39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 12:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe
Size

1.1MB
MD5

7e74422525e6beb14de691a3e9603ff4
SHA1

487ee8aaa10735a39c900d1cfdefd93762dbdd3e
SHA256

39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f
SHA512

cd146fd4d3c61b67212712c8c5e165179cfe18f80595d8072254a9f8a3735580cabb3ff0ab2b4bec81b73b80ecdda87a8919241976caf1c15ce40713fd9b3283
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QG:CcaClSFlG4ZM7QzMN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
2300	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2300	svchcst.exe
4924	svchcst.exe
404	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3508	39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe
3508	39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe
3508	39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe
3508	39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3508	39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3508	39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe
3508	39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe
2300	svchcst.exe
2300	svchcst.exe
4924	svchcst.exe
4924	svchcst.exe
404	svchcst.exe
404	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 3440	3508	39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe	83
PID 3508 wrote to memory of 3440	3508	39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe	83
PID 3508 wrote to memory of 3440	3508	39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe	83
PID 3440 wrote to memory of 2300	3440	WScript.exe	89
PID 3440 wrote to memory of 2300	3440	WScript.exe	89
PID 3440 wrote to memory of 2300	3440	WScript.exe	89
PID 2300 wrote to memory of 3488	2300	svchcst.exe	90
PID 2300 wrote to memory of 3488	2300	svchcst.exe	90
PID 2300 wrote to memory of 3488	2300	svchcst.exe	90
PID 2300 wrote to memory of 512	2300	svchcst.exe	91
PID 2300 wrote to memory of 512	2300	svchcst.exe	91
PID 2300 wrote to memory of 512	2300	svchcst.exe	91
PID 512 wrote to memory of 4924	512	WScript.exe	94
PID 512 wrote to memory of 4924	512	WScript.exe	94
PID 512 wrote to memory of 4924	512	WScript.exe	94
PID 3488 wrote to memory of 404	3488	WScript.exe	95
PID 3488 wrote to memory of 404	3488	WScript.exe	95
PID 3488 wrote to memory of 404	3488	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe
"C:\Users\Admin\AppData\Local\Temp\39762562579e19a81f5aaa8c3c7fc046183f7c85db3a591934123d4c95c7f80f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:404
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:512
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
63cf2c2dafa858fe55440a8318b780bd

SHA1
a7f51791a6f5215ce47d04d12c7e497d732e9abf

SHA256
29ad472e0ad8722e5ef84ec169d76c49a5695216bb9a4eea0a8dca6c4d742e0c

SHA512
bd346b652f87d5a861a0d5956cfca0ac3cbbb06ad981b10931a4c79fbf3e71394797b0881243a15f0fa9c330f603cafe07406442d232cd69747d9d650f185a00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
428f7b7ce887237f20d24d4fcaf53fc6

SHA1
f1f50879f6862c565e493435f5f56c1734535ff8

SHA256
7f197294ff6c6a4e2287090a83520603564434da007183437f1ea5dd921fc3ac

SHA512
a44b6d81c1516f50194c1d929bdec8113f4158d1929682310df42a83799cd26e5a8016d60d33f8f0973d0c3c1beaee460a1579b2f6805c7fd5908d4ff982b432

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d2b892c760420f7e36a4d531fc8f39e8

SHA1
fd73b083a18fe1b3414bbb1a262bd791996d3261

SHA256
8d021423a64ce84003ef0e5d48279c3a8e4856ea971683bacb5ad09515a499f9

SHA512
beadec131649f9bcb33a4edd08b0ca77f97a4199db2ff4c892fe33fdf0d4b112d4a8a325902ed25e2042fea6af36a13512be06af45b0a038c0890fb01daa2583

Download Submit
memory/3508-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download