cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528

Analysis

max time kernel
125s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
Size

1.1MB
MD5

efe61464d183fd6502a4a3c52c26bc48
SHA1

68d9b9958126bffb9ec4bfff7f86fbace579d136
SHA256

cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528
SHA512

0a112921f7ea1908d71833a0ec11cb69afaaefd3db4c5f2583c48aff463063d39115d18b7572b01dc6de90a62bcb4b05824cbf2b6583ccdd4017bc1406c2196b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qe:CcaClSFlG4ZM7QzMF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2816	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3620	svchcst.exe
2816	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
2816	svchcst.exe
2816	svchcst.exe
3620	svchcst.exe
3620	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2384	2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	93
PID 2400 wrote to memory of 1452	2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	92
PID 2400 wrote to memory of 2384	2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	93
PID 2400 wrote to memory of 2384	2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	93
PID 2400 wrote to memory of 1452	2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	92
PID 2400 wrote to memory of 1452	2400	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	92
PID 2384 wrote to memory of 3620	2384	WScript.exe	96
PID 2384 wrote to memory of 3620	2384	WScript.exe	96
PID 2384 wrote to memory of 3620	2384	WScript.exe	96
PID 1452 wrote to memory of 2816	1452	WScript.exe	97
PID 1452 wrote to memory of 2816	1452	WScript.exe	97
PID 1452 wrote to memory of 2816	1452	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
"C:\Users\Admin\AppData\Local\Temp\cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3856,i,4226873509039249198,15952596839998010243,262144 --variations-seed-version --mojo-platform-channel-handle=1284 /prefetch:8
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
36bb644abd3ef8a15e09b2b8426e8cf3

SHA1
73fdb3c91dad781fe115c8b104827588e463663d

SHA256
b3a03c8f548d3d5307fbf01e280d4595e8f22728155af418732a29f9cb6ed59f

SHA512
a8e2499277db6a85673c3b6a53f883fa8406104e302969398845707e252a765cf74ffac4851eed6c7d9ecc359c4ee2dbe13d2e1a4f10b3b8078250dfb86f7227

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a0d1a593c3f090a02714370013c85ac0

SHA1
e198f7519950d8deb63b8e96e32087097fc9e7fe

SHA256
f9e7715079adabc5379f05f5ee0ecc54cf3849ce2b7ccba5632f7401aaca4e12

SHA512
08a413d78937487baad4a771120a0a03d01845fa4740c6954a90c6073858be1fea4e3418b1c4eb538d39e517a397f63f78861a38ee883a6f9327eea6b505fcda

Download Submit
memory/2400-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download