43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
Size

1.1MB
MD5

6bfbe52166fef78db443fa067727d251
SHA1

f9feb5267e839258d5882da390222b46faf1c43d
SHA256

43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f
SHA512

76faf7440b4519bbbf63d46a371e15229a984492b5084e852431737a180ea2e5d5c4d9d2000bc19c5f55eb1f09a1dec3207a30f0a2d094c3a5c9a52a506a7d12
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Ql:acallSllG4ZM7QzMO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2132	svchcst.exe

Executes dropped EXE 6 IoCs

pid	Process
1384	svchcst.exe
2132	svchcst.exe
4040	svchcst.exe
3500	svchcst.exe
1580	svchcst.exe
4664	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
2132	svchcst.exe
2132	svchcst.exe
1384	svchcst.exe
1384	svchcst.exe
4040	svchcst.exe
4040	svchcst.exe
3500	svchcst.exe
3500	svchcst.exe
1580	svchcst.exe
1580	svchcst.exe
4664	svchcst.exe
4664	svchcst.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 4820	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	95
PID 3892 wrote to memory of 4820	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	95
PID 3892 wrote to memory of 4820	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	95
PID 3892 wrote to memory of 3324	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	94
PID 3892 wrote to memory of 3324	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	94
PID 3892 wrote to memory of 3324	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	94
PID 3892 wrote to memory of 1948	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	93
PID 3892 wrote to memory of 1948	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	93
PID 3892 wrote to memory of 1948	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	93
PID 3892 wrote to memory of 1576	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	92
PID 3892 wrote to memory of 1576	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	92
PID 3892 wrote to memory of 1576	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	92
PID 3892 wrote to memory of 3356	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	91
PID 3892 wrote to memory of 3356	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	91
PID 3892 wrote to memory of 3356	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	91
PID 3892 wrote to memory of 4780	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	96
PID 3892 wrote to memory of 4780	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	96
PID 3892 wrote to memory of 4780	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	96
PID 3892 wrote to memory of 1680	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	90
PID 3892 wrote to memory of 1680	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	90
PID 3892 wrote to memory of 1680	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	90
PID 3892 wrote to memory of 544	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	97
PID 3892 wrote to memory of 544	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	97
PID 3892 wrote to memory of 544	3892	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	97
PID 3324 wrote to memory of 1384	3324	WScript.exe	99
PID 3324 wrote to memory of 1384	3324	WScript.exe	99
PID 3324 wrote to memory of 1384	3324	WScript.exe	99
PID 1576 wrote to memory of 2132	1576	WScript.exe	100
PID 1576 wrote to memory of 2132	1576	WScript.exe	100
PID 1576 wrote to memory of 2132	1576	WScript.exe	100
PID 4820 wrote to memory of 4040	4820	WScript.exe	101
PID 4820 wrote to memory of 4040	4820	WScript.exe	101
PID 4820 wrote to memory of 4040	4820	WScript.exe	101
PID 3356 wrote to memory of 3500	3356	WScript.exe	102
PID 3356 wrote to memory of 3500	3356	WScript.exe	102
PID 3356 wrote to memory of 3500	3356	WScript.exe	102
PID 544 wrote to memory of 1580	544	WScript.exe	103
PID 544 wrote to memory of 1580	544	WScript.exe	103
PID 544 wrote to memory of 1580	544	WScript.exe	103
PID 4780 wrote to memory of 4664	4780	WScript.exe	104
PID 4780 wrote to memory of 4664	4780	WScript.exe	104
PID 4780 wrote to memory of 4664	4780	WScript.exe	104

C:\Users\Admin\AppData\Local\Temp\43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
"C:\Users\Admin\AppData\Local\Temp\43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3500
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4040
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4664
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
bd5cfd5daa3f0ba412f6d331787ceb16

SHA1
733a9afa493f0ca553cc0313daa87ab1b26a764d

SHA256
35897c5a03daf36f578c3405d8c7fd78957e3aa1b74d4f61673bb51ebcfb10b1

SHA512
4be36ea21c87e436511b1730ec68bda6477d1bceb54178d43a03ef05d71425b4f5f2b1d2f404ca341a71a9bc3b51117aaaaabd4292219895bcabad46602f7e85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bda235f6f758119b3c8489069246255c

SHA1
15920e046e5560cfef7a389f2fe3142035380080

SHA256
7301021046582497213d38e3a07fd36f708bf1c3873d29970d0e0fa1edbe595c

SHA512
705011e4e29418e7bda4258e0ba826afd3472abfe27b6549218b00d535db910df07f3796d632bf28eb06eb4552f21a111fcf39cbd199e4096ff967fb9b5ff825

Download Submit
memory/1384-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1384-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1580-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3500-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3500-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3892-5-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3892-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3892-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4040-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4040-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4664-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4664-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download