9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078

Analysis

max time kernel
78s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
Size

1.1MB
MD5

c199b0b14820088cfa8504558cd976af
SHA1

f3330a553fd08ef040c026b3d31f8461eb266c21
SHA256

9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078
SHA512

8419962434748fd30f4ba0b068502b8df49041b999339cf7abb1ec1947dbcbd399d755c746e20364de72bb9da9dd6f99c6dd65e80fe9597bcb21b0947a925f86
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qc:CcaClSFlG4ZM7QzMb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
3352	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3352	svchcst.exe
1348	svchcst.exe
4956	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3684	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
3684	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3684	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3684	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
3684	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
3352	svchcst.exe
3352	svchcst.exe
1348	svchcst.exe
4956	svchcst.exe
4956	svchcst.exe
1348	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 3164	3684	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe	87
PID 3684 wrote to memory of 3164	3684	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe	87
PID 3684 wrote to memory of 3164	3684	9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe	87
PID 3164 wrote to memory of 3352	3164	WScript.exe	97
PID 3164 wrote to memory of 3352	3164	WScript.exe	97
PID 3164 wrote to memory of 3352	3164	WScript.exe	97
PID 3352 wrote to memory of 3484	3352	svchcst.exe	98
PID 3352 wrote to memory of 3484	3352	svchcst.exe	98
PID 3352 wrote to memory of 3484	3352	svchcst.exe	98
PID 3352 wrote to memory of 4024	3352	svchcst.exe	99
PID 3352 wrote to memory of 4024	3352	svchcst.exe	99
PID 3352 wrote to memory of 4024	3352	svchcst.exe	99
PID 4024 wrote to memory of 1348	4024	WScript.exe	100
PID 4024 wrote to memory of 1348	4024	WScript.exe	100
PID 4024 wrote to memory of 1348	4024	WScript.exe	100
PID 3484 wrote to memory of 4956	3484	WScript.exe	101
PID 3484 wrote to memory of 4956	3484	WScript.exe	101
PID 3484 wrote to memory of 4956	3484	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe
"C:\Users\Admin\AppData\Local\Temp\9162051bb2181a4e6e2422b4725fc676a57c9720e85aae9940087898fa969078.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3484
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4956
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4024
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ea8f3fee5f866d58f03557028c4838f6

SHA1
6d26915dd4a4b127a7579196444cba4eb1910d30

SHA256
52a46a4e65eb681fff98ca6868f1e8456e5e87f409bcea7592c2d2f30dbfe41f

SHA512
c9e6e9f49fd075fd1524ea55a8f43ff7ac892e3c79e1b16c13e4e0af7bdf6091b744020b8fa50764e4a9471072559c26f011deec906ade647a7eaaea64746b35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1e99e2c9876f9b40c12f0f15d6bf5b34

SHA1
af0889c1aa8612c20c5673c26a48d74bb0c842ab

SHA256
691dc608f95a50dd06a077e40eaf68ec376c07bb6477a2a16cb8586d3727d063

SHA512
504df46ee43b807c0b129275fc7076b52760f8f120c18b34b8037df24540eaa568e239a88b5bc2c795ac9dff5c12119e3972f3f9163eea8fb6c9b3718d444707

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7e7aa64a146c41c6d95b2d9ace01fff0

SHA1
879b8c3367da65c23748ce90d7ac817364d4399f

SHA256
8be5c4312d3aa72ffd72bf8f9e5cb629fe2b16138ba67fd276db1e0407fa5d03

SHA512
8b0297a93e6fb98841814a4d97d1ca9d8f1f96707440976fab1ecc00c123a0a961d578da20e32470d323d5b1520c1163d43d786c7ccde8023c5e6d71cdb0de3c

Download Submit
memory/3684-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download