2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
Size

1.1MB
MD5

c8cf72a17c845608bfdbc128b918ee34
SHA1

2868f3e4ec8b4ff0261b74dbfb490351df41afce
SHA256

2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf
SHA512

5983a8a0d47b72c90c645414d1edb3a9fd954b9910add052f1ebbfcb1118f3fc7287bb11b1eaca66bbe761339c6e38f93946fbb9f67154db1ffd92416be2efae
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3284	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
3284	svchcst.exe
4788	svchcst.exe
2920	svchcst.exe
444	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1612	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
1612	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe
3284	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1612	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1612	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
1612	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
3284	svchcst.exe
3284	svchcst.exe
4788	svchcst.exe
4788	svchcst.exe
2920	svchcst.exe
2920	svchcst.exe
444	svchcst.exe
444	svchcst.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3288	1612	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe	82
PID 1612 wrote to memory of 3288	1612	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe	82
PID 1612 wrote to memory of 3288	1612	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe	82
PID 3288 wrote to memory of 3284	3288	WScript.exe	90
PID 3288 wrote to memory of 3284	3288	WScript.exe	90
PID 3288 wrote to memory of 3284	3288	WScript.exe	90
PID 3284 wrote to memory of 4528	3284	svchcst.exe	93
PID 3284 wrote to memory of 4528	3284	svchcst.exe	93
PID 3284 wrote to memory of 4528	3284	svchcst.exe	93
PID 4528 wrote to memory of 4788	4528	WScript.exe	94
PID 4528 wrote to memory of 4788	4528	WScript.exe	94
PID 4528 wrote to memory of 4788	4528	WScript.exe	94
PID 4788 wrote to memory of 4316	4788	svchcst.exe	95
PID 4788 wrote to memory of 4316	4788	svchcst.exe	95
PID 4788 wrote to memory of 4316	4788	svchcst.exe	95
PID 4788 wrote to memory of 724	4788	svchcst.exe	96
PID 4788 wrote to memory of 724	4788	svchcst.exe	96
PID 4788 wrote to memory of 724	4788	svchcst.exe	96
PID 724 wrote to memory of 2920	724	WScript.exe	97
PID 724 wrote to memory of 2920	724	WScript.exe	97
PID 724 wrote to memory of 2920	724	WScript.exe	97
PID 4316 wrote to memory of 444	4316	WScript.exe	98
PID 4316 wrote to memory of 444	4316	WScript.exe	98
PID 4316 wrote to memory of 444	4316	WScript.exe	98

C:\Users\Admin\AppData\Local\Temp\2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
"C:\Users\Admin\AppData\Local\Temp\2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4788
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:444
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
f31437e9c4417d05234101e1dcd426fd

SHA1
8b06b3b0c1d4534172e9da78b89f831892b5ff2d

SHA256
e78432a930eceddbf6ccec5f2435cb2d36c9cc35223c0eb85873a204ac994123

SHA512
6390c21112ad9d5636876aa0426db4cde674eebf1127c74d8e774c824c7239c11467a599578bc446b3d034b38cc0bc60d3b51e36924724ea5c93f98864647f8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2551ae733b39ac9061a9d5ebd2f29d98

SHA1
08247d27dd5bf959db0b29d3e5b0551dc47c9d02

SHA256
c69ee4a632cc1c351d5fa930d42546923a4125e7d9cbccb2ad9f9e3318be2b77

SHA512
a1c669cb87194c2b496a7131f7f2920b6c31156f88d6c1140e79f3b83fbca3785cd57fea2d47cb951ed576e69a1240e81746a5bc5444e65fd05fa5234125731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
95cbcc068b61f14455af7f3daea5c57f

SHA1
7121bec25241666a150cd1a58eb7efb0b26eab96

SHA256
205412cd3d890bd070295ebf41e4a831de855a2b755c1a583b4dd2df66d5bc81

SHA512
5ae57031bb2ce71bf93c683f07f82b521918ef8a145a80f8e488e403d7ca97079cb305bb3f9ad93f2b3a99f44954063447a5f9a2c0f6f276a2ef84beff5674a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
28da936977a4e633dccc3fa37056d9de

SHA1
6766f4f68b2d4992ec9712fc4a72fce94d362b8b

SHA256
9d6d2616f0263d64b58fba283c04c05d2fecde95f4873a0beff64219048513cc

SHA512
fccdfa2b0f06aec30dc8e8ec0a1fc143ddf9bd0d6aecd18e81e757d84f683145897bf452237ea61af8930bb9a0bc0b658e79ed5910cb3a2f2b8d0fd3df8b1093

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2740375597b45a7a9d4ebc4d262d7b83

SHA1
c9e1b16e465a25f4d52187efe658aa558f31822b

SHA256
8ea1ea1236c040905934b039e8fdfb7bd8e074567213a743e9c7b4b6a7684dc3

SHA512
0895a4d770c31722cc5f5426e989620db000359cfd3bf375b2b4e0641474468365fb6abc4db82ee56f59a7e216490cf97bb3b7eec5ed9f369f85aa56ed2ee58c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f895434732ae3c75629932452d059905

SHA1
0f21ac26567fa640b78e90e15b66ffe7625912dc

SHA256
fab37b7df00a18e054ab3a1c1900c7e0e76eee89ef525b7e945db560625f8292

SHA512
c2517128d9bd8e0223e44f6dc8c966b85fecde218b18fc2169eea1f3274fac6516f3e68ed8c5a33fc244b11966b611ee694bb385ee649354a105974e711acbb7

Download Submit
memory/444-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/444-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1612-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1612-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2920-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3284-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3284-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4788-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download