0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
Size

1.1MB
MD5

2a58969cbd444a5d8dcfbd3f93019c83
SHA1

ca6f5198678af921cd7c089566b1b1f7f48c09db
SHA256

0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456
SHA512

4b210820fcee0e29e412f7a12d69760169b910d7be14d63679334a3af020235fd61a560e8081a3ec47a2e1e23847392eda5c3a5a8a2e3cef811184a7cde50ac2
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qa:CcaClSFlG4ZM7QzMp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe

Deletes itself 1 IoCs

pid	Process
4748	svchcst.exe

Executes dropped EXE 7 IoCs

pid	Process
4748	svchcst.exe
1724	svchcst.exe
3864	svchcst.exe
2940	svchcst.exe
4596	svchcst.exe
3628	svchcst.exe
1392	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe
4748	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
4748	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
4748	svchcst.exe
3864	svchcst.exe
3864	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
3628	svchcst.exe
3628	svchcst.exe
1392	svchcst.exe
1392	svchcst.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2292	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	94
PID 1572 wrote to memory of 2292	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	94
PID 1572 wrote to memory of 2292	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	94
PID 1572 wrote to memory of 3876	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	95
PID 1572 wrote to memory of 3876	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	95
PID 1572 wrote to memory of 3876	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	95
PID 1572 wrote to memory of 4496	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	96
PID 1572 wrote to memory of 4496	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	96
PID 1572 wrote to memory of 4496	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	96
PID 1572 wrote to memory of 2892	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	91
PID 1572 wrote to memory of 2892	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	91
PID 1572 wrote to memory of 2892	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	91
PID 1572 wrote to memory of 3852	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	93
PID 1572 wrote to memory of 3852	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	93
PID 1572 wrote to memory of 3852	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	93
PID 1572 wrote to memory of 4512	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	92
PID 1572 wrote to memory of 4512	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	92
PID 1572 wrote to memory of 4512	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	92
PID 1572 wrote to memory of 1212	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	97
PID 1572 wrote to memory of 1212	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	97
PID 1572 wrote to memory of 1212	1572	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	97
PID 2892 wrote to memory of 4748	2892	WScript.exe	99
PID 2892 wrote to memory of 4748	2892	WScript.exe	99
PID 2892 wrote to memory of 4748	2892	WScript.exe	99
PID 3852 wrote to memory of 1724	3852	WScript.exe	100
PID 3852 wrote to memory of 1724	3852	WScript.exe	100
PID 3852 wrote to memory of 1724	3852	WScript.exe	100
PID 4496 wrote to memory of 3864	4496	WScript.exe	101
PID 4496 wrote to memory of 3864	4496	WScript.exe	101
PID 4496 wrote to memory of 3864	4496	WScript.exe	101
PID 3876 wrote to memory of 2940	3876	WScript.exe	102
PID 3876 wrote to memory of 2940	3876	WScript.exe	102
PID 3876 wrote to memory of 2940	3876	WScript.exe	102
PID 4512 wrote to memory of 4596	4512	WScript.exe	103
PID 4512 wrote to memory of 4596	4512	WScript.exe	103
PID 4512 wrote to memory of 4596	4512	WScript.exe	103
PID 1212 wrote to memory of 3628	1212	WScript.exe	104
PID 1212 wrote to memory of 3628	1212	WScript.exe	104
PID 1212 wrote to memory of 3628	1212	WScript.exe	104
PID 2292 wrote to memory of 1392	2292	WScript.exe	105
PID 2292 wrote to memory of 1392	2292	WScript.exe	105
PID 2292 wrote to memory of 1392	2292	WScript.exe	105

C:\Users\Admin\AppData\Local\Temp\0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
"C:\Users\Admin\AppData\Local\Temp\0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1724
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1392
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2940
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3864
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c8c71ede9df3981828c2cadaee3ed682

SHA1
4f1a43a384b7b5de88b29d0d4d7d63ca0fe4af67

SHA256
7476e0d44c7a0d2b9da69b6d698eaa631de2221b3aeac97bae3bc53971c533db

SHA512
63073cb50ef471d2a6405a25ee86cd6a9f6ffa047042154284a50df7ff5a59f84c05fee93743c0ed29341013a4b6c397d025fe88a5cf30ff2ed10b0f6e9d38ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8062010534a60d16086c3509532779af

SHA1
f6f1492bf45fb3b4b2ae24b175fac19919122418

SHA256
ac9f28899706e0619ad582ba22ea38a634faded2103a724af314721822052fca

SHA512
49b51ea6c7da41d25730c03c3c151930d15e46acbb071b71ab4c2a5790125ec493a85a3e7cf088946a6288e0485713eaf298fe212a9eca95e8c75c360be74ce9

Download Submit
memory/1572-20-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1572-21-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download