ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe
Size

1.1MB
MD5

f77e86be41366b2ea0b5acafd9e86719
SHA1

cf9ca11f07a1e3c18d2bb78a88c425fa1d006eac
SHA256

ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5
SHA512

75a051a7093f2c2e5046cb04beb6acd4e6b2bc1b4ae49c9395e34d266391d3422235d8a2f898d19528a1fb65f89090516d8a356c56300d4b378af82df05c2006
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qs:CcaClSFlG4ZM7QzML

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe

Deletes itself 1 IoCs

pid	Process
4176	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4176	svchcst.exe
4404	svchcst.exe
5104	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4764	ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe
4764	ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4764	ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4764	ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe
4764	ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe
4176	svchcst.exe
4176	svchcst.exe
4404	svchcst.exe
4404	svchcst.exe
5104	svchcst.exe
5104	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4088	4764	ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe	80
PID 4764 wrote to memory of 4088	4764	ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe	80
PID 4764 wrote to memory of 4088	4764	ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe	80
PID 4088 wrote to memory of 4176	4088	WScript.exe	82
PID 4088 wrote to memory of 4176	4088	WScript.exe	82
PID 4088 wrote to memory of 4176	4088	WScript.exe	82
PID 4176 wrote to memory of 1468	4176	svchcst.exe	83
PID 4176 wrote to memory of 1468	4176	svchcst.exe	83
PID 4176 wrote to memory of 1468	4176	svchcst.exe	83
PID 4176 wrote to memory of 1212	4176	svchcst.exe	84
PID 4176 wrote to memory of 1212	4176	svchcst.exe	84
PID 4176 wrote to memory of 1212	4176	svchcst.exe	84
PID 1468 wrote to memory of 4404	1468	WScript.exe	85
PID 1468 wrote to memory of 4404	1468	WScript.exe	85
PID 1468 wrote to memory of 4404	1468	WScript.exe	85
PID 1212 wrote to memory of 5104	1212	WScript.exe	86
PID 1212 wrote to memory of 5104	1212	WScript.exe	86
PID 1212 wrote to memory of 5104	1212	WScript.exe	86

C:\Users\Admin\AppData\Local\Temp\ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe
"C:\Users\Admin\AppData\Local\Temp\ae5d49698b44c159986c2475d64f52b3f9253a630748147a54113a458a1b82a5.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4404
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
95c6244c81dacd9fcbea460a3d6c4d1e

SHA1
0c4c6e103c6bccb8561f5a5626ce145bc77b4e95

SHA256
78223c4730a0b435b34437eb0b18fec41ff5cf6f7746fd3e48d2b880d08bebb8

SHA512
d16edb22f8eaa835849c6ddf8acbf5fa7f55291728ea8d183299cb0252914f868c5f6c2b92d1ed8d65bd17a776eb5c200cd81833c4545afe3033bd1fa4aed1af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c05c8e0ed053d6bdb693f913d85f6fd

SHA1
3473ea4624032151a8e3790ff08b2c1eb30e4451

SHA256
8664405fb4cec58bc62d529c7d5f57cb1463ace9c826e854293e38094f5cfb19

SHA512
d579e683184554319895015eba7d1624ceab655707a793a01c7d1a3ce95fbbf43a832d3bdecbcf7685475a13e9321e155ebcffa4b6d45ffabe2f8ed316fc47f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
38680e7909ad30027b26034e40ef3067

SHA1
e2fede83aba43f5c404a10812c36110830de5905

SHA256
9a53f709244b98d9b9c2068997e1fd866a7a894a035fea827c654bd6174ef4c7

SHA512
fad69ba9598045222cb9186ca73a0e778b9103e79ef22f748c92983a5d64140cc9babeaef3d1cbbb09adaea1224abcb5b63b0c9702172d27122243f434150d09

Download Submit
memory/4764-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download