ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe
Size

1.1MB
MD5

98f4aab5aed78b38a2d4b87e220490e3
SHA1

b447ea25d1c9afff889aaa21dc92ba40073d75db
SHA256

ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa
SHA512

f360b6c3c13fa1ce15108ea6db78b03eb58002bec7e3ea3c04f2e59f336d3ecde237ade33d115977c7c8ae55ef2abc5e919d55793bad480bfcd532fb86e8e6e5
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qk:acallSllG4ZM7QzMD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2512	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2512	svchcst.exe
2532	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2684	WScript.exe
2220	WScript.exe
2684	WScript.exe
2220	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe
2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe
2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe
2512	svchcst.exe
2512	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2684	2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe	30
PID 2192 wrote to memory of 2684	2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe	30
PID 2192 wrote to memory of 2684	2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe	30
PID 2192 wrote to memory of 2684	2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe	30
PID 2192 wrote to memory of 2220	2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe	31
PID 2192 wrote to memory of 2220	2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe	31
PID 2192 wrote to memory of 2220	2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe	31
PID 2192 wrote to memory of 2220	2192	ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe	31
PID 2684 wrote to memory of 2512	2684	WScript.exe	33
PID 2684 wrote to memory of 2512	2684	WScript.exe	33
PID 2684 wrote to memory of 2512	2684	WScript.exe	33
PID 2684 wrote to memory of 2512	2684	WScript.exe	33
PID 2220 wrote to memory of 2532	2220	WScript.exe	34
PID 2220 wrote to memory of 2532	2220	WScript.exe	34
PID 2220 wrote to memory of 2532	2220	WScript.exe	34
PID 2220 wrote to memory of 2532	2220	WScript.exe	34

C:\Users\Admin\AppData\Local\Temp\ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe
"C:\Users\Admin\AppData\Local\Temp\ec41c67ed5bbf704402eee8855e82407d60c415c908eb9f181a9a16a996673fa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
db539aa9eb75379f355199bc060ede45

SHA1
dc8f1b24fe3f2069cd58279477e0222785200b34

SHA256
08be58440fb55fc83088a6400aaaafa7535d9f603199e2694f067a236cc13108

SHA512
d1ce6d575db2526aaa14b39a62bde1cb1b40fd2474960b357c5466a11b344258f5c17aa9940e4549d062ea64124b50aeefa159bdb0ac1d3a0b4e487cdb35a241

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a96326b6377fa2bd4bae75b55e54cf7c

SHA1
00508f7a5dcd81c46bc0cc71a42df6bd17222ed1

SHA256
7f9d7d365d140cf36f1b61d99bd45a2a0f691c9ebbe6f07a58b61bdb6d9b371b

SHA512
8566664cb6915a3b6e5118fb82b99949e23c711ba28f327943227a7558c4088dd39b1f99235aae3e4e597c71d8d2a4121913ae0bdc8e10e1d90dc3bd73157cd3

Download Submit
memory/2192-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2512-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2532-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2532-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2684-20-0x0000000005220000-0x000000000537F000-memory.dmp

Filesize
1.4MB

Download