36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe
Size

1.1MB
MD5

7f4b2577fc27cfcf5a567c2d68352589
SHA1

800254e4a2bb413a2f7303018d43afe0e9af6529
SHA256

36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10
SHA512

01ea2227ea77286a4fc74e5671a578fb3033a9df286268f7f6497327e3d1e2b06d9d2f58cc5e0c8a91435e93a5904e67a649dff346238d401d70633425e50a9e
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzML

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
756	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
756	svchcst.exe
2864	svchcst.exe
2924	svchcst.exe
3980	svchcst.exe
4768	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3520	36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe
3520	36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe
756	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3520	36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3520	36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe
3520	36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe
756	svchcst.exe
756	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
3980	svchcst.exe
4768	svchcst.exe
4768	svchcst.exe
3980	svchcst.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 2780	3520	36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe	83
PID 3520 wrote to memory of 2780	3520	36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe	83
PID 3520 wrote to memory of 2780	3520	36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe	83
PID 2780 wrote to memory of 756	2780	WScript.exe	88
PID 2780 wrote to memory of 756	2780	WScript.exe	88
PID 2780 wrote to memory of 756	2780	WScript.exe	88
PID 756 wrote to memory of 3656	756	svchcst.exe	89
PID 756 wrote to memory of 3656	756	svchcst.exe	89
PID 756 wrote to memory of 3656	756	svchcst.exe	89
PID 756 wrote to memory of 2416	756	svchcst.exe	90
PID 756 wrote to memory of 2416	756	svchcst.exe	90
PID 756 wrote to memory of 2416	756	svchcst.exe	90
PID 3656 wrote to memory of 2864	3656	WScript.exe	91
PID 3656 wrote to memory of 2864	3656	WScript.exe	91
PID 3656 wrote to memory of 2864	3656	WScript.exe	91
PID 2416 wrote to memory of 2924	2416	WScript.exe	92
PID 2416 wrote to memory of 2924	2416	WScript.exe	92
PID 2416 wrote to memory of 2924	2416	WScript.exe	92
PID 2864 wrote to memory of 1800	2864	svchcst.exe	93
PID 2864 wrote to memory of 1800	2864	svchcst.exe	93
PID 2864 wrote to memory of 1800	2864	svchcst.exe	93
PID 2864 wrote to memory of 1416	2864	svchcst.exe	94
PID 2864 wrote to memory of 1416	2864	svchcst.exe	94
PID 2864 wrote to memory of 1416	2864	svchcst.exe	94
PID 1800 wrote to memory of 3980	1800	WScript.exe	95
PID 1800 wrote to memory of 3980	1800	WScript.exe	95
PID 1800 wrote to memory of 3980	1800	WScript.exe	95
PID 1416 wrote to memory of 4768	1416	WScript.exe	96
PID 1416 wrote to memory of 4768	1416	WScript.exe	96
PID 1416 wrote to memory of 4768	1416	WScript.exe	96

C:\Users\Admin\AppData\Local\Temp\36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe
"C:\Users\Admin\AppData\Local\Temp\36a66ca9c7b439d5f9d544db77731d46951517b0797e335a201c8953851c3a10.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3656
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3980
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4768
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c84a24db4b74c078cdffbd097c26b45a

SHA1
dbb670b42316136db81258279631e6114e6eb780

SHA256
882a32184fb1531644097a03c5c2793634472ba956d7f3e75961708a15f53ad6

SHA512
601956d48e2aefaae2ed4e8e5ae32b8fcdd4863aa832d9c0cb63be324986c4acfeaa6b0ce379619cdba2c74b6f23227657b84605c40fccb7ffe8fc773abb68e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d0f2bfddf139c28ff5072924a33087c5

SHA1
873e452cc63f54f1a8cee0954af1ce487e0029fe

SHA256
897be6fd3431ffb0da26b458d8d9685237dde60e14b48f32c0f48994313e3112

SHA512
6e186e66a8ec461ccda778b6c029443f6f7126473d65c919512c9035974b27e6f6c19fb375fd392463095e563e115a5e94666f127102855f4a2ef0e41ecc3667

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f400aa23d72441dc71e0457ac59456dd

SHA1
9367ec8a52b3d1d522bda21da24df47733cd776a

SHA256
e42188402e50454984f068719b3d1d53b0362a7dd3c7c83fa04cbc533f30f554

SHA512
2dd41a8331cd363f524c245a158e8c17841fcffedd1b20759035b0e2da860fc35df76444b8aa49c27302095edf1899e8d77472207c3a04a9e36d9704b3c67c43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
943f53754917544fbc5a1f456c456dd1

SHA1
88d0c2703154708a308789a88bbdb3d19328f96b

SHA256
01a95cbcd99a4e267bab01c1edb431377239b1272f891be19ef867b13474f579

SHA512
9f9b4fa82c5f32814306e498bea0554dccb5c29f0c316b9c70aab41d5c1888baeed59956ffa52e315af06ad2e16b419c7025df8d293e9eb5fd0b72dbd6f3603f

Download Submit
memory/756-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2864-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2864-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2924-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2924-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3520-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3520-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3980-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3980-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4768-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4768-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download