Analysis
- max time kernel: 93s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 18:43

Static task: static1

Behavioral task: behavioral1
- Sample: 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe
- Resource: win10v2004-20240611-en
General
- Target: 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe
- Size: 1.1MB
- MD5: 6d76dd1996b7c3c54a522968ea2ed08f
- SHA1: 3f716630ac0d1b107e5bbc4b7b12502cf04fd8a8
- SHA256: 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f
- SHA512: 96acca447a2e5997ece19e527584fb712a4182970071f8eb3eb6bc3b2fa6293d3303b352fa482630ba90aede9a28f51957120337285712b8b8b47cfe61638223
- SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qb:acallSllG4ZM7QzM8
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 5 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: WScript.exe, 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe, WScript.exe, svchcst.exe, WScript.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation
    by WScript.exe
    by 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe
    by WScript.exe
    by svchcst.exe
    by WScript.exe
- Deletes itself (1 IoC)
  Processes: PID 4876 svchcst.exe
- Executes dropped EXE (3 IoCs)
  Processes: PID 4876 svchcst.exe, PID 920 svchcst.exe, PID 3268 svchcst.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (5 IoCs)
  Processes: svchcst.exe, WScript.exe, WScript.exe, 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe, WScript.exe
  Key created: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings
    by svchcst.exe
    by 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
    by WScript.exe
    by WScript.exe
    by WScript.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 4556 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe (2 events), PID 4876 svchcst.exe (62 events)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: PID 4556 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes: PID 4556 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe (2 events), PID 4876 svchcst.exe (2 events), PID 920 svchcst.exe (2 events), PID 3268 svchcst.exe (2 events)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe, WScript.exe, svchcst.exe, WScript.exe, WScript.exe
  Each source/target pair below was observed 3 times:
    PID 4556 (691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe) wrote to memory of PID 3912 (WScript.exe)
    PID 3912 (WScript.exe) wrote to memory of PID 4876 (svchcst.exe)
    PID 4876 (svchcst.exe) wrote to memory of PID 3896 (WScript.exe)
    PID 4876 (svchcst.exe) wrote to memory of PID 3736 (WScript.exe)
    PID 3736 (WScript.exe) wrote to memory of PID 920 (svchcst.exe)
    PID 3896 (WScript.exe) wrote to memory of PID 3268 (svchcst.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe (PID 4556)
  Command line: "C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 3912)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 4876)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WScript.exe (PID 3896)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 3268)
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\WScript.exe (PID 3736)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 920)
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads