d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4

General

Target

d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
Size

1.1MB
MD5

5a284fcaddb721dd81e668bab6b38398
SHA1

f39aa2694448d8cee4d9eb5e79140b93805606f0
SHA256

d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4
SHA512

bb1d46a9a506cc4f02fa29f79fac20dd5f1c7cadc64521b73d08a6e9f97444a34abedd23dba7ebe1726fa25f8678bc5c0df72447e133c88f0f7a95689a6d4768
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qn:CcaClSFlG4ZM7QzMQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exed802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1452 svchcst.exe
Executes dropped EXE 2 IoCs

Processes:

svchcst.exesvchcst.exe

pid process

1452 svchcst.exe
4000 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1452	svchcst.exe

pid	process
1452	svchcst.exe
4000	svchcst.exe

Modifies registry class 3 IoCs

Processes:

WScript.exeWScript.exed802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exesvchcst.exe

pid	process
3996	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
3996	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
3996	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
3996	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe

pid process

3996 d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exesvchcst.exesvchcst.exe

pid	process
3996	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
3996	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
4000	svchcst.exe
4000	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exeWScript.exeWScript.exe

description	pid	process	target process
PID 3996 wrote to memory of 4840	3996	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe	WScript.exe
PID 3996 wrote to memory of 956	3996	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe	WScript.exe
PID 3996 wrote to memory of 4840	3996	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe	WScript.exe
PID 3996 wrote to memory of 4840	3996	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe	WScript.exe
PID 3996 wrote to memory of 956	3996	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe	WScript.exe
PID 3996 wrote to memory of 956	3996	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe	WScript.exe
PID 4840 wrote to memory of 1452	4840	WScript.exe	svchcst.exe
PID 4840 wrote to memory of 1452	4840	WScript.exe	svchcst.exe
PID 4840 wrote to memory of 1452	4840	WScript.exe	svchcst.exe
PID 956 wrote to memory of 4000	956	WScript.exe	svchcst.exe
PID 956 wrote to memory of 4000	956	WScript.exe	svchcst.exe
PID 956 wrote to memory of 4000	956	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
"C:\Users\Admin\AppData\Local\Temp\d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
600800c6898cc9ee9442505537400f6e

SHA1
7e3e03594522e93d50cb07a3385f024de5c8b938

SHA256
06b8d172293bc9752f22987e0fe6f2c7aa80ee2b7757530e23cb0494c9fc4d5b

SHA512
f5076650428f2444bb9a299c47f04b6b0c042a63b588025dc91a252bd46621085442c817fb59854259d59bd6eed484752257b0d038f0a0895cb9db843c6f8c9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bdd6b7621d7301c1f31e850e101ceda0

SHA1
8f1c164df0d20c926a63ff59bdef2716c71704ea

SHA256
ee8021e7946fad9933f9c4c7754d68cc9e702c18d6b7386075e86884af3fbc0d

SHA512
506a0d00a72f86361760a6a8c4126bf2bdb90d6ea227293cd0bb062f488847aae1523eae0b8a2996eaff228d94cda335a63539c4bb84648f9f201ba8b059613d

Download Submit
memory/3996-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads