64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1

Analysis

max time kernel
120s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
Size

1.1MB
MD5

a10f57a3203ef88b679a655a716bfae2
SHA1

3ae3d9fbdd8aa5dcce5c1ac3a58d820434797359
SHA256

64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1
SHA512

925bcb281c211ba221497ee0f3ec7c8239004283d0b8c710d8b9bb0de964f944190ad761a76e7fc1c6f1ea5e208ca242bc20002bce588733936b831c6ba05604
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q6:CcaClSFlG4ZM7QzMp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3804	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3804	svchcst.exe
4864	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
3804	svchcst.exe
4864	svchcst.exe
4864	svchcst.exe
3804	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4788	4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe	84
PID 4928 wrote to memory of 4552	4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe	85
PID 4928 wrote to memory of 4788	4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe	84
PID 4928 wrote to memory of 4788	4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe	84
PID 4928 wrote to memory of 4552	4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe	85
PID 4928 wrote to memory of 4552	4928	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe	85
PID 4788 wrote to memory of 3804	4788	WScript.exe	87
PID 4788 wrote to memory of 3804	4788	WScript.exe	87
PID 4788 wrote to memory of 3804	4788	WScript.exe	87
PID 4552 wrote to memory of 4864	4552	WScript.exe	88
PID 4552 wrote to memory of 4864	4552	WScript.exe	88
PID 4552 wrote to memory of 4864	4552	WScript.exe	88

C:\Users\Admin\AppData\Local\Temp\64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
"C:\Users\Admin\AppData\Local\Temp\64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3804
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
dab32f2d1e9187653406e531ab5831f6

SHA1
443a4f1137148ab16cee05fe2cf8b47bee48d9a0

SHA256
98608b44591e2df48bb7ab70e818ad8680cbf70cad44dc224797007d8f96c39a

SHA512
ea0e531fecc482f4e3dcc24f32009c3b16f1994f34ae54e5364df79c2251ddc11d2e6f6714c87763027923e149b2c2fb8aab6c0732d56bda69bf2bc3e5b8f3e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3302931503c2b5e45ea82477f76c6c4b

SHA1
22816fdadd1974fb2ed5984294b40142a890afd0

SHA256
cfa7a08b4175e144abd5467e9a5a200928498f29370d3acccde5892f452837f7

SHA512
8c2ad9beefac0fb62819f3d335aee0bc8a760c5525bdfe9817b7e6149fa12536fa4d8510ca7dec6b986030433a5d77c094a579f4dc7d4d889a1f7a1e9d8ae7c6

Download Submit
memory/4928-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download