b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
Size

1.1MB
MD5

398769265b6300d82b6bf9920fc04531
SHA1

3f1e274298955e8b3c081065d4c0e6ac6c3cc9dd
SHA256

b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba
SHA512

fc03e4c26848961557e7e4a1fc06839c99db43152283e139b95602e7cce7f4cd58fc2036fc275d0549a39aea9f3d8aade0fe8d36baae31a7eefb0a0000a1e8db
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qn:CcaClSFlG4ZM7QzMA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1552	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1552	svchcst.exe
1676	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
1552	svchcst.exe
1676	svchcst.exe
1552	svchcst.exe
1676	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 4192	3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe	85
PID 3460 wrote to memory of 4192	3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe	85
PID 3460 wrote to memory of 4192	3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe	85
PID 3460 wrote to memory of 2360	3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe	86
PID 3460 wrote to memory of 2360	3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe	86
PID 3460 wrote to memory of 2360	3460	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe	86
PID 2360 wrote to memory of 1552	2360	WScript.exe	88
PID 2360 wrote to memory of 1552	2360	WScript.exe	88
PID 2360 wrote to memory of 1552	2360	WScript.exe	88
PID 4192 wrote to memory of 1676	4192	WScript.exe	89
PID 4192 wrote to memory of 1676	4192	WScript.exe	89
PID 4192 wrote to memory of 1676	4192	WScript.exe	89

C:\Users\Admin\AppData\Local\Temp\b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
"C:\Users\Admin\AppData\Local\Temp\b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
80e7ecfb7fba2cd878a170fa86ec6d80

SHA1
27994bce59cce23bac9d99ccc5865ce23d18a577

SHA256
36ff12e8e010862d0bcbb4c0c6e9b207cd03b3a213d480b79326f1983a5c5352

SHA512
f74f9bc6f78f1dcc56e49acd1918ae753526df4b14cc8aacf279a4156d366ad581be9e9c7c112874020a74429022e7e0615ed8f51ac4d94cff28f4b60e0456ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
31782993b62d9ffdb13bce0bda67bd75

SHA1
001dc55a7e3cddccc81d18435abb7155d8394073

SHA256
68760dfbc252513a366524314fed0e0296305d1042c3cf5127f3674a6b3b524b

SHA512
816a068880f0842d8f34e82ce101315263a961be6a3dc8957d2a0175b80f1da264f6c598cd2b898fe3c1c83a0d26f5952fcecdc7709cc3e4c4951257b0bf4f6f

Download Submit
memory/3460-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download