fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991

Analysis

max time kernel
135s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 08:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe
Size

1.1MB
MD5

dec129e65fbbd3ad3eb562beeb20e3bc
SHA1

040d757c70379d1612c769b02b9568bb51a40aa7
SHA256

fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991
SHA512

750515ca8e08490e0a154dd741c59e0749f23b553e344edbadcc4f50e39d47c90494d58829448bf77c95371c3fcd03b5a81f9c805204de148db32bc9b69f086a
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QC:acallSllG4ZM7QzMB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
5668	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
5668	svchcst.exe
4152	svchcst.exe
3852	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe
2780	fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe
5668	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2780	fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2780	fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe
2780	fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe
5668	svchcst.exe
5668	svchcst.exe
4152	svchcst.exe
4152	svchcst.exe
3852	svchcst.exe
3852	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 4472	2780	fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe	82
PID 2780 wrote to memory of 4472	2780	fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe	82
PID 2780 wrote to memory of 4472	2780	fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe	82
PID 4472 wrote to memory of 5668	4472	WScript.exe	92
PID 4472 wrote to memory of 5668	4472	WScript.exe	92
PID 4472 wrote to memory of 5668	4472	WScript.exe	92
PID 5668 wrote to memory of 3956	5668	svchcst.exe	93
PID 5668 wrote to memory of 3956	5668	svchcst.exe	93
PID 5668 wrote to memory of 3956	5668	svchcst.exe	93
PID 5668 wrote to memory of 5956	5668	svchcst.exe	94
PID 5668 wrote to memory of 5956	5668	svchcst.exe	94
PID 5668 wrote to memory of 5956	5668	svchcst.exe	94
PID 3956 wrote to memory of 4152	3956	WScript.exe	97
PID 3956 wrote to memory of 4152	3956	WScript.exe	97
PID 3956 wrote to memory of 4152	3956	WScript.exe	97
PID 5956 wrote to memory of 3852	5956	WScript.exe	98
PID 5956 wrote to memory of 3852	5956	WScript.exe	98
PID 5956 wrote to memory of 3852	5956	WScript.exe	98

C:\Users\Admin\AppData\Local\Temp\fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe
"C:\Users\Admin\AppData\Local\Temp\fbd6c7582bb5504d775d95ea709489cbd6016a2fe5f3ffe4fbe7e81f854d4991.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5668
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4152
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5956
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8a470d2dd11d0a1b8e945ad91a5e90e6

SHA1
e96cf0aa1ed48374b4c5e7b14f7687b98b392df0

SHA256
674a31e26f6e812cb5134f2fc9dedc7da0f9c7d8aa58f4a00ba7e2fe5b578a0e

SHA512
c9044148e4aa16d449480bddcaf04487a0ea4d45f390bf9898c7d4d7b5e875a98dcd04c86bf58a0e654b9e832cc2db40531aea309c00059b8c91b61d58771329

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c52fdd4e4128ad336258956e3d25e84d

SHA1
4e95a93a46acf20474c241cdaf30613fb273191e

SHA256
cb631bc618cea4d60f5fec4689a5b4a2969a9422a59a5dc64d76409c5e9b0b75

SHA512
51ac008988e768db4a429645e6d9f3d9d2c8180d675101383baf0e69c263b13881b642fc446252834aaf400a3802850c089677ffe25fc5e0409ebc2008319289

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f960efd44594df212a96846e773ba505

SHA1
287d20cc1f4cacae346e4c0de4c47e0c3358d0e2

SHA256
453218e0c276ac473ae5459ed8426efb2e528747fa1becffad0e230b4f622c40

SHA512
5931806b0a55aadd18f047f84c8e270af27a1739783e6f5057bc6c5836378a387d69bd915d41dda14ec9062e6ee10802a32425714a9a361575501874c7558beb

Download Submit
memory/2780-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2780-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3852-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3852-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4152-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5668-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download