84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee

Analysis

max time kernel
93s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe
Size

1.1MB
MD5

da9f835bbd60c6775f7865a66f749299
SHA1

87f2cc25840d557d4a034f3a299db2ff85b2df59
SHA256

84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee
SHA512

7a09bb14939b4a495beb39c866d9e5a01af35350fd888a59b79e8ca3de044b381dce0c1f7d670bbeedeb02f7b622b8c9291922004a7c30ababb9e50b2795dc40
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QR:CcaClSFlG4ZM7QzMi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3764	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
972	svchcst.exe
3764	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe
2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe
2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe
2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe
2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe
3764	svchcst.exe
3764	svchcst.exe
972	svchcst.exe
972	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 5008	2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe	85
PID 2088 wrote to memory of 5008	2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe	85
PID 2088 wrote to memory of 5008	2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe	85
PID 2088 wrote to memory of 2824	2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe	84
PID 2088 wrote to memory of 2824	2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe	84
PID 2088 wrote to memory of 2824	2088	84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe	84
PID 5008 wrote to memory of 972	5008	WScript.exe	87
PID 5008 wrote to memory of 972	5008	WScript.exe	87
PID 5008 wrote to memory of 972	5008	WScript.exe	87
PID 2824 wrote to memory of 3764	2824	WScript.exe	88
PID 2824 wrote to memory of 3764	2824	WScript.exe	88
PID 2824 wrote to memory of 3764	2824	WScript.exe	88

C:\Users\Admin\AppData\Local\Temp\84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe
"C:\Users\Admin\AppData\Local\Temp\84868dbc88cc20a7baff12da48aa554a30fb98c9df7117fadec4fa6131727aee.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
af76b6295790c0a50bc26cf8f0a0cb09

SHA1
31e734aaff55fa3a55ec1b6bfc8b3bf9814db844

SHA256
cea1157513184bb5aeba71439d51f85884b131b3183f66c4de59a115fd4e6ba0

SHA512
54d5292861589a866a6aaa4c6ec8573b1ab52fd29dcc68c13fa1d47f1b704c9a441a65817cb88883f4129d96f8152f2ce605d07af49a5eef832a253dcb57bff8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2767486d549579723bc2048fc79c6d8d

SHA1
1be1dc3a2a5ea1aed613fb07f75678ba1e6f7425

SHA256
d96fcdb458b8f8d2730629ac467f56b048c7cc056ca92bff42f421c5e666ab49

SHA512
a4a872eb107ab401f50adfb9517f86a481a217e0d7ff0ada189752bf02bc58bb6967dbf993bcbe5f61bc7c2afeeee379dbdc38811942c2a1e42c0469fcff0adc

Download Submit
memory/2088-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download