10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe
Size

1.1MB
MD5

98d4065988535322e2b887eef682fe45
SHA1

549897a954a0666e75716ca035278751ef3b1d73
SHA256

10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d
SHA512

3d78def4c0fd134a8d4dcdd09bd179350ae0d7c607e601a1ebd8d64ed0af38436f60b81874d3011cbb1eb30078eb5dc27830ae687de47baae892e77cc4b99b65
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QR:CcaClSFlG4ZM7QzMy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
4960	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4960	svchcst.exe
5084	svchcst.exe
2308	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3668	10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe
3668	10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe
4960	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3668	10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3668	10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe
3668	10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe
4960	svchcst.exe
4960	svchcst.exe
2308	svchcst.exe
2308	svchcst.exe
5084	svchcst.exe
5084	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 2872	3668	10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe	82
PID 3668 wrote to memory of 2872	3668	10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe	82
PID 3668 wrote to memory of 2872	3668	10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe	82
PID 2872 wrote to memory of 4960	2872	WScript.exe	87
PID 2872 wrote to memory of 4960	2872	WScript.exe	87
PID 2872 wrote to memory of 4960	2872	WScript.exe	87
PID 4960 wrote to memory of 5076	4960	svchcst.exe	88
PID 4960 wrote to memory of 5076	4960	svchcst.exe	88
PID 4960 wrote to memory of 5076	4960	svchcst.exe	88
PID 4960 wrote to memory of 3240	4960	svchcst.exe	89
PID 4960 wrote to memory of 3240	4960	svchcst.exe	89
PID 4960 wrote to memory of 3240	4960	svchcst.exe	89
PID 5076 wrote to memory of 2308	5076	WScript.exe	90
PID 5076 wrote to memory of 2308	5076	WScript.exe	90
PID 5076 wrote to memory of 2308	5076	WScript.exe	90
PID 3240 wrote to memory of 5084	3240	WScript.exe	91
PID 3240 wrote to memory of 5084	3240	WScript.exe	91
PID 3240 wrote to memory of 5084	3240	WScript.exe	91

C:\Users\Admin\AppData\Local\Temp\10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe
"C:\Users\Admin\AppData\Local\Temp\10dd8d762646fecd93952c98a73008d289461f869cb192dbbd7174055e96085d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2308
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3240
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2551ae733b39ac9061a9d5ebd2f29d98

SHA1
08247d27dd5bf959db0b29d3e5b0551dc47c9d02

SHA256
c69ee4a632cc1c351d5fa930d42546923a4125e7d9cbccb2ad9f9e3318be2b77

SHA512
a1c669cb87194c2b496a7131f7f2920b6c31156f88d6c1140e79f3b83fbca3785cd57fea2d47cb951ed576e69a1240e81746a5bc5444e65fd05fa5234125731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
00dfc9008adff3b157aabdc9907e0bee

SHA1
25e4a086cec8ffbab897cabb7ca241bfa0d76115

SHA256
1862589976f16dced719f20e432010220df60b9cabf41ed5f91966b7f07980c4

SHA512
846ed892794705b895d1889f93043010eef7b8ab9a8289e5a32991f1678d3de3e8820b3be3caffe0fb3d7ebbe2903b13a2ec04e050ba17d23f2a5550ab6c518c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a0170d3fa91bda68874227c3989f89a2

SHA1
255bb09119001b9d6c55ec6f777f97fcd0154993

SHA256
25ea22c0bb075519497d4b0d312f03bb092b3974f966d73fbbf93516dad81323

SHA512
3a2b23d736f74ccc80b66d5934badf122ef2d6fa67960c098a125a7e26e23aed525b3f2f2dd484afea7b5224b3d15898180b6c61581febc5c1638fffb9935291

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
23bf44e85871db5f6b947b7b3af8debb

SHA1
7619cea593620b609161156cdbce43807a81582c

SHA256
1f6f7c8a15974f43651c837cea849df27e6a4626f01261fd16d23e726fcc4831

SHA512
05f79c87bef29019d5408221d8fbd2ca0b8a18ed4795e0ec4fa2095d416e74fded4e18b9b7a61c36892a838079868c7fd9a26914fe716ac3de4f05d29e4f7976

Download Submit
memory/3668-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download