61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
81ee4b57869a8b5a30f5b09f349a52be

SHA1
34b80bd5cce1fbd60c4aad2edde71b74ac92b3e1

SHA256
04870bf649d72e4282d50695161cacc5af175fc3b670ea0c7104212ab1ff5329

SHA512
809ebe9bb0d0bab654ac1d533ee2d8daa49e041b72e821fc7b7440535efd99ca0d24e86be737ffe11f7de5649185d7db23805e0897bcdda0fc2ed0be0668a1ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
875a7c16484c947cdca7420a99576152

SHA1
af1d032abbaffa2b17d4fcb54a0e8be7e2d0ced5

SHA256
4c5b1e356134e9183f7b2e3f99b048cb6eb1af7ea41ca783a5ea46c60d996268

SHA512
03117de00dcd0599d22a63167a136631efa4598a77f05cce9be325d5da7e566ae875327fe6b900f9e87c9f61ac81013889e350e51aa379b59d394f71a292ce29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
da7f8a1c2a94d1a3f678be45cbde6d09

SHA1
ee11f2d41c95963bb9d6cc469f2de9c73fcf50c4

SHA256
cf0951e996da2b8007edcd6c247e1596df05c50d0ac84da41f7d1bd0ff4b0ba3

SHA512
dfaf6d70f3687f30a7ac6659d02e8e07a4767ca47dca23c663ec760b987f6efaf49ee40c3de3f0297c2049e5c2178ff12d4117052c1a3997e2eabfe64f227e7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
825b54c2c1802d28a2169f8637f2e21d

SHA1
849009902c2ba08fa0924ff5fae8b60513c69a81

SHA256
a1571d81c7503ce980ce645c4dc65f5676dce7be195dd9f2866f83375b59e05a

SHA512
0356ca8ee834b5121a2e68b0174c0692821d451037399a9de21675123182dac382a8a0ac58f724a4725d8e07cbc876df81a6dca042bee50cb93425ebca35adca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8a43366a2b62d1549947ec3b4bd58bfe

SHA1
70306058f4998683d827ae178ce2b552dd1a4aa1

SHA256
baab233529c91ef2a91f97ac2c29a49e3a98470a08aa32554cbabfec8c52f67c

SHA512
6252a4c62a8495df191ea6b23b72ee093a412624c8e7c8354a30ed2abca66f10c194b2c6d16faa11418bc5bcd82834b45fc8ae8e684a20e93e3798559d010222

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1695d003166ce93876ccd3d1b2961b8a

SHA1
683ac1ae633305589f2f3db626a42b099963079c

SHA256
0efc4e9a696f209a7593974fd2ddcd7639d870b2d0c280d672398f76f4ad6740

SHA512
bb24b0a3e5f749c0a9a6ec382680c93f14234cc2ea29a7e7a03ab5c4912d6854afde739d38c1c97f1f135283d13103dfcb27ff72bb0d11f46a03df81d3516241

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4db8f1756bfc7fbdf09e7a4e398a69e8

SHA1
b7599b0b715bfaec6d6150076409335fc375173b

SHA256
8dd58c65bcd942f5b693f57191aa8f9ab62847590a58143513a8e935d1d53718

SHA512
27e9d5251b8f31da58b35580103697a6586e3f35bb55b601993c3f29f571e477a7a37e89471ad915ff9b0b2dbdfc5980f2be7c594ab74bb13d990207d1707679

Download Submit
memory/1616-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download