c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c

Analysis

max time kernel
14s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/06/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c.exe
Size

1.1MB
MD5

7892f83675238e76b945e0a112abab24
SHA1

10eeda2c9dba87199a1b0d1df81becb229bb5165
SHA256

c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c
SHA512

264095c2338e4eb9fbe2c6bd4bcdd7febde75d2c37ca4cbc7134cc83ec9d6b8a7a394cd9656505bfa0843d4659623296c74193fce8de0fcfcbaf7f67d7a6a511
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QJ:CcaClSFlG4ZM7QzM6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2736	svchcst.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	svchcst.exe

Loads dropped DLL 2 IoCs

pid	Process
2596	WScript.exe
2596	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
1676	c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1676	c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1676	c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c.exe
1676	c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c.exe
2736	svchcst.exe
2736	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2596	1676	c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c.exe	28
PID 1676 wrote to memory of 2596	1676	c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c.exe	28
PID 1676 wrote to memory of 2596	1676	c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c.exe	28
PID 1676 wrote to memory of 2596	1676	c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c.exe	28
PID 2596 wrote to memory of 2736	2596	WScript.exe	30
PID 2596 wrote to memory of 2736	2596	WScript.exe	30
PID 2596 wrote to memory of 2736	2596	WScript.exe	30
PID 2596 wrote to memory of 2736	2596	WScript.exe	30
PID 2736 wrote to memory of 2448	2736	svchcst.exe	31
PID 2736 wrote to memory of 2448	2736	svchcst.exe	31
PID 2736 wrote to memory of 2448	2736	svchcst.exe	31
PID 2736 wrote to memory of 2448	2736	svchcst.exe	31

C:\Users\Admin\AppData\Local\Temp\c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c.exe
"C:\Users\Admin\AppData\Local\Temp\c78c17928a94298e4acd6b128ad61ed80b31105c79978d914c2a07f8899bb36c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:2448
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        
        PID:472
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        
        PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
53586000e76ee6942df430b8716b4616

SHA1
97afd48071b6043c0a04b823875956b98a8d33bd

SHA256
486e66f5aafdb179f41e1d1f39c8fb5662bfad43d5d53dfa89405a04b0d42d69

SHA512
3a9a94289a667899d5ba7db41486854b9234929ecaa9d9aaff3188740cc084c0a633702be218f4b1a8afbfbd8a4e1a892eebbdfde1a7d3fb9c27c3482aa03bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ac5051c858d9bb211a920d1800408e71

SHA1
1a729fe2b959bd2c15656625652cb9c1e5eceecc

SHA256
c1f9659aec9735edbc75ef7a45e9f5582142a7f268c8994ca7a9009278b68bb6

SHA512
565c30b0dd375bf2db20adbe71191ecec7ecee943cb2b82202421e9798c4bb600c6fd29c7bb702edcdd4a3f0fb2151434b806d1da44dbe7178102b28571f56dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e4b6de2ce962a63462f1a83c7b7b481f

SHA1
8280e9bd33af5c65d5c235addfabdb49a3669234

SHA256
491ead220f8052d9e676f60f065b23f3b5a8f0a24d70a15494425383bf3a816e

SHA512
eab8c847382ed50cdd7597504d6c6f5e847d6abba798a32f184fe0e092353dbd481c81f81021a8e3a57d6ca3e2d4c5282cb2e4f1941cef15bda536a55db6ae6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
776e60c7d65f5a2d239ae99656780d1e

SHA1
5327069077c06932edcf3159991697117c32117c

SHA256
9102fdd2ce0c6576f0cdc76b3cd0b1ea210057aeaab5af9c9500d9e6de4735e1

SHA512
0db52ed509fae95165987b46a9f2a6a2fc624c9bc19123a038b196be6a4e4df338a22e300001483659493d4024d3b7401d036ef8a834a5460f8cb5e3e025cf9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ccf07f851f403ac43f3e9c7cda200855

SHA1
189fbffa3f47affad0dd3b4c13ff8051d84b90f9

SHA256
b5c4928c364456ffeb9cff1bce2316bac9f364e4ccf0856119aea986477fb80e

SHA512
35e9314755e94119501bb90155c79fa84d806b282345f80415d2b475ff6fa70f63edf790da670b07d559ded266188298b21cad49265e6958c3c546c2e2e6e81d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
de1906d3bec47e912431c8c6d169beaa

SHA1
962fa5cef9c906444c79fe06ba40405054342ede

SHA256
137fc06ea7713171deed45077479c786a6b4759ea02ca9930ffa7caef44d82e6

SHA512
5d825bc13f40182af1a2199712348f992c3e58ecb84c73d6e543892d5e48b2625353270e6de43c70e764049f3472ff2f50bef9c62a60345dc123955a9ebffc86

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c57c65159db44ce019b5b2f70e25d9d

SHA1
f9a8c62b1b7ac6a7fd2eebdb45110675b84b9a7d

SHA256
012a6b244aa7d8d2f3eae25eb284e774a036262ebee67da6db1546865aac4499

SHA512
3f3fa51730371b9d443c6bafa8d0331809b249269ea7f86089f370b4db3a857ee0aaa160e4aa965fc913bf6adc2a401c5c49f285d8b4e21d01b714a05fc2e346

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d30639e73d2d2128c23e9db990d1b4de

SHA1
e1c79822efdbfb88562b669d78706220b6c138bd

SHA256
7887eaff45cfb8ce8fd533de8347eaf1e095fcfc27e7f2c707e9189856190fdd

SHA512
eb02c71fb92634baf8137e96ca50d1301f3b0c627ae07ecf871f9a2d410475d609b0826a412617454d6129cf717fe0642cf8c2c4681a64ad94d82d6fc34555f3

Download Submit
memory/1676-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download