Analysis

  • max time kernel
    79s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-06-2024 21:18

General

  • Target

    7f9c2e3d6afbb444ec59f46a211e845ae2f2408e36b7eb22b67bd03126683ccf.exe

  • Size

    1.1MB

  • MD5

    b9b066dfccbed40eec3c847b21ec3608

  • SHA1

    b9aa6c81e0188f375c6fe69c88730ef44af8e065

  • SHA256

    7f9c2e3d6afbb444ec59f46a211e845ae2f2408e36b7eb22b67bd03126683ccf

  • SHA512

    10da824cc5e1089b99af9c1f7a07e83d1bff92bac9169f6116fbcb19da618141fe6d72e161fbd58989652953189d413fd559a73ce6bee4a683a0677870845723

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qj:CcaClSFlG4ZM7QzMk

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f9c2e3d6afbb444ec59f46a211e845ae2f2408e36b7eb22b67bd03126683ccf.exe
    "C:\Users\Admin\AppData\Local\Temp\7f9c2e3d6afbb444ec59f46a211e845ae2f2408e36b7eb22b67bd03126683ccf.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1288
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3352
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3908
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2868
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4124
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4852
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:844
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
            PID:2912

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

      Filesize

      92B

      MD5

      67b9b3e2ded7086f393ebbc36c5e7bca

      SHA1

      e6299d0450b9a92a18cc23b5704a2b475652c790

      SHA256

      44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

      SHA512

      826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

    • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

      Filesize

      753B

      MD5

      bf7d4f335674c2c5374fb21a77bc67d7

      SHA1

      946534dce8af678f3b730413ad5223afb5c21a16

      SHA256

      1be8ac2ae1ce4e9c0bc34a78ae48ff462ea1defdd94ae92d19b4505861d86c89

      SHA512

      ef99fb88885d784b2a2310e11d38c4036e530ac932b30b165f0e6e45e7f04eccdeb9ef7838cb7868386906f28a85de84da31210617466b3c2401eea6f0921cc4

    • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

      Filesize

      696B

      MD5

      f76c7cf504b872903a1325a57e8baaf9

      SHA1

      896ac9d8338b41c7673781f07915612c538c385f

      SHA256

      46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

      SHA512

      59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

    • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

      Filesize

      696B

      MD5

      ad7007ed9542468662553e405df66821

      SHA1

      757c5ee287a113d689f2d370176fcf9c9e1223a3

      SHA256

      12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

      SHA512

      812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

      Filesize

      1.1MB

      MD5

      f2c141135928539ad1d5395b39eef068

      SHA1

      88b045e7a08acab5c5b81b13c38f5591641eab43

      SHA256

      48ce3d4118db62504d9ce1fe1b41f9d1de03015d4bcd960d70ad7a25ac2ce5a4

      SHA512

      1dab01a7444d3d479d296604efce99158438a55d02c61af767ad2c700f37417a22cdbec8c06dbdd62ff0b781f3876fa12bf0de8d73356aec5b7442d3cd08ebd0

    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

      Filesize

      1.1MB

      MD5

      af3e40f73dd90af5dc1d52e5549d135c

      SHA1

      a2aba32812adf8c26c556580c9cb662ad98129f6

      SHA256

      a32f12d7d6501816b9f5757d0ce0773363935a19439da700491cad997aefadf4

      SHA512

      9f6dbed8074fab3d67f2a7b7f40aa8bd721ae2f829f06cca928e4e0b269c174dd30673aff76c0f43c0e6ab076ccb1e42950e617f4b55ed4311f0ce023043ec09

    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

      Filesize

      1.1MB

      MD5

      6ff553b23a413b9cf843d5a31e8a9a9d

      SHA1

      dcb84a2d6e70a450774f338e2be4ad5ce35ea6e6

      SHA256

      2bf3ba9f3c6f5288fff18074865a09d896d0b7a3cd475b51008086fd1f21e1fc

      SHA512

      b2a8e54c57f8abac262115686b79e3070d87e82c8bacafb851e7ba785b30cacee36c19113118068f0ddfb6a72f5fd0d9d99ac353569d9bb9a80e3a2607c1b57d

    • memory/4864-8-0x0000000000400000-0x0000000000551000-memory.dmp

      Filesize

      1.3MB