2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe
Size

1.1MB
MD5

a1fac83237026fc981996f97b9fb6512
SHA1

7f2d3e2ad72a4e950010d510eebb1454f62035fd
SHA256

2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b
SHA512

8a0f041c6d3d1a554b391909464c4411f7ac0ad359a86d2ac2394db45cfcf97d9cfbb90060cd691a4609b31117fe23ae26b1ba913c2b76d3e2832b7f0ed8f7f7
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2164	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2164	svchcst.exe
3836	svchcst.exe
3276	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe
1764	2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1764	2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1764	2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe
1764	2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe
2164	svchcst.exe
2164	svchcst.exe
3836	svchcst.exe
3836	svchcst.exe
3276	svchcst.exe
3276	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 400	1764	2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe	82
PID 1764 wrote to memory of 400	1764	2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe	82
PID 1764 wrote to memory of 400	1764	2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe	82
PID 400 wrote to memory of 2164	400	WScript.exe	87
PID 400 wrote to memory of 2164	400	WScript.exe	87
PID 400 wrote to memory of 2164	400	WScript.exe	87
PID 2164 wrote to memory of 4996	2164	svchcst.exe	88
PID 2164 wrote to memory of 4996	2164	svchcst.exe	88
PID 2164 wrote to memory of 4996	2164	svchcst.exe	88
PID 2164 wrote to memory of 1388	2164	svchcst.exe	89
PID 2164 wrote to memory of 1388	2164	svchcst.exe	89
PID 2164 wrote to memory of 1388	2164	svchcst.exe	89
PID 4996 wrote to memory of 3836	4996	WScript.exe	90
PID 4996 wrote to memory of 3836	4996	WScript.exe	90
PID 4996 wrote to memory of 3836	4996	WScript.exe	90
PID 1388 wrote to memory of 3276	1388	WScript.exe	91
PID 1388 wrote to memory of 3276	1388	WScript.exe	91
PID 1388 wrote to memory of 3276	1388	WScript.exe	91

C:\Users\Admin\AppData\Local\Temp\2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe
"C:\Users\Admin\AppData\Local\Temp\2e36e98aa13f358bd07f144c1bb944a5b6c964ba84f19a8df11ac4cc9d31662b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3836
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
43e8aaccfd00d31345a6574616228c39

SHA1
6b45bbfb93a1f522b1b2218bd2c7846b790a34d4

SHA256
b173dde5ba455041e4fea63a43b4f8a8ac6b99ec4f8465492a15d4017c57811b

SHA512
45b3222c069eaf7e15ad2376ecfde22b933e8b9a2fb92aede741012cc576a41bfb599cd8b8c08219c257ff2a14cb89cce62ee7910439663055856b921d0d7b75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0297693238c8d2753940dd61243ddfd8

SHA1
c5e61e727061ecb2475cfd052102d1ec3f837ad8

SHA256
2c553c736dbf82875ba83b712b4d0a0e5b63b0e4089f0882755bbf078c22c0a5

SHA512
042527b1ea8d7e3cc25f8cc72c357e39ef822e78eb9c5802613ff806f9869fff49e63ebd0d8e52754c5a918fd76640dd0bc7a1a1dfd5e82cecfcfcc13c8579cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
22c19f1f8e6198252c3e913009c96be8

SHA1
9c94597557559c400c222c34157dabf8b4fbd87d

SHA256
aafc942f1aa3006b84b997877d3a6024ada7bc02c36500226d2ce6f095aea441

SHA512
c90af0b0e32ba8d204f3f5f035ff43094a504f97e7100e21da3143c6216b7284f5b621535a028373f7234c1ac9c30b42c9e5bdba4012cc49c88c741ddae6fb18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8412aa5c354147ae234e5150440ac561

SHA1
32dd2c80debddf58279b4d3459ca0a01b61a81c2

SHA256
414e113b1f31ab2bad7be6f1857246b81f348624d53293f5fd727880982e3127

SHA512
2fcd11e82c8b68be6026f80c852dbeb77d0a5f6a915299de27a02fd1200cbe1fb20d964d8bf285b6608198148989f30e97ac1c755563a6ee3b4ead1ad64d43f4

Download Submit
memory/1764-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1764-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3276-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3276-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3836-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3836-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download