50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 22:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
Size

1.1MB
MD5

738d9e5631033af637e852858158f9d2
SHA1

9909851854f07f373021f94eeb5be7e9d71d4020
SHA256

50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81
SHA512

e93143f571f489d16589b30d1598e9c9bba3d6a4f38b4202153939208a15521c0678e47df44503461b7797eb9a0fbffce2c72587a7f6acdd1f8eb5153d58fc4e
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qc:acallSllG4ZM7QzMr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
392	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
392	svchcst.exe
2584	svchcst.exe
3604	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4640	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
4640	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe
392	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4640	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4640	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
4640	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
392	svchcst.exe
392	svchcst.exe
2584	svchcst.exe
3604	svchcst.exe
2584	svchcst.exe
3604	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 1644	4640	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe	83
PID 4640 wrote to memory of 1644	4640	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe	83
PID 4640 wrote to memory of 1644	4640	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe	83
PID 1644 wrote to memory of 392	1644	WScript.exe	88
PID 1644 wrote to memory of 392	1644	WScript.exe	88
PID 1644 wrote to memory of 392	1644	WScript.exe	88
PID 392 wrote to memory of 4500	392	svchcst.exe	89
PID 392 wrote to memory of 4500	392	svchcst.exe	89
PID 392 wrote to memory of 4500	392	svchcst.exe	89
PID 392 wrote to memory of 4608	392	svchcst.exe	90
PID 392 wrote to memory of 4608	392	svchcst.exe	90
PID 392 wrote to memory of 4608	392	svchcst.exe	90
PID 4500 wrote to memory of 2584	4500	WScript.exe	91
PID 4500 wrote to memory of 2584	4500	WScript.exe	91
PID 4500 wrote to memory of 2584	4500	WScript.exe	91
PID 4608 wrote to memory of 3604	4608	WScript.exe	92
PID 4608 wrote to memory of 3604	4608	WScript.exe	92
PID 4608 wrote to memory of 3604	4608	WScript.exe	92

C:\Users\Admin\AppData\Local\Temp\50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
"C:\Users\Admin\AppData\Local\Temp\50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2584
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ace9e745f19d234c914c7b36fb9c97b1

SHA1
061715dca0f4723f8a88a85d6016eb67afcc1269

SHA256
ab84523ae45bcb1bfd17c29cac2bca41dda62f7eb2627e55affd2ffa0d09c842

SHA512
dda3b5c3c3eaf22344ca9b37a4515464d08df3ff71cac79999b2e58763bfe87eb12059fae1fd5b49d751fac82cc1f3ad24ba77cf40c39065998e53bce28c3786

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fe194176d404fd4c54502485d03a3619

SHA1
2f7aa1ea1c669bd4844e5d6e6f6b241c1688ed4f

SHA256
fd8d1fc0cbf62ba0067dbd1072ae903fc6a93c38bf0a267d83a744c31dcafa6c

SHA512
7cc756010e45c400b23e2dbe966f3ced360bb6203380bf99c7f705095533a2af2f9825faf496c31d7f2b6569cbd9dd22128c136ec71bb2cbbbab7cd2d3567bae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bca60b02c40816506e1d9677f1d9ee19

SHA1
e04cbd84a91cb074b74efec38b502a9dcd613afb

SHA256
12794b4cdfd800b550ed2ab12a11a60ca0b0e7e30d772b5513f966267c3e6341

SHA512
9aeb591f815cee0466aaedaa256be0394e40e84f6c42c759ce4be7338a65fd84b5fc7757e8eafc955f11a685243c2f3ee2e1705561036c9590b88c564c12ed22

Download Submit
memory/392-13-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/392-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2584-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3604-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3604-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4640-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4640-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download