Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 21:05

General

  • Target

    4c183f2fe4ef03958439e77d904334f8f36c6023d14168253d118b660bff5835.exe

  • Size

    1.1MB

  • MD5

    cadc41d0ef018c9d085f98fa5395aa22

  • SHA1

    f9d4a2690d2a31a200136c80df9c93fd56a2fa5a

  • SHA256

    4c183f2fe4ef03958439e77d904334f8f36c6023d14168253d118b660bff5835

  • SHA512

    6622fceb2176a01b2b938d121a4ee875a9a6124ddf385738365d2ee1b08004637fde0e8a62ea46ec309b1767188d0ef9fd970e935e2f7e898f1f8500b3d5ed00

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qn:CcaClSFlG4ZM7QzMg

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c183f2fe4ef03958439e77d904334f8f36c6023d14168253d118b660bff5835.exe
    "C:\Users\Admin\AppData\Local\Temp\4c183f2fe4ef03958439e77d904334f8f36c6023d14168253d118b660bff5835.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1508
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    61d5ebf45e591ea0fee91ab7348f71cd

    SHA1

    47d6a40aa9b62287e6f4986bdf334f05d80f9390

    SHA256

    73dbdf718296837b0c62abb47b5949159333c18e5b0304eaaa5d21e64076bc2b

    SHA512

    e951ae4d59e2b435f2d702e2618e6e2fad6e916ee41c7e2de83323c1f5070a9ffa9640b3aeec1cf5ffa23c16f8e5858a7182db45002f74c238ffb43816b08ae4

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    819b5d25e2fa1e5c471b2526a39dc11f

    SHA1

    2da1437e643d27e3d4ddbb9645663803a6ddf2e2

    SHA256

    a6f786fda6028fdb8ad001b058c6127305aacfa9f1a9604dc7371e2a7d9f8e6f

    SHA512

    222287a6a23fd2be9952cd0ae36f56887be67814e173698a90bee51d16912a033c870cd5972722408c5bfd1c682ef4768d23c53eb613f38a71ba7eddd5da283f

  • memory/2884-10-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB