83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9

Analysis

max time kernel
62s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
Size

1.1MB
MD5

d253038d4f59d64de1eb0e2fe7f57e0a
SHA1

2dbbf7f4e88c221263600ae9483430b975c71e20
SHA256

83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9
SHA512

6cc5573ba84d219e1dc129aad483bd4430c0a4119fa83b0f952baa2da2bac7158882e7edf579ce957fb9c4fee83f1124ffc9488266d2de880c19864bb0047b40
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q7:acallSllG4ZM7QzMc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
676	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
676	svchcst.exe
376	svchcst.exe
4936	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1168	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
1168	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe
676	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1168	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1168	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
1168	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
676	svchcst.exe
676	svchcst.exe
376	svchcst.exe
376	svchcst.exe
4936	svchcst.exe
4936	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3044	1168	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe	83
PID 1168 wrote to memory of 3044	1168	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe	83
PID 1168 wrote to memory of 3044	1168	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe	83
PID 3044 wrote to memory of 676	3044	WScript.exe	88
PID 3044 wrote to memory of 676	3044	WScript.exe	88
PID 3044 wrote to memory of 676	3044	WScript.exe	88
PID 676 wrote to memory of 3720	676	svchcst.exe	89
PID 676 wrote to memory of 3720	676	svchcst.exe	89
PID 676 wrote to memory of 3720	676	svchcst.exe	89
PID 676 wrote to memory of 3920	676	svchcst.exe	90
PID 676 wrote to memory of 3920	676	svchcst.exe	90
PID 676 wrote to memory of 3920	676	svchcst.exe	90
PID 3720 wrote to memory of 376	3720	WScript.exe	91
PID 3720 wrote to memory of 376	3720	WScript.exe	91
PID 3720 wrote to memory of 376	3720	WScript.exe	91
PID 3920 wrote to memory of 4936	3920	WScript.exe	92
PID 3920 wrote to memory of 4936	3920	WScript.exe	92
PID 3920 wrote to memory of 4936	3920	WScript.exe	92

C:\Users\Admin\AppData\Local\Temp\83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
"C:\Users\Admin\AppData\Local\Temp\83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3720
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:376
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3920
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f080eefd41c0fca1c404d5133fb5c957

SHA1
bef3f9c014eca7cf4dc001f3d85befd3681d4bcc

SHA256
758f74e1aa31de598fbf37f70ffd76f936c0b5dd2227b17c0d8e9ac4506f3aaf

SHA512
e2066e4082f51d4064bfd68eff48c97c481bbb524bb0fa2da0b5ae25bda730811d2933480a72d91a8e5c10ac794f0e793fb8323892332eb9b7c43890ee25c4d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5c624616a9a84ce287b1b79b88c540eb

SHA1
04087e75988e5954fd433cda5d5ae06ae6b54f53

SHA256
070d3a41dde614d68ab13935533886f408a4f8228362bfd5b00268fb80a3a8c5

SHA512
2191af88e6a36a880dc90932626cdeebe04d779f05b4e627e8d7bd85cb821906688242348b3bcce12653e571632bc1fb17127bd808323892a2c9e02f0e6fff82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e78a62198fbee7b8d0a75558f4784446

SHA1
ad45d4af10b0562147f93446410fad27ff3918e5

SHA256
a6018984da64c75b7366cadb5bfd10fb399e1576d0e233c51d9b01519cac924d

SHA512
32937f6017ee92fb049dfe0b76655f48e979798f28b5c55f49e3235bff8ffa9c24cc45547d44249f716ac3c0974f3a6d89e51323d9ee8dea80029b1456d44c7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d2d57cfa1f9553c2e772fa02b5b34ef9

SHA1
74e80a832bf76484282a0faa503ad597bd45ad21

SHA256
9c308c24c0f5e74cb52817833c880aa9e365e8d91767f2d77723932750e0b497

SHA512
2ece85dc915b471cc197336260b637b561bc8de28961f86e618af30582d1efb6a20393c7b5e318f023ab00a1705245997dafba475df234e60aeeba8286b4d0e6

Download Submit
memory/376-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/676-13-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/676-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1168-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1168-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4936-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download