91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1

General

Target

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
Size

1.1MB
MD5

5aa11867bcfd05035fc2b2dbf1547c9a
SHA1

9d3703cff5101dc847d65c15b490440abed5c64b
SHA256

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1
SHA512

fa8ae84ab975187889301806cd3446fe5ad6050525ec83de60725004c75ed2aedc85f34e54e93bdd639afa0b6e848abc2865212554efa421152dbfd39bce2445
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qz:CcaClSFlG4ZM7QzM0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1588 svchcst.exe
Executes dropped EXE 3 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exe

pid process

1588 svchcst.exe
4044 svchcst.exe
1620 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1588	svchcst.exe

pid	process
1588	svchcst.exe
4044	svchcst.exe
1620	svchcst.exe

Modifies registry class 5 IoCs

Processes:

svchcst.exeWScript.exeWScript.exe91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exesvchcst.exe

pid	process
2924	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
2924	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
2924	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
2924	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe

pid process

2924 91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2924	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
2924	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
1588	svchcst.exe
1588	svchcst.exe
1620	svchcst.exe
4044	svchcst.exe
1620	svchcst.exe
4044	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 2924 wrote to memory of 3304	2924	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe	WScript.exe
PID 2924 wrote to memory of 3304	2924	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe	WScript.exe
PID 2924 wrote to memory of 3304	2924	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe	WScript.exe
PID 3304 wrote to memory of 1588	3304	WScript.exe	svchcst.exe
PID 3304 wrote to memory of 1588	3304	WScript.exe	svchcst.exe
PID 3304 wrote to memory of 1588	3304	WScript.exe	svchcst.exe
PID 1588 wrote to memory of 1436	1588	svchcst.exe	WScript.exe
PID 1588 wrote to memory of 1436	1588	svchcst.exe	WScript.exe
PID 1588 wrote to memory of 1436	1588	svchcst.exe	WScript.exe
PID 1588 wrote to memory of 884	1588	svchcst.exe	WScript.exe
PID 1588 wrote to memory of 884	1588	svchcst.exe	WScript.exe
PID 1588 wrote to memory of 884	1588	svchcst.exe	WScript.exe
PID 1436 wrote to memory of 4044	1436	WScript.exe	svchcst.exe
PID 1436 wrote to memory of 4044	1436	WScript.exe	svchcst.exe
PID 1436 wrote to memory of 4044	1436	WScript.exe	svchcst.exe
PID 884 wrote to memory of 1620	884	WScript.exe	svchcst.exe
PID 884 wrote to memory of 1620	884	WScript.exe	svchcst.exe
PID 884 wrote to memory of 1620	884	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
"C:\Users\Admin\AppData\Local\Temp\91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
005c6a907c2ed3eb79f045dce343b983

SHA1
d9b6cfa59efe1af05200d1edbed38e3630b301c3

SHA256
7bd5de77292605edbeb75c453d060c4b3ec33b23aeb0fa638d78240cffba0977

SHA512
c5ba6ec95705c5f603683121886680d51ec5b12954599402c44002e0dc493d3ccc24b4299cd5fea2fc021c89f7ba348ec43d0748880f00cb2ec2a57c560adac8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
95cbcc068b61f14455af7f3daea5c57f

SHA1
7121bec25241666a150cd1a58eb7efb0b26eab96

SHA256
205412cd3d890bd070295ebf41e4a831de855a2b755c1a583b4dd2df66d5bc81

SHA512
5ae57031bb2ce71bf93c683f07f82b521918ef8a145a80f8e488e403d7ca97079cb305bb3f9ad93f2b3a99f44954063447a5f9a2c0f6f276a2ef84beff5674a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c9ad2282110113f1607d400f40c5a41b

SHA1
8733f767a8871af38851d885dc6ebabd7a2d5015

SHA256
5ba60c644b6fb68a703aab6af97969972fc815b422a2e1b98e9c7faf035dc55a

SHA512
83b96363fa87167ee20ef44f4a86527f4bd026391b32109099ec348efa31f59ce0fb91f11337571c1f98fe0df1f9f92c74b01e47c4c0c2bfe759c44cc18b5363

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4252dc5d0e278dfedc05d47d776a1ceb

SHA1
aae3116041b4acad9e1bf434e3c5465d23a5b185

SHA256
3dc4d9ae0bf333471a548983dbd09cb8f6e0c99cc1fb7233fb094d5453ffa52d

SHA512
090d9b55dd96da3d4739d2c50613e67b73196594c985373daf2383661d8acd0749ae286917c5f88259ef2631999d96c8b26c9e51dfc8fe8d5d5c8939fc68d578

Download Submit
memory/2924-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads