7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
Size

1.1MB
MD5

5570fb65520eddfa055e943a15d87ecb
SHA1

941e5fa94731c15061c94bb4358f4e1764ae78c2
SHA256

7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9
SHA512

2273807d64eda4487dfe34cad39ef1357f8463417e8ff20250235f028e118814c71bfc04f556a14c0c12726ddfdc32f35d1945d4ecccc2945ad1c97c761565c8
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q+:acallSllG4ZM7QzM1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2636	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2636	svchcst.exe
756	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
2636	svchcst.exe
2636	svchcst.exe
756	svchcst.exe
756	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 2064	3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe	81
PID 3660 wrote to memory of 2064	3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe	81
PID 3660 wrote to memory of 2064	3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe	81
PID 3660 wrote to memory of 904	3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe	82
PID 3660 wrote to memory of 904	3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe	82
PID 3660 wrote to memory of 904	3660	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe	82
PID 2064 wrote to memory of 2636	2064	WScript.exe	84
PID 2064 wrote to memory of 2636	2064	WScript.exe	84
PID 2064 wrote to memory of 2636	2064	WScript.exe	84
PID 904 wrote to memory of 756	904	WScript.exe	85
PID 904 wrote to memory of 756	904	WScript.exe	85
PID 904 wrote to memory of 756	904	WScript.exe	85

C:\Users\Admin\AppData\Local\Temp\7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
"C:\Users\Admin\AppData\Local\Temp\7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2636
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5bcf7329e0241787a6c527ef454b54ad

SHA1
b9fbd8b3d139a1f74c1efbf54981a32504059d94

SHA256
2aa2edaeeb91516caf9f74f64e5e4abf30e384bdaa5e6b423c5d2578e0ad9d08

SHA512
eeb7c58c915b535b410cabe3915b4ea39631f4cf5907859f39ec9642ace6a0cd10e8e56e7076c4c471111d0314a3d325216a50f9f83ce5dcb41919af334cf531

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bfe03c5cff2cfa534ccc08db83b2cd58

SHA1
6b2e0b58cab4657d0900e4c6a7d933cd50540367

SHA256
705e336866bfe652561a8169badf345d957c8aad5ecfbf1068c4073ffb7a4dea

SHA512
deea75590cf0c8f50ea3b52ce13d1d930ea7880887414e84f133d9e7af1add8849fe9343f11c6ce31dda50b287bb004b50b737b562d3fa111483f8b7badf9778

Download Submit
memory/756-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/756-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3660-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3660-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download