fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 02:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe
Size

1.1MB
MD5

0fda9cbf208ec71190c3fae7867e5a07
SHA1

214f74c7b92dc5fb24830324069b9572484fc789
SHA256

fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084
SHA512

01d0fb6e41629d40fc113fa9ec1ccf84288685314059b5b183f2b7b9f0b5a673700e5e29d37cc7ab72af71e1ba04f54434b3917ca3be25e14b827fe7c4050216
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q1:CcaClSFlG4ZM7QzMe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
712	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
712	svchcst.exe
3932	svchcst.exe
3040	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe
4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe
4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe
4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe
712	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe
4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe
712	svchcst.exe
712	svchcst.exe
3932	svchcst.exe
3932	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 1744	4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe	81
PID 4604 wrote to memory of 1744	4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe	81
PID 4604 wrote to memory of 1744	4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe	81
PID 4604 wrote to memory of 2400	4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe	82
PID 4604 wrote to memory of 2400	4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe	82
PID 4604 wrote to memory of 2400	4604	fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe	82
PID 2400 wrote to memory of 712	2400	WScript.exe	84
PID 2400 wrote to memory of 712	2400	WScript.exe	84
PID 2400 wrote to memory of 712	2400	WScript.exe	84
PID 712 wrote to memory of 1460	712	svchcst.exe	85
PID 712 wrote to memory of 3456	712	svchcst.exe	86
PID 712 wrote to memory of 1460	712	svchcst.exe	85
PID 712 wrote to memory of 1460	712	svchcst.exe	85
PID 712 wrote to memory of 3456	712	svchcst.exe	86
PID 712 wrote to memory of 3456	712	svchcst.exe	86
PID 3456 wrote to memory of 3932	3456	WScript.exe	87
PID 3456 wrote to memory of 3932	3456	WScript.exe	87
PID 3456 wrote to memory of 3932	3456	WScript.exe	87
PID 1460 wrote to memory of 3040	1460	WScript.exe	88
PID 1460 wrote to memory of 3040	1460	WScript.exe	88
PID 1460 wrote to memory of 3040	1460	WScript.exe	88

C:\Users\Admin\AppData\Local\Temp\fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe
"C:\Users\Admin\AppData\Local\Temp\fda625c4e0aa3a2f5786f42ae5b9b64ef55939701308bfbccb2bfcfacf0bf084.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:712
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3040
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
55a022eb4c6b1b64aaab97019289b897

SHA1
14f81a9cf698b547a45fd93a5a6841e637180611

SHA256
c4116d9757dcf364594d47110fb544f41e0ee7a579587fd31681d758811d32e4

SHA512
ed41e157fde285882f78925b24f71fdade1bd037a494cc96f53d12cc6b06e90d1ebe1766a94efeba75fd3c8bce4bf82e5e259158e9da92931933fcf853fedc0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ef207aa4dbb5c906ff1595bc24517d7b

SHA1
b9104d14264930d6af7e007ab62a49e0ebe36ada

SHA256
7b54453b938923648cc9c05984d68d8eb68403321d4d7d912d9d6421927ae196

SHA512
38f271b6f7472154221d672736951208934c8f33c2f055f3485e403f312f7a4edfefd1af703cf03f7c6480334d82390b8559cbf3ccd87cc24c24165fe5e31a35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a31be217b2e829b7c6d38ee0f219cdf5

SHA1
bff97f6400e750a6f0328fa46bafbed5f3cf19e3

SHA256
1acd2bfa9c4a45a93861acde4b30672b654fd219c5e44bfb97ba2c35ab3f3990

SHA512
d2e4c62a2e1e6b3b52510448c8ed77c2a808fdef239e9aaa0ba3f42c647134c33ffb4376df8a67ca49d64427a464dedea50a63592f2c61bb599f3c7fe8ec7ab0

Download Submit
memory/4604-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download