aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
Size

1.1MB
MD5

0891170adf7f735d1fe4e57ac5185782
SHA1

96320ee9e3524fccba12321ad55bc9b5fe186dc5
SHA256

aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39
SHA512

0f38b03f8ad6d97d662ee56b40ff7a16ea6481b77e34bb1fab69a7ce5eba9254e4bb15d88b9fddbc4e1aa96b4c1aad18ddb281327058fb4e75ae9d7e2c065a91
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QX:CcaClSFlG4ZM7QzMw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
1584	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1584	svchcst.exe
3888	svchcst.exe
1064	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2296	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
2296	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2296	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2296	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
2296	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
1584	svchcst.exe
1584	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1952	2296	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe	85
PID 2296 wrote to memory of 1952	2296	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe	85
PID 2296 wrote to memory of 1952	2296	aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe	85
PID 1952 wrote to memory of 1584	1952	WScript.exe	91
PID 1952 wrote to memory of 1584	1952	WScript.exe	91
PID 1952 wrote to memory of 1584	1952	WScript.exe	91
PID 1584 wrote to memory of 852	1584	svchcst.exe	92
PID 1584 wrote to memory of 852	1584	svchcst.exe	92
PID 1584 wrote to memory of 852	1584	svchcst.exe	92
PID 1584 wrote to memory of 1940	1584	svchcst.exe	93
PID 1584 wrote to memory of 1940	1584	svchcst.exe	93
PID 1584 wrote to memory of 1940	1584	svchcst.exe	93
PID 852 wrote to memory of 3888	852	WScript.exe	96
PID 852 wrote to memory of 3888	852	WScript.exe	96
PID 852 wrote to memory of 3888	852	WScript.exe	96
PID 1940 wrote to memory of 1064	1940	WScript.exe	97
PID 1940 wrote to memory of 1064	1940	WScript.exe	97
PID 1940 wrote to memory of 1064	1940	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe
"C:\Users\Admin\AppData\Local\Temp\aba3b565d9f3a39001a42ad2a65fd9af71a5f5fbfe263fb01376c23c1ccf2e39.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3888
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1582a0e4d82b5ad1850d7634d0f20d1b

SHA1
3d25d21e7f85af1b4aaa9107a5a6b04aba93f17f

SHA256
3e4f2dd7b0c7b9fee0c383a3a8abfbf513937e189f589285f10eac44ae6f48f7

SHA512
7bb52aaecc7a22f7fd402b541e0b56ec04a649878765d42c32de975baa747efb222a1b9c9759460a60663c9539f1d0bfc70f7520e035874444fb8062be3853b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
65f5096a1c433e8ab1754390ec230b0a

SHA1
c80faed1e23d4d35af32b937d623fa264aa1d709

SHA256
ac3c7f1968bb410dde9fe6ea4d821bf91286d22bbe6bfec675e03163239dd590

SHA512
19042400457d525954e7bb4ce1a1d984d7648f5cf59faf89e3d9520716f369cf9da30d72c98d3dbfa39b190625b4ada6b00ba2c81d823cfdb46b27439fe0badc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3059add927c25628b46e37166d8cbee6

SHA1
96723062fd69bc9a542e7471f602ecb979fdb058

SHA256
c769b098b731fe7fbeec5f2c8f217d1075f8c63410de4de450d44d0773858c56

SHA512
e6ae638911a042fc1694b831c199abc6a4bb453fdae45f5e71918e9ae2f1bd4f63b1cbef61f93dcbd16a97dfce7fcb54f3d9b35b002befcf9147bd32997b5878

Download Submit
memory/2296-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download