c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697

General

Target

c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe
Size

1.1MB
MD5

75cbf00b7c64a2a8240828c6696728dd
SHA1

88f1a5977e42da9824cc944b93b61a1b848932e0
SHA256

c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697
SHA512

f8e7d835c7ba430578f6483f1638fc5c049c014e5fed2e39170ff2735c9e9eff6c165f4378b11127f03099e29728fa7e04645d4366695a416613ca294c2b499f
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q/:CcaClSFlG4ZM7QzMo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exec8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exesvchcst.exesvchcst.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2944 svchcst.exe
Executes dropped EXE 4 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid process

2944 svchcst.exe
3512 svchcst.exe
1904 svchcst.exe
2008 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2944	svchcst.exe

pid	process
2944	svchcst.exe
3512	svchcst.exe
1904	svchcst.exe
2008	svchcst.exe

Modifies registry class 9 IoCs

Processes:

svchcst.exeWScript.exec8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exeWScript.exeWScript.exesvchcst.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exesvchcst.exe

pid	process
1240	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe
1240	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe
1240	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe
1240	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe

pid process

1240 c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
1240	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe
1240	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe
2944	svchcst.exe
2944	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
2008	svchcst.exe
1904	svchcst.exe
2008	svchcst.exe
1904	svchcst.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 1240 wrote to memory of 2504	1240	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe	WScript.exe
PID 1240 wrote to memory of 2504	1240	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe	WScript.exe
PID 1240 wrote to memory of 2504	1240	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe	WScript.exe
PID 1240 wrote to memory of 4984	1240	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe	WScript.exe
PID 1240 wrote to memory of 4984	1240	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe	WScript.exe
PID 1240 wrote to memory of 4984	1240	c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe	WScript.exe
PID 4984 wrote to memory of 2944	4984	WScript.exe	svchcst.exe
PID 4984 wrote to memory of 2944	4984	WScript.exe	svchcst.exe
PID 4984 wrote to memory of 2944	4984	WScript.exe	svchcst.exe
PID 2944 wrote to memory of 2628	2944	svchcst.exe	WScript.exe
PID 2944 wrote to memory of 2628	2944	svchcst.exe	WScript.exe
PID 2944 wrote to memory of 2628	2944	svchcst.exe	WScript.exe
PID 2944 wrote to memory of 4404	2944	svchcst.exe	WScript.exe
PID 2944 wrote to memory of 4404	2944	svchcst.exe	WScript.exe
PID 2944 wrote to memory of 4404	2944	svchcst.exe	WScript.exe
PID 4404 wrote to memory of 3512	4404	WScript.exe	svchcst.exe
PID 4404 wrote to memory of 3512	4404	WScript.exe	svchcst.exe
PID 4404 wrote to memory of 3512	4404	WScript.exe	svchcst.exe
PID 3512 wrote to memory of 4008	3512	svchcst.exe	WScript.exe
PID 3512 wrote to memory of 4008	3512	svchcst.exe	WScript.exe
PID 3512 wrote to memory of 4008	3512	svchcst.exe	WScript.exe
PID 3512 wrote to memory of 4584	3512	svchcst.exe	WScript.exe
PID 3512 wrote to memory of 4584	3512	svchcst.exe	WScript.exe
PID 3512 wrote to memory of 4584	3512	svchcst.exe	WScript.exe
PID 4008 wrote to memory of 2008	4008	WScript.exe	svchcst.exe
PID 4008 wrote to memory of 2008	4008	WScript.exe	svchcst.exe
PID 4008 wrote to memory of 2008	4008	WScript.exe	svchcst.exe
PID 4584 wrote to memory of 1904	4584	WScript.exe	svchcst.exe
PID 4584 wrote to memory of 1904	4584	WScript.exe	svchcst.exe
PID 4584 wrote to memory of 1904	4584	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe
"C:\Users\Admin\AppData\Local\Temp\c8e81b11c928d45eee32588d87956f0fab633a88c39c8efdb3a451b6e4351697.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
PID:2504

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
PID:2628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4008

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4584

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3140f68850d425901dc5baa275cdb185

SHA1
8dcf810fe6699b629e4f1a8c6ed12f51f969c179

SHA256
27e9eace4bfc861e62040065b94c1cbcfbf840ed92217703d00ac1951a08e034

SHA512
10d0ab0b8651df7827ab008d9020a7ef6770e03b0fff0549d250600a34a1143074d1839f6dd667c87deeea3efca5f0fac3834dc35225bc0f846c4abd41e0f4e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e941c404604f780e37c7e63233301fa0

SHA1
d27c9a3b90881add1a06b41b5931267fc818ff08

SHA256
6add2531fc05662418f48a46f522fa4507053ece8d0d94a04c0c213d27da81ce

SHA512
1f448e52f5aa81f30ecf10d6222fa0913ab7a5f3c0f2c7e6a9deb231e9bf55937c4fb0f84bbaeccdd9040e163ae371daec55eff48d633cd6d6bd409433fbf4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7b53983b129836c02db45afe1d9bc749

SHA1
14be63592963b5d28e01ff01c62a0eadfacda9ef

SHA256
b5b5c900bd127b6fc6c18944ef74b875532723d17d25faec6e2c7a9f79f09aaf

SHA512
b36fa9c0fc7aef71a32b8dd5b9bf57e9a2d15e676f09e78dd73cbd78ff8caedde014ecfcbc3d35660127995a0c5dbb2896c729c1a44f6ebfa135215d43fb7cd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
23116c5bd2613630197a8e2c8ae44c7c

SHA1
4a65725852a4e4fa18bbe29efc6f0b6dc117c655

SHA256
30660dd1ab1b6796e8a4b8f6edc76fcc9e973d9d20816275208e24156b3f965d

SHA512
29fc9c870eddb276b44232ca4846d4c4cf1821c68950461b928d3555b1cfbe8012a6e01020741f110b58a16b333002ff3ab6b35f18da5f4793fa824527428576

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5b56e0453365f01d06ff01aefc4f2438

SHA1
9ecddfa3707bf55e41405b369f43b82b0a687044

SHA256
5d6f57a5a47887ed0dc7b0fcd16eb23819824e641e9710d884e92cbbc618fac1

SHA512
0c20fe9982c7802abfbc5c87566196b33a6094ff0fd9da24f0f300cdd6af8024f296a67240182f3d98076438b82b352d8e527061ec73a71890f658b454cd5c74

Download Submit
memory/1240-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads