b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9

General

Target

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
Size

1.1MB
MD5

579b0058d6e634e57449ca00f9e5fdab
SHA1

77e81ea389e7aa91bd0f0f3edf7c5216f72950e3
SHA256

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9
SHA512

391cd5d9bc1ed28ec8e4dc108ee80cc5adb8394399a66655584633187d902803c85bef1da24826c89580dc5a13a15621a521a154686e06f08960248bbc357443
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qh:CcaClSFlG4ZM7QzMC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1028 svchcst.exe
Executes dropped EXE 2 IoCs

Processes:

svchcst.exesvchcst.exe

pid process

1028 svchcst.exe
3332 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1028	svchcst.exe

pid	process
1028	svchcst.exe
3332	svchcst.exe

Modifies registry class 3 IoCs

Processes:

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exesvchcst.exe

pid	process
3148	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
3148	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
3148	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
3148	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe

pid process

3148 b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exesvchcst.exesvchcst.exe

pid	process
3148	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
3148	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
1028	svchcst.exe
1028	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exeWScript.exeWScript.exe

description	pid	process	target process
PID 3148 wrote to memory of 4744	3148	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe	WScript.exe
PID 3148 wrote to memory of 4744	3148	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe	WScript.exe
PID 3148 wrote to memory of 4744	3148	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe	WScript.exe
PID 3148 wrote to memory of 4408	3148	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe	WScript.exe
PID 3148 wrote to memory of 4408	3148	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe	WScript.exe
PID 3148 wrote to memory of 4408	3148	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe	WScript.exe
PID 4408 wrote to memory of 1028	4408	WScript.exe	svchcst.exe
PID 4408 wrote to memory of 1028	4408	WScript.exe	svchcst.exe
PID 4408 wrote to memory of 1028	4408	WScript.exe	svchcst.exe
PID 4744 wrote to memory of 3332	4744	WScript.exe	svchcst.exe
PID 4744 wrote to memory of 3332	4744	WScript.exe	svchcst.exe
PID 4744 wrote to memory of 3332	4744	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
"C:\Users\Admin\AppData\Local\Temp\b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4744

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b14369e17f56fa5531afccfb3d460838

SHA1
f7226cc841dba0d597ed79d5541790bf69385266

SHA256
116c4b40f3741ee0aff236f9827c80002ae3341e652255f50b63f0b7901605be

SHA512
4b50fff1d89ba642abccc585d1c36ce20447c613c2ac474f8406cd3a08f9c96b0780a91bae49f2d3dc90052d6e4ec97ec67dda326bb9abd1e635b13757c0a494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
43cc6ea1d828fe54d2fef2c9bab3a438

SHA1
da064a622d250486717c68c896c992ec7f2607ae

SHA256
9281d2bef070ef6704d855e5331a6c990bef799a6177652c79b5536dd0bddbef

SHA512
943db8b70cbe0d6852f827965b9ae6f02eb6fbdc9826b2ecdbbdaa5f52bf7177d060b8e24a3a178b370fe80eee4f49698e33dc3efd181101c0440a8c87eee81c

Download Submit
memory/3148-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads