Analysis
max time kernel: 52s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 18:36
Static task: static1
Behavioral task: behavioral1
  Sample: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe
  Resource: win10v2004-20240508-en
General
Target: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe
Size: 1.1MB
MD5: c136d52566d04a9c10626bff3fcb2886
SHA1: 44f394c5d9ab3d50b7dc0de6987e84c2ad0db4f5
SHA256: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c
SHA512: 5ee80cdbdb8f63c81722f96a5815f05c8d4b23c6e7c48f72673d64cf1a4db56958e7d40a17b862316d24b548068db04a52cc5d67e01d101a04f8921c57d2a7d7
SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qr:acallSllG4ZM7QzMM
Malware Config
Signatures
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe, svchcst.exe, WScript.exe, WScript.exe, dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | svchcst.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe
Deletes itself (1 IoC)
Processes: svchcst.exe
pid | process
3256 | svchcst.exe
Executes dropped EXE (3 IoCs)
Processes: svchcst.exe, svchcst.exe, svchcst.exe
pid | process
3256 | svchcst.exe
4180 | svchcst.exe
3124 | svchcst.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (5 IoCs)
Processes: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe, WScript.exe, svchcst.exe, WScript.exe, WScript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | svchcst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe, svchcst.exe
pid | process
4716 | dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe (2 entries)
3256 | svchcst.exe (remaining 62 entries, all identical)
Suspicious behavior: RenamesItself (1 IoC)
Processes: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe
pid | process
4716 | dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe, svchcst.exe, svchcst.exe, svchcst.exe
pid | process
4716 | dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe (2 entries)
3256 | svchcst.exe (2 entries)
4180 | svchcst.exe (2 entries)
3124 | svchcst.exe (2 entries)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe, WScript.exe, svchcst.exe, WScript.exe, WScript.exe
description | pid | process | target process
PID 4716 wrote to memory of 4956 | 4716 | dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe | WScript.exe (3 entries)
PID 4956 wrote to memory of 3256 | 4956 | WScript.exe | svchcst.exe (3 entries)
PID 3256 wrote to memory of 4616 | 3256 | svchcst.exe | WScript.exe (3 entries)
PID 3256 wrote to memory of 1064 | 3256 | svchcst.exe | WScript.exe (3 entries)
PID 4616 wrote to memory of 4180 | 4616 | WScript.exe | svchcst.exe (3 entries)
PID 1064 wrote to memory of 3124 | 1064 | WScript.exe | svchcst.exe (3 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe (PID 4716)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe (PID 4956)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 3256)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        - Checks computer location settings
        - Deletes itself
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WScript.exe (PID 4616)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          - Checks computer location settings
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 4180)
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\WScript.exe (PID 1064)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          - Checks computer location settings
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 3124)
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 92B
MD5: 67b9b3e2ded7086f393ebbc36c5e7bca
SHA1: e6299d0450b9a92a18cc23b5704a2b475652c790
SHA256: 44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d
SHA512: 826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Filesize: 696B
MD5: c85adfb789ee03eba0d843b08042e4db
SHA1: 263793011d11bd0dd1daf4b55215a8802f9bf6e2
SHA256: 8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59
SHA512: b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

Filesize: 753B
MD5: 6646c0f409e0bb505a6faa8bd94ff1ee
SHA1: ef09fd147d06b8d26303584495967b40d403b349
SHA256: 512e5f94e790159720e97d5d09d85010a137551891d25bb81ee017417ea29833
SHA512: 0dbb6aa3021573c9bc9d922f8685929d7931de45321817ff43f83da01841bc9e55720bf3dd165ec3c5f3250b26cbda16c3338efa752f8e1daf6eef9cde729ffd

Filesize: 1.1MB
MD5: 0628af060a2eb8c9375cff8bced78559
SHA1: 8986435140d564a27ab685a694048e4ca804e736
SHA256: c2c6ed52c39d84ba26da98a2e45f299f5f91e103c462b82d177e7ff79071ac7a
SHA512: 0dd2721ccc54a3d73ad3a5d895274ae87b9b1d1a833061b7b6dc92f14ac1755db68796e90fd3f9a6b1440cfae729ea93e3d7ac62783297925215430c7abfada9

Filesize: 1.1MB
MD5: 560dcd167648a2c6261e1161bf7589e6
SHA1: 4e3c756b201a09bdbea257a02a1295c8a3b9237d
SHA256: 77a8eff43e3834b57c34b9f9f6a8561a679a2132387015a7974b0ebacbf3486f
SHA512: bde87a3381cd1dd390adf86e9ea08e9d64111026da197893cd7e8d56ebd32cdacffe76a24d11f43ea80eecaad00aefca838d2f8c58a19c901ad1f524ed7bf66f

Filesize: (not listed; these are the well-known hashes of a zero-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e