9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
Size

1.1MB
MD5

c199b0b14820088cfa8504558cd976af
SHA1

f3330a553fd08ef040c026b3d31f8461eb266c21
SHA256

9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078
SHA512

8419962434748fd30f4ba0b068502b8df49041b999339cf7abb1ec1947dbcbd399d755c746e20364de72bb9da9dd6f99c6dd65e80fe9597bcb21b0947a925f86
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qc:CcaClSFlG4ZM7QzMb

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2564	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
2540	svchcst.exe
2564	svchcst.exe
1932	svchcst.exe
2848	svchcst.exe

Loads dropped DLL 8 IoCs

pid	Process
2724	WScript.exe
2728	WScript.exe
2724	WScript.exe
2728	WScript.exe
568	WScript.exe
568	WScript.exe
2728	WScript.exe
2728	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2540	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
2564	svchcst.exe
2564	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2724	2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe	28
PID 2448 wrote to memory of 2724	2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe	28
PID 2448 wrote to memory of 2724	2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe	28
PID 2448 wrote to memory of 2724	2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe	28
PID 2448 wrote to memory of 2728	2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe	29
PID 2448 wrote to memory of 2728	2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe	29
PID 2448 wrote to memory of 2728	2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe	29
PID 2448 wrote to memory of 2728	2448	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe	29
PID 2724 wrote to memory of 2540	2724	WScript.exe	31
PID 2724 wrote to memory of 2540	2724	WScript.exe	31
PID 2724 wrote to memory of 2540	2724	WScript.exe	31
PID 2724 wrote to memory of 2540	2724	WScript.exe	31
PID 2728 wrote to memory of 2564	2728	WScript.exe	32
PID 2728 wrote to memory of 2564	2728	WScript.exe	32
PID 2728 wrote to memory of 2564	2728	WScript.exe	32
PID 2728 wrote to memory of 2564	2728	WScript.exe	32
PID 2540 wrote to memory of 568	2540	svchcst.exe	33
PID 2540 wrote to memory of 568	2540	svchcst.exe	33
PID 2540 wrote to memory of 568	2540	svchcst.exe	33
PID 2540 wrote to memory of 568	2540	svchcst.exe	33
PID 568 wrote to memory of 1932	568	WScript.exe	34
PID 568 wrote to memory of 1932	568	WScript.exe	34
PID 568 wrote to memory of 1932	568	WScript.exe	34
PID 568 wrote to memory of 1932	568	WScript.exe	34
PID 2728 wrote to memory of 2848	2728	WScript.exe	35
PID 2728 wrote to memory of 2848	2728	WScript.exe	35
PID 2728 wrote to memory of 2848	2728	WScript.exe	35
PID 2728 wrote to memory of 2848	2728	WScript.exe	35

C:\Users\Admin\AppData\Local\Temp\9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
"C:\Users\Admin\AppData\Local\Temp\9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2564
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
fed927edd9650a13aa4766a96362ee6c

SHA1
44d374491282f61ed9dbc97942e672630300fc8e

SHA256
dd010778ce69d5d858f467e0f22b15daa4b28fb5dc59c385dcb2c338420aa9e7

SHA512
76a24112bb7ae44372d7e0f7ff86f75282daae8d67adb864d3fef235c0621babe7c9dd305577fe5c745f52d2fec0221dcbd94df27105d839fff9ffa8372cbf67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e6f49583603b4d210ba14b54c8d01664

SHA1
22ac5e4ad8558c178a0b3346a10a258c688aaaa2

SHA256
e7d869fb04357e03c8079832dde564d288afe0b21546366276bb4ddf9a1ab722

SHA512
0b139f05256bc5f4439f56ae1cc014dac20090a929a726139b587e552416247a98fd2803046983af89210a86e57bbafcac554e3da91416679dc6bfe0277d8c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ec891f6a37003b9cfe5b27e1a4b71f90

SHA1
521b42b53ebdfed377bfcbdecb061653592399b4

SHA256
900e65e4353e1f3552ad15a67bf01a4fdde3280eeba3b90c69321cc4a9faf497

SHA512
3e192f0f5347c03acc613aaafae28f8817fc2a03ae32b3c1b1ceac17c08d18225f12583cb2985f8327c94548b33870e133ced0925c101feea3b77c38916cd510

Download Submit
memory/2448-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download