02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
Size

1.1MB
MD5

6e175ef9d507ed111b10260035c402ec
SHA1

cc5c7789ebd5d0510c0f9405ce43bc9acb64f043
SHA256

02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554
SHA512

cab9d8a0dd9a76d51c3cf29fcb0505e2297391e85bb7ed09c6e2868afa538d3a5978c9ddf53b386a1e82ef600157fb2daa7b0343aeeaf5dd33814a8266c06aa3
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q4:acallSllG4ZM7QzMv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
612	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
612	svchcst.exe
4800	svchcst.exe
856	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1824	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
1824	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe
612	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1824	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1824	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
1824	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
612	svchcst.exe
612	svchcst.exe
4800	svchcst.exe
4800	svchcst.exe
856	svchcst.exe
856	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 3492	1824	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe	80
PID 1824 wrote to memory of 3492	1824	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe	80
PID 1824 wrote to memory of 3492	1824	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe	80
PID 3492 wrote to memory of 612	3492	WScript.exe	85
PID 3492 wrote to memory of 612	3492	WScript.exe	85
PID 3492 wrote to memory of 612	3492	WScript.exe	85
PID 612 wrote to memory of 4516	612	svchcst.exe	86
PID 612 wrote to memory of 4516	612	svchcst.exe	86
PID 612 wrote to memory of 4516	612	svchcst.exe	86
PID 612 wrote to memory of 3512	612	svchcst.exe	87
PID 612 wrote to memory of 3512	612	svchcst.exe	87
PID 612 wrote to memory of 3512	612	svchcst.exe	87
PID 3512 wrote to memory of 4800	3512	WScript.exe	91
PID 3512 wrote to memory of 4800	3512	WScript.exe	91
PID 3512 wrote to memory of 4800	3512	WScript.exe	91
PID 4516 wrote to memory of 856	4516	WScript.exe	92
PID 4516 wrote to memory of 856	4516	WScript.exe	92
PID 4516 wrote to memory of 856	4516	WScript.exe	92

C:\Users\Admin\AppData\Local\Temp\02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
"C:\Users\Admin\AppData\Local\Temp\02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
be967c6e1101a6f1c073e3590cac9867

SHA1
e16b509497965e733bdcdaa650e17dbf45aa5476

SHA256
40aa5bd6931686c2b4132820e8d1f35168bc31cf4070cafca8ce3d8829253d3d

SHA512
417856b1b57b0734006456f10b272c2918af42ced8ea327ce5a51cea0641ad9927a30672a9c93057d8e17dd277f8f4dc601defa012fcf9c103243ad0bac36a9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0e43f10a01a8cb9cbc7a040fee528f19

SHA1
76333685b006da5a02a0c726736868acd317162b

SHA256
85ddf6bc50f67ad3beeb061f35286feb569d377e4799f899d8d9f92f004046bb

SHA512
4f15027a78541e68519a014897774e77df4dee40af840992c6aeea65613edd5826fcdb40a40c5631045fd3b6e66862f455d4e64940a30997d345b3d28801ba18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3f0ba3ec370b816d67c0db63256bb3f3

SHA1
3229177899b32dfbd209abb6de7f01de7d5dfc96

SHA256
6c1842cee701ad85d888016391ca74980081050fcfa90b1ce4f9f65b4e95f49f

SHA512
c523723a5fca79e033d9088f1e5c9d8a357ed4bde5810b14722f736f331163cc70817acee8b3a1bb06c629443c11f77d485a2048bdecfe2a484bb1923e541c00

Download Submit
memory/612-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/856-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/856-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1824-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1824-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4800-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4800-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download