6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768

Analysis

max time kernel
133s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe
Size

1.1MB
MD5

7a19aff8d8b69b542188df05c772d57b
SHA1

2e5ae039a41f378a5097bbae59ea96b5be2455d6
SHA256

6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768
SHA512

b7e6fa29a3109140e663e7033f2ca03840b80dfff532cc82266df410c600120d61d833d87c63ce82957e7b8ed0b64aef9222d56341ef8940ef365a41518c2808
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qe:CcaClSFlG4ZM7QzMV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
1628	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1628	svchcst.exe
1624	svchcst.exe
3368	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe
2652	6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2652	6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2652	6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe
2652	6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe
1628	svchcst.exe
1628	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
3368	svchcst.exe
3368	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2392	2652	6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe	82
PID 2652 wrote to memory of 2392	2652	6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe	82
PID 2652 wrote to memory of 2392	2652	6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe	82
PID 2392 wrote to memory of 1628	2392	WScript.exe	90
PID 2392 wrote to memory of 1628	2392	WScript.exe	90
PID 2392 wrote to memory of 1628	2392	WScript.exe	90
PID 1628 wrote to memory of 3884	1628	svchcst.exe	92
PID 1628 wrote to memory of 3884	1628	svchcst.exe	92
PID 1628 wrote to memory of 3884	1628	svchcst.exe	92
PID 1628 wrote to memory of 4436	1628	svchcst.exe	93
PID 1628 wrote to memory of 4436	1628	svchcst.exe	93
PID 1628 wrote to memory of 4436	1628	svchcst.exe	93
PID 4436 wrote to memory of 1624	4436	WScript.exe	96
PID 4436 wrote to memory of 1624	4436	WScript.exe	96
PID 4436 wrote to memory of 1624	4436	WScript.exe	96
PID 3884 wrote to memory of 3368	3884	WScript.exe	97
PID 3884 wrote to memory of 3368	3884	WScript.exe	97
PID 3884 wrote to memory of 3368	3884	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe
"C:\Users\Admin\AppData\Local\Temp\6ec8acd5186c2be4227d4d2fd9021b30b5712fbf165ea3746f4943dfc9db7768.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3368
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e9f8cc8922b9ecbefe1d8e621597a32b

SHA1
390310e1d6d64e069bf061706e6b594be861aa69

SHA256
f378b371b0912f593b3cd15dd97d756d73a77bef02a982f2973e32259599e9cf

SHA512
e8ab949aecc499faa0725b5bfeff6a285e7ea12aa162a7c9f32b53a62fa0491019130243be81c2157347bf4ef261f9257982d5e84cfd232ec35054ad3b2691a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b30db1c5990bac248ef1ccf9326cae9d

SHA1
6cd9b4d18eae857f3396520544d223615a1536dd

SHA256
23935539d5b681a4e3b0908013751d0c1ff9ab2a9818386ac197918620653d74

SHA512
03061e91745f1f3549d5b8d52c232c55b94dde26463fdb5060af324f24792cbf69c25e51e6e8bf32caef4e8fd793e82db9f3acb67f86c6cbaaf77d941500d703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8f1db33309264999b39bd01679733259

SHA1
7430212ece143b7b1c36033ca50a725d53c9ea6f

SHA256
8970c437009242d75ce33586569c0f9a20c8118b313853d4fd76a63bd8fd66e5

SHA512
7058fe16d6ae1386990bb103c7a46829da718657fcf5b85819afdb618bb15bae08666b21b200a9bb0384509b8ebe516f3f233e26a9f79162782b0f686c8391ea

Download Submit
memory/2652-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download