d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db

Analysis

max time kernel
52s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe
Size

1.1MB
MD5

427944e5575ac485103fc0d07b959f55
SHA1

464757e8c2ccddc6409b641ddc0d69b5d946631a
SHA256

d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db
SHA512

8277c9ba9c06376154ebace45683f914e226a9dd8a4527a8ca3025e36203786cc7ef3ecff9abb8205f97314a82bea12172b7f555425d88302cae3ee80d5fdbb4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qh:CcaClSFlG4ZM7QzMi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1132	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1132	svchcst.exe
3124	svchcst.exe
412	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
624	d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe
624	d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
624	d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
624	d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe
624	d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe
1132	svchcst.exe
1132	svchcst.exe
3124	svchcst.exe
3124	svchcst.exe
412	svchcst.exe
412	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2124	624	d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe	82
PID 624 wrote to memory of 2124	624	d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe	82
PID 624 wrote to memory of 2124	624	d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe	82
PID 2124 wrote to memory of 1132	2124	WScript.exe	86
PID 2124 wrote to memory of 1132	2124	WScript.exe	86
PID 2124 wrote to memory of 1132	2124	WScript.exe	86
PID 1132 wrote to memory of 5040	1132	svchcst.exe	87
PID 1132 wrote to memory of 5040	1132	svchcst.exe	87
PID 1132 wrote to memory of 5040	1132	svchcst.exe	87
PID 1132 wrote to memory of 5056	1132	svchcst.exe	88
PID 1132 wrote to memory of 5056	1132	svchcst.exe	88
PID 1132 wrote to memory of 5056	1132	svchcst.exe	88
PID 5056 wrote to memory of 3124	5056	WScript.exe	89
PID 5056 wrote to memory of 3124	5056	WScript.exe	89
PID 5056 wrote to memory of 3124	5056	WScript.exe	89
PID 5040 wrote to memory of 412	5040	WScript.exe	90
PID 5040 wrote to memory of 412	5040	WScript.exe	90
PID 5040 wrote to memory of 412	5040	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe
"C:\Users\Admin\AppData\Local\Temp\d30430659aa973f9fef52fdeeb17452d67ec020e04ea11cc0aab7d0e11c8e2db.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:412
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
6b849a35c2dbd6e4dde5ad7cd3ebff87

SHA1
162b25d751d4eed1bd7296ca15b3ff7b95f59578

SHA256
2af5c5d6ca049c7b7bd455a65b962d6365c4ead48414e5e3f98d0f633e8cfe36

SHA512
cb8cb23b0d9090928e2cebd83457f8bc722df4e6a4d74f5633e49ff4b823ebad6ad9f9f0ed7686fa10aeb08eeed7671646ac295cf728dd94b95a74a776e145dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9fef941d545b4bd71a1ebe372fec1eea

SHA1
db18b9e5e745e7515b699bdbff891efe341dc32a

SHA256
3f6f04a181873c730893e78a8b89658c948897d348d0ed2325a0e9df88c3a313

SHA512
1533394abb8e982a306783f92ca2ca6f51045000ff762da2072f525eb276b934651a4e48967a07e143067a94ed7a1e49e4f32284ce7fc922a14afc0f4ff4d7d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dff8d7239f8fa9deac686a63f307fbc9

SHA1
1110fcb14617a6ffc7ca41c628495a6e23577802

SHA256
7623252068cae9dc12f36f4b70e864f97a605951e346f05ccbaaf18980efa4d3

SHA512
67639571b131c3377e383d5561e2e5139311b6f1c91a7249739925bd693be0a8161e04219424f6cfacdda03b724d9d3eea1318c964ffe8dc2ea31ae7fb76d2f6

Download Submit
memory/624-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download