782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d

Analysis

max time kernel
93s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 21:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe
Size

1.1MB
MD5

887f4714f65f3c4ca5d84fda752feb45
SHA1

998406c28f4988628c2bd3f6ee2eb20dfc506518
SHA256

782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d
SHA512

b505059b898d5d14dcc4b123dbfc97c47d121af3d53965e09ce41d478192f9756cc4ed3d23144266a6a9cef70ec6da4d82169b8df5144c0d31ae8654ab2de050
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q+:CcaClSFlG4ZM7QzMV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe

Deletes itself 1 IoCs

pid	Process
3984	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
3984	svchcst.exe
1960	svchcst.exe
1324	svchcst.exe
2704	svchcst.exe
1564	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe
1792	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe
3984	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1792	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1792	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe
1792	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe
3984	svchcst.exe
3984	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1324	svchcst.exe
1324	svchcst.exe
1564	svchcst.exe
1564	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1280	1792	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe	81
PID 1792 wrote to memory of 1280	1792	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe	81
PID 1792 wrote to memory of 1280	1792	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe	81
PID 1280 wrote to memory of 3984	1280	WScript.exe	87
PID 1280 wrote to memory of 3984	1280	WScript.exe	87
PID 1280 wrote to memory of 3984	1280	WScript.exe	87
PID 3984 wrote to memory of 4992	3984	svchcst.exe	88
PID 3984 wrote to memory of 4992	3984	svchcst.exe	88
PID 3984 wrote to memory of 4992	3984	svchcst.exe	88
PID 3984 wrote to memory of 4040	3984	svchcst.exe	89
PID 3984 wrote to memory of 4040	3984	svchcst.exe	89
PID 3984 wrote to memory of 4040	3984	svchcst.exe	89
PID 4992 wrote to memory of 1960	4992	WScript.exe	92
PID 4992 wrote to memory of 1960	4992	WScript.exe	92
PID 4992 wrote to memory of 1960	4992	WScript.exe	92
PID 1960 wrote to memory of 1696	1960	svchcst.exe	93
PID 1960 wrote to memory of 1696	1960	svchcst.exe	93
PID 1960 wrote to memory of 1696	1960	svchcst.exe	93
PID 1696 wrote to memory of 1324	1696	WScript.exe	94
PID 1696 wrote to memory of 1324	1696	WScript.exe	94
PID 1696 wrote to memory of 1324	1696	WScript.exe	94
PID 1324 wrote to memory of 2696	1324	svchcst.exe	95
PID 1324 wrote to memory of 2696	1324	svchcst.exe	95
PID 1324 wrote to memory of 2696	1324	svchcst.exe	95
PID 1324 wrote to memory of 536	1324	svchcst.exe	96
PID 1324 wrote to memory of 536	1324	svchcst.exe	96
PID 1324 wrote to memory of 536	1324	svchcst.exe	96
PID 2696 wrote to memory of 2704	2696	WScript.exe	98
PID 2696 wrote to memory of 2704	2696	WScript.exe	98
PID 2696 wrote to memory of 2704	2696	WScript.exe	98
PID 536 wrote to memory of 1564	536	WScript.exe	97
PID 536 wrote to memory of 1564	536	WScript.exe	97
PID 536 wrote to memory of 1564	536	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe
"C:\Users\Admin\AppData\Local\Temp\782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1564
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
d40b6c5d4002a5028871e6867311ab1e

SHA1
52e7ed2c972a0783a312b583af1fd32090efd5c5

SHA256
5ada33252e0d2fbb5d4eb151c3ecbdb6998c61427ce4fff28bc400cb3a6e612a

SHA512
8b949ae74f4713a118f2b8b8d00270cd434ab12dc4a1f8a4dda5b71176878f228ba874749a015462f2a86150eb5e729cef17c5163e6ac0fb3e2ba0fa22c47af2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
300f4487421d4e88b1181c1fe0e6fe95

SHA1
fe354e754c437efb76be88c1c1ab09a71164a6d4

SHA256
84088dbc4e574995d9b5b8d77f43a642de14daec8227247503fbdcd6b1d541ed

SHA512
4b46be497cce4a2e06751b4233824d848d8e3f5ea7144f13c415d3f7f2c82813d9176aec6879b776afe0d62bae7f03a25bfabb6031a8e219e56be02813c99c4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9fb2ff4831a7a16c96f1d073fc0f2f0f

SHA1
f45b8aa489434b0e3a9d92b510fe89b937a22f14

SHA256
565614b906182ab9d7f593c073e4cfbd7eff9aa44c459224810764d34592263e

SHA512
9cd627e425efe016e10bdb819f5d4fcfa482a344cad56d8881de90ed56b304a8869ce9947d6e632629a4153aba1cfa02480db80b78c4ee98b6188cfc0dd73f82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8c27f7358f155013363133e9c0e6a052

SHA1
36cee94ee616f31c5823a4f80010b4dd64a727b7

SHA256
b9138bf256b303006ba1a227f91efdf9969381c64190f7401b6f6507fbd77dbd

SHA512
f2e5a195600720ebf92f852c6b2307179ed8320973d2790fa1108466268358c61e2b941e96cec55fdf28cd40ccdd65d492d17e5cb1cbd77943027aff48aff809

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
17dcc8248ddd2ac98c75efc3a44d1e94

SHA1
4646d0b10a53d43456c54517ca87207a6129520e

SHA256
cdffc31516abc1a9b538d2112737a3b19864d55738c17eafc6794534f7c55945

SHA512
26f2f790e471edf387a03edc6449875143e6fe92af50d42005a6b27f7f8c107047f0fd62e7a73290d4a4a65d94fddad2948778ca59fb059ffb3ae654ead26948

Download Submit
memory/1792-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download