4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 21:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe
Size

1.1MB
MD5

21432c3fbcfb2f0c768d7b76fbccf493
SHA1

909112c1451c37749113e53e615870ed310e0116
SHA256

4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa
SHA512

88ee9de7e05be59739119e3b96b5d79f271ae61029eaf69355987d9653b27fddf375c14bd5653113940114a1a8ccea40dd00df0f4be9277d6907d81a6d4254a5
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q5:acallSllG4ZM7QzMa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1660	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
1660	svchcst.exe
5024	svchcst.exe
3736	svchcst.exe
2028	svchcst.exe
4604	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe
2540	4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2540	4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2540	4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe
2540	4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe
1660	svchcst.exe
1660	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
3736	svchcst.exe
3736	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
4604	svchcst.exe
4604	svchcst.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 4680	2540	4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe	81
PID 2540 wrote to memory of 4680	2540	4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe	81
PID 2540 wrote to memory of 4680	2540	4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe	81
PID 4680 wrote to memory of 1660	4680	WScript.exe	87
PID 4680 wrote to memory of 1660	4680	WScript.exe	87
PID 4680 wrote to memory of 1660	4680	WScript.exe	87
PID 1660 wrote to memory of 208	1660	svchcst.exe	90
PID 1660 wrote to memory of 208	1660	svchcst.exe	90
PID 1660 wrote to memory of 208	1660	svchcst.exe	90
PID 208 wrote to memory of 5024	208	WScript.exe	91
PID 208 wrote to memory of 5024	208	WScript.exe	91
PID 208 wrote to memory of 5024	208	WScript.exe	91
PID 5024 wrote to memory of 2924	5024	svchcst.exe	92
PID 5024 wrote to memory of 2924	5024	svchcst.exe	92
PID 5024 wrote to memory of 2924	5024	svchcst.exe	92
PID 5024 wrote to memory of 3540	5024	svchcst.exe	93
PID 5024 wrote to memory of 3540	5024	svchcst.exe	93
PID 5024 wrote to memory of 3540	5024	svchcst.exe	93
PID 3540 wrote to memory of 3736	3540	WScript.exe	94
PID 3540 wrote to memory of 3736	3540	WScript.exe	94
PID 3540 wrote to memory of 3736	3540	WScript.exe	94
PID 3736 wrote to memory of 820	3736	svchcst.exe	95
PID 3736 wrote to memory of 820	3736	svchcst.exe	95
PID 3736 wrote to memory of 820	3736	svchcst.exe	95
PID 3736 wrote to memory of 4768	3736	svchcst.exe	96
PID 3736 wrote to memory of 4768	3736	svchcst.exe	96
PID 3736 wrote to memory of 4768	3736	svchcst.exe	96
PID 4768 wrote to memory of 2028	4768	WScript.exe	98
PID 4768 wrote to memory of 2028	4768	WScript.exe	98
PID 4768 wrote to memory of 2028	4768	WScript.exe	98
PID 820 wrote to memory of 4604	820	WScript.exe	97
PID 820 wrote to memory of 4604	820	WScript.exe	97
PID 820 wrote to memory of 4604	820	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe
"C:\Users\Admin\AppData\Local\Temp\4efa9830ff0d6e6ca462e8e42424a49e86507437980132be7b49a3fb41179afa.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        
        PID:2924
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
2f90d53c00216243ee4bc5adc36fa8de

SHA1
9f975bebe645b3765d757781f47de8f52768e8ea

SHA256
0dfde1448088682b6f7c4a9f0c8078f63da8d8f478136d8ddfef434ef842a0b6

SHA512
1d7b6bff535ad9f70badfab32b46701067902fd7646abb5b01126cd7fea2e66420b05c52e7395d4fe2163f46e4b08acbcf562d7f1298fabd4517a3b31f26e1d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dcda7be7bee467e770890045f8b7ae2a

SHA1
c2d1c9669b5115473dd2fcb27bb76aed83afdcd1

SHA256
5818c70269cba768813218e1a65265488b4c36ebee593535af98a52bf1eeed33

SHA512
5a69286101d6a3f52a919910584f2618e2e7adcf8b77806b5e4ecd8b881a86693df968818cec771b93b50d05849e165da0d66c5cfb121297f56cf7bef804a408

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3436c1c6420b4dd3e950884257e8b45d

SHA1
4889f8460c4c1b1fc3f357a03df6ca7fac272fbf

SHA256
88d11bc6a0ed417ee8dbbc8ec0894c9b616480afec00a30256ca41150aab17b8

SHA512
7960190b3738a018b0c04804e673662b6227bc397fa6a6ca2b1b1041ed7403f4dbe80f7aa6d63484f1f49c98361f27dd425b95b4c6fafedafb5f1e864b3adeb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
edbb8b1e08b09f272b892d7609c97843

SHA1
ae0c43b283081c2f2f6dacb953deb327393fea13

SHA256
368aa7e686e822afc2cf80d58c9b78bcf5e2990f2465b1c65cf2baa451b54eb3

SHA512
2af09f75c6a55c2be9fd3eba4c15a68def9f31bd3e3fb4adf7abfaada4a65e5f3eb8ab7e63e2563efa1a4dc6b7cc88916e60f55c3e3eef0550484cdb0a7249bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f7f54f2326d0c761a1dc666b9a9a68b3

SHA1
fdff4fb1a5ed434e82c89776ca8dc0f939d3232c

SHA256
617439afc4c2c58f2753bcf05739b231b1f322147a778889bb69e0b3aba4a2f7

SHA512
0e8194c3ed61f2fc91001c888df2bcaf921f3e4336c176ca8175e0d6fdf81fe914b0c9a15072333d0cd8ec476a140ec4588ca3704c1535f71a25ae9556b1d916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e0afba2907719e556d07860d1eb7e34a

SHA1
77869115c0e9f7a902d4d3c9e7814ef8e05fa402

SHA256
7bb90456bc04bf58ea02bf2893168089966296d50260520e1d54fd2ef49ca9bf

SHA512
b9c36263a4f0951a3b29df5ab8c0ce731ffb9ec97dbf8c3c2fac56ce7e1270551c0edb07806bef01ea25c306c1392fc37c9313245e97d35d326dbfcce9708546

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6022a93d9ccb8618d6b6022218e30b82

SHA1
10dca3b6455201403ecdee0b829bddf8af85acd0

SHA256
cdba2f0e6cc7a5ebdfc7ef307022522372a426e209153858cf5995adf259b531

SHA512
e79dab3093ac6b656781e7bab320ba62683dd2cf1596387066d042d81282b3ffa26babb9fefc1d078c00cb22df40ba6e73bb4b4a6e4b47b15e59493898d33639

Download Submit
memory/1660-13-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3736-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4604-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4604-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5024-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5024-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download