8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607

General

Target

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
Size

1.1MB
MD5

606e0fc9ec327ff94d0c0eeca1dc9024
SHA1

b9e443e375c95cc0b93fdbaa8eec9ec4ccbc169b
SHA256

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607
SHA512

97602cea01dcf98aacb984617a8f4db638df814e912f6662440d45c29c7a8b2aa9ac35609a0c1906efc7218c99dbd150fb54df9e9fa21f1c5a34720b2adbd65b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qw:CcaClSFlG4ZM7QzM3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchcst.exeWScript.exeWScript.exe8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1568 svchcst.exe
Executes dropped EXE 3 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exe

pid process

1568 svchcst.exe
968 svchcst.exe
5036 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1568	svchcst.exe

pid	process
1568	svchcst.exe
968	svchcst.exe
5036	svchcst.exe

Modifies registry class 5 IoCs

Processes:

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exesvchcst.exe

pid	process
2392	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
2392	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe

pid process

2392 8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2392	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
2392	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
1568	svchcst.exe
1568	svchcst.exe
5036	svchcst.exe
5036	svchcst.exe
968	svchcst.exe
968	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 2392 wrote to memory of 60	2392	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe	WScript.exe
PID 2392 wrote to memory of 60	2392	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe	WScript.exe
PID 2392 wrote to memory of 60	2392	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe	WScript.exe
PID 60 wrote to memory of 1568	60	WScript.exe	svchcst.exe
PID 60 wrote to memory of 1568	60	WScript.exe	svchcst.exe
PID 60 wrote to memory of 1568	60	WScript.exe	svchcst.exe
PID 1568 wrote to memory of 4248	1568	svchcst.exe	WScript.exe
PID 1568 wrote to memory of 4248	1568	svchcst.exe	WScript.exe
PID 1568 wrote to memory of 4248	1568	svchcst.exe	WScript.exe
PID 1568 wrote to memory of 3304	1568	svchcst.exe	WScript.exe
PID 1568 wrote to memory of 3304	1568	svchcst.exe	WScript.exe
PID 1568 wrote to memory of 3304	1568	svchcst.exe	WScript.exe
PID 3304 wrote to memory of 968	3304	WScript.exe	svchcst.exe
PID 3304 wrote to memory of 968	3304	WScript.exe	svchcst.exe
PID 3304 wrote to memory of 968	3304	WScript.exe	svchcst.exe
PID 4248 wrote to memory of 5036	4248	WScript.exe	svchcst.exe
PID 4248 wrote to memory of 5036	4248	WScript.exe	svchcst.exe
PID 4248 wrote to memory of 5036	4248	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
"C:\Users\Admin\AppData\Local\Temp\8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4248

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
71dc2f9d43eb7a048c840dff123a2a24

SHA1
57a5e5f651c376cffb533e59ce60454983a1991a

SHA256
ea24a1a3820cfab637fa28093c683b234e72697d84d33994f8dfffc6eeb9c25d

SHA512
87ee80b11de7fe8ee2edf34e3aa92ec9e34d4b2ea0cb3959f2feabf4e4f6ce7fbf28c0bbcd722085415740e4974b4d8432e641079c9b3886700eefa54a5dca84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
59bdcf464bea140e82d7b175d7f595f8

SHA1
f8556faca0334717d0d5545b6d1372d2d8e16388

SHA256
a3241981f31b055d1c494f824a9007ea6e3964533ff9e2dd3d0f94d28e5c29ba

SHA512
92d816abce601d56d2e4788be9e61a3051e24033945747780421535299f796e6d70fab2001e1508dfc9f17b90123e121d5004a7986d7f04d21f064b2267a1856

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3603585559cb60e4447b9e2b3aca4652

SHA1
9d4464b64e32acb3ec3315e46eadf0c1bf3fdfe5

SHA256
42617b513a1d3a00ffd3313abc7d7f78a7ab204d78bff73f33b48e44cc350e8b

SHA512
eab8d942be6bb41d69d49a6c04da5a2854b33756d23181f3c2ba7508eb1d2c1aea94d1f23ed7a6d02863686c54ac6f6d21d6d727c018062b7dafbad39344c28b

Download Submit
memory/2392-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads