3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625

Analysis

max time kernel
136s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
Size

1.1MB
MD5

0c00d7f84c24174e8aba641c3c12d6e1
SHA1

ef4b05024a87e37613344a23798763a0c9283b03
SHA256

3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625
SHA512

73bd6014f86682502f4e22bc32c839d579c7057b18ccc19af03aad0f36605b11ce6e96e2fb90fcfed588e143f56a5b2f538ab07a96ad0ed70f09008696a33d5c
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QJ:acallSllG4ZM7QzM6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2924	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2924	svchcst.exe
1316	svchcst.exe
2368	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4520	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
4520	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4520	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4520	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
4520	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
2924	svchcst.exe
2924	svchcst.exe
2368	svchcst.exe
2368	svchcst.exe
1316	svchcst.exe
1316	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 1744	4520	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe	89
PID 4520 wrote to memory of 1744	4520	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe	89
PID 4520 wrote to memory of 1744	4520	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe	89
PID 1744 wrote to memory of 2924	1744	WScript.exe	97
PID 1744 wrote to memory of 2924	1744	WScript.exe	97
PID 1744 wrote to memory of 2924	1744	WScript.exe	97
PID 2924 wrote to memory of 4392	2924	svchcst.exe	98
PID 2924 wrote to memory of 4392	2924	svchcst.exe	98
PID 2924 wrote to memory of 4392	2924	svchcst.exe	98
PID 2924 wrote to memory of 2068	2924	svchcst.exe	99
PID 2924 wrote to memory of 2068	2924	svchcst.exe	99
PID 2924 wrote to memory of 2068	2924	svchcst.exe	99
PID 4392 wrote to memory of 1316	4392	WScript.exe	103
PID 4392 wrote to memory of 1316	4392	WScript.exe	103
PID 4392 wrote to memory of 1316	4392	WScript.exe	103
PID 2068 wrote to memory of 2368	2068	WScript.exe	104
PID 2068 wrote to memory of 2368	2068	WScript.exe	104
PID 2068 wrote to memory of 2368	2068	WScript.exe	104

C:\Users\Admin\AppData\Local\Temp\3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
"C:\Users\Admin\AppData\Local\Temp\3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1316
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1012,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=4392 /prefetch:8
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
d6f7cef7c71c8e5bdfecbc29433f2fac

SHA1
5b543b02d2713ecc26d3cf45683067bc120392c5

SHA256
831b8a416fd9839f7113af23156466737d6ecaa720b52936aec6f58d7bf21715

SHA512
e73b0f164cae9b77ff47f0bbc27c3a91d61919e378e6626da13c4fb71b9e4ac9de3c07619f877c2dfa567e7eaf2dea5120eb2d878f59835505f7a95654be96d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e50c4d9ac529ccb86cd6d30029e2dbe9

SHA1
d26bcae3c9ed18396bf168cb39e3679540108306

SHA256
734327b0f1622dbe3e3c1bcebd100ed0b0d05a6fc328a9749a6e9b1f49742922

SHA512
dd1a0fe87458bb8262072c3b439d4559c60d0628d81d2cacc4e2b424758ae5f3272d113911a825b8bf08ea4081eb04f949bac04ac096ff1b87b4ec0407f073c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5090d6375f1e2234d638debff022c87f

SHA1
bec95d73dc61a1c2f66c58983cf5d1935cbbbf08

SHA256
a1f66dad9feb3c3ae7b42397cb792a68c2c61bfd03b1363895934794afddd213

SHA512
7e0a150e7a4e9369d7fcc74d8fed6284a22e81d01d8b60fdea7c091658079f17974e19a711cf29bedb9682e573c0d8775c0e92f15f5add171fc7b8cbf1a0a9c7

Download Submit
memory/1316-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2924-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4520-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4520-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download