dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9

General

Target

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
Size

1.1MB
MD5

1887c162bc09af430797085df1c78f41
SHA1

76870ae475504b53e6bc01cfc7c9328abb1c11e5
SHA256

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9
SHA512

1612c92cde0a51a0c0c33e8b07d0539eca0a8e78618de5297c1aae9275aa74ce9961ea028f66dd51699030b891dd669739ab94bb43096a3c2d1867bf289a3336
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QP:CcaClSFlG4ZM7QzM4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2220 svchcst.exe
Executes dropped EXE 2 IoCs

Processes:

svchcst.exesvchcst.exe

pid process

4172 svchcst.exe
2220 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2220	svchcst.exe

pid	process
4172	svchcst.exe
2220	svchcst.exe

Modifies registry class 3 IoCs

Processes:

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exesvchcst.exe

pid	process
3596	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
3596	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
3596	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
3596	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe

pid process

3596 dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exesvchcst.exesvchcst.exe

pid	process
3596	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
3596	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
4172	svchcst.exe
4172	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exeWScript.exeWScript.exe

description	pid	process	target process
PID 3596 wrote to memory of 3300	3596	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe	WScript.exe
PID 3596 wrote to memory of 3300	3596	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe	WScript.exe
PID 3596 wrote to memory of 3300	3596	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe	WScript.exe
PID 3596 wrote to memory of 2544	3596	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe	WScript.exe
PID 3596 wrote to memory of 2544	3596	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe	WScript.exe
PID 3596 wrote to memory of 2544	3596	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe	WScript.exe
PID 3300 wrote to memory of 2220	3300	WScript.exe	svchcst.exe
PID 3300 wrote to memory of 2220	3300	WScript.exe	svchcst.exe
PID 3300 wrote to memory of 2220	3300	WScript.exe	svchcst.exe
PID 2544 wrote to memory of 4172	2544	WScript.exe	svchcst.exe
PID 2544 wrote to memory of 4172	2544	WScript.exe	svchcst.exe
PID 2544 wrote to memory of 4172	2544	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
"C:\Users\Admin\AppData\Local\Temp\dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b32cb2c5f6f04a445c96a7e394064c62

SHA1
e65c1faffa0e259777816a90475b06339060dc3a

SHA256
0b1288d08ab82e30b41cec6d55eaf8fb8f420e5d66a711bcc951630fe6e9a905

SHA512
92cfcc78c09f923f28dd485af6ac529b127d16a35a703f1348a5cb0e861d2da9da43563644ff85866edd9c83061585c36edcde459b08715c245b2e08c94b957c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b2fe553c019ebf483e3ed27f91a40649

SHA1
24dc73751d1130fc025e685b7487fed14d17f65c

SHA256
6cece364e4bbbe3acce0e23a02add8c6272b5ad03f4ffbf919d720b53846ce94

SHA512
68f7258aa8993ef7d95c81388dbb66c72e19f7af5b94c0841ac2fb69da13b11cd06dc802ed161f10fa17a4eb3b69cd2a76737d4946007b7468b13db536296518

Download Submit
memory/3596-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads