8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f

Analysis

max time kernel
94s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
Size

1.1MB
MD5

a287f6e56d12a9fabca2938e6b3d9061
SHA1

20d6adbc291fc085cbbecfe25622df117594e156
SHA256

8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f
SHA512

824ff3f7e1adc45f00525e9fbea1779840da43b01091c2074fda8bffd8a4fca315717d50c915f4a7af41fc08d5e87783d5e6f4fbcc0b25f5bb3315b99d767327
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QA:acallSllG4ZM7QzMH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2176	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
436	svchcst.exe
2176	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
436	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
436	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 4144	3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe	83
PID 3120 wrote to memory of 4144	3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe	83
PID 3120 wrote to memory of 4144	3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe	83
PID 3120 wrote to memory of 2916	3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe	84
PID 3120 wrote to memory of 2916	3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe	84
PID 3120 wrote to memory of 2916	3120	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe	84
PID 4144 wrote to memory of 436	4144	WScript.exe	88
PID 4144 wrote to memory of 436	4144	WScript.exe	88
PID 4144 wrote to memory of 436	4144	WScript.exe	88
PID 2916 wrote to memory of 2176	2916	WScript.exe	89
PID 2916 wrote to memory of 2176	2916	WScript.exe	89
PID 2916 wrote to memory of 2176	2916	WScript.exe	89

C:\Users\Admin\AppData\Local\Temp\8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
"C:\Users\Admin\AppData\Local\Temp\8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:436
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c9f28d2edd53d47fccecd8247d216e5f

SHA1
e5ebc899d53d942cb9a722df3f9fd7526c85e000

SHA256
4cdee2e9620d988d4ca3018ccbcee5af5808de3178e6b45af876a1ff949ff4c8

SHA512
1d9f73311982975ff66548d05f8b7fd2f5d955c530e36230dcb0e25c97701b40626f94439850fba5efd8a051e17fdb011ec65052aab7ee9a4edd25f5e20bb149

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
998f1e48dccbfc60464212afb2b5769a

SHA1
258ee61512305656988b09277442a3e81b3dc489

SHA256
d66e84030896fbf4073678d3b7f9423399175aacf939e163bbb4c8dcd54436fc

SHA512
a18912ba0c2c3d7d0691209e1a8d6e0af71333c7bf2009cd512e24988bfad38bfcd867685bd8f93f57db271f3fc2e499236c298208cf2397947cd26873a63698

Download Submit
memory/436-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2176-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3120-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3120-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download