14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
Size

1.1MB
MD5

bcdc520d26dd15f178b19372f9d01427
SHA1

f2e2b05595b4c9b9adc2ac82e4a2ce4f8023dffc
SHA256

14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff
SHA512

606cbce3a6f2764f1bebe246d4715151f68deede066eed2e587cda20b28137d1553135bfa9a83b4df2ad18dbddcdf13ffddef77a782358a3c801b6589fced34a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qe:CcaClSFlG4ZM7QzMF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3016	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3016	svchcst.exe
1900	svchcst.exe
4844	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1392	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
1392	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1392	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1392	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
1392	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
3016	svchcst.exe
3016	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
4844	svchcst.exe
4844	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 4120	1392	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe	81
PID 1392 wrote to memory of 4120	1392	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe	81
PID 1392 wrote to memory of 4120	1392	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe	81
PID 4120 wrote to memory of 3016	4120	WScript.exe	83
PID 4120 wrote to memory of 3016	4120	WScript.exe	83
PID 4120 wrote to memory of 3016	4120	WScript.exe	83
PID 3016 wrote to memory of 4568	3016	svchcst.exe	84
PID 3016 wrote to memory of 4568	3016	svchcst.exe	84
PID 3016 wrote to memory of 4568	3016	svchcst.exe	84
PID 3016 wrote to memory of 1644	3016	svchcst.exe	85
PID 3016 wrote to memory of 1644	3016	svchcst.exe	85
PID 3016 wrote to memory of 1644	3016	svchcst.exe	85
PID 1644 wrote to memory of 1900	1644	WScript.exe	86
PID 1644 wrote to memory of 1900	1644	WScript.exe	86
PID 1644 wrote to memory of 1900	1644	WScript.exe	86
PID 4568 wrote to memory of 4844	4568	WScript.exe	87
PID 4568 wrote to memory of 4844	4568	WScript.exe	87
PID 4568 wrote to memory of 4844	4568	WScript.exe	87

C:\Users\Admin\AppData\Local\Temp\14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
"C:\Users\Admin\AppData\Local\Temp\14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4844
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4f887c626248a30297714e3dd317379e

SHA1
8c72a37748e0d4dea14a822f081ea58fed61ffcb

SHA256
14a8d05d81d6bad74bb306587bc80f2255860a95c3440fb9d8db90b6eac0264b

SHA512
de550f89b5192a080010d6c7c5ac5d609d6221472ccc35520a0f0b3d7249fecb427a68ad230d0fb28ef968ab461b9f0fdd5e7e8a66449d023e65260f49f3c72b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b46b1afd74a13585e6626feb568bb4a2

SHA1
b780a56f274fadec3adde364b4d100264d06fb95

SHA256
54b0ca87e74e52f23dccea541a635a7abb5c3c0e20dfcefb6cca10f1f713dc5e

SHA512
28b57259cd8e9243382bd3ed2e53ece19c03de134bc3db43924886d581754fdad4770836c4739769951a07604b8e16773156b4947d3291447236579d7ec3ee96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
761d33fa7ec7a3988cdbb58063174d77

SHA1
64b82c14e2772af9c22b80c465ea1987516036ef

SHA256
305b1240b17446ba8e03c4cfe9c9fb7b19ee31a78ce2e5dd2c610d31e5ed3aa2

SHA512
f83adc76a6b1256f031bed73e7a6ce0a8e8065f9e07a0632989c5df0539374fbc6c857ffa17872a83891e1d15810d836415a9d7673551a794168a99c23b0bcf6

Download Submit
memory/1392-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download