99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06

General

Target

99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
Size

1.1MB
MD5

09fc4e2ff1c048f4fc346a8d61d6f203
SHA1

3f0743f92c439bbbd600320ab231c517e1a530fb
SHA256

99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06
SHA512

752ed67aebbea9087122df1e8d991241707b216e0af6cfaf03561dfa7c49a5cf6e62ed08cddbb435ba0ed7fa96481cbbeb19d5981f418c66d92821cb8635715f
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qj:CcaClSFlG4ZM7QzM0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchcst.exeWScript.exesvchcst.exeWScript.exeWScript.exe99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

4048 svchcst.exe
Executes dropped EXE 4 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid process

4048 svchcst.exe
1572 svchcst.exe
3216 svchcst.exe
2344 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4048	svchcst.exe

pid	process
4048	svchcst.exe
1572	svchcst.exe
3216	svchcst.exe
2344	svchcst.exe

Modifies registry class 7 IoCs

Processes:

WScript.exe99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exesvchcst.exe

pid	process
624	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
624	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
624	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
624	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe
4048	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe

pid process

624 99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
624	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
624	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
4048	svchcst.exe
4048	svchcst.exe
1572	svchcst.exe
1572	svchcst.exe
3216	svchcst.exe
3216	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 624 wrote to memory of 3972	624	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe	WScript.exe
PID 624 wrote to memory of 3972	624	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe	WScript.exe
PID 624 wrote to memory of 3972	624	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe	WScript.exe
PID 3972 wrote to memory of 4048	3972	WScript.exe	svchcst.exe
PID 3972 wrote to memory of 4048	3972	WScript.exe	svchcst.exe
PID 3972 wrote to memory of 4048	3972	WScript.exe	svchcst.exe
PID 4048 wrote to memory of 2484	4048	svchcst.exe	WScript.exe
PID 4048 wrote to memory of 2484	4048	svchcst.exe	WScript.exe
PID 4048 wrote to memory of 2484	4048	svchcst.exe	WScript.exe
PID 2484 wrote to memory of 1572	2484	WScript.exe	svchcst.exe
PID 2484 wrote to memory of 1572	2484	WScript.exe	svchcst.exe
PID 2484 wrote to memory of 1572	2484	WScript.exe	svchcst.exe
PID 1572 wrote to memory of 4052	1572	svchcst.exe	WScript.exe
PID 1572 wrote to memory of 4052	1572	svchcst.exe	WScript.exe
PID 1572 wrote to memory of 4052	1572	svchcst.exe	WScript.exe
PID 1572 wrote to memory of 1512	1572	svchcst.exe	WScript.exe
PID 1572 wrote to memory of 1512	1572	svchcst.exe	WScript.exe
PID 1572 wrote to memory of 1512	1572	svchcst.exe	WScript.exe
PID 1512 wrote to memory of 2344	1512	WScript.exe	svchcst.exe
PID 1512 wrote to memory of 2344	1512	WScript.exe	svchcst.exe
PID 1512 wrote to memory of 2344	1512	WScript.exe	svchcst.exe
PID 4052 wrote to memory of 3216	4052	WScript.exe	svchcst.exe
PID 4052 wrote to memory of 3216	4052	WScript.exe	svchcst.exe
PID 4052 wrote to memory of 3216	4052	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
"C:\Users\Admin\AppData\Local\Temp\99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
40146c04137343cccf6c8d32d3d23cfa

SHA1
a745bfc74e11eaf255562c71ffd39f7bc190e224

SHA256
285bf136b11d9a556ccbb887eb59106829aef5e788a75036fb2176e04bb33e85

SHA512
924283f47ebdbbc706a30cc0a594028966f34b12cea1c1b984f39a60d547b6035ca13505aca51cfebd3c2497d8aafdb9b6539ea449cd00dafc3657094ca8a3ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d04e4fa1d3c8ba67f98c8e40c157ed97

SHA1
c0d95df53f8a804370ce7230fd02b9e58f75ec22

SHA256
b0544b1226f7cfd08fbffa33537e742cae314ef9ebc6a146d9aae7ead895ae1f

SHA512
7436211ec14314df3689406a0b828f28a337929922fe1d381569b3eedc40dd9639764a73adfb033ede68ff760c5c0429de44a865e96f105cd0a2b6ec80269890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5ddce97a89f710df253f719fbfab1431

SHA1
bb74f4ba92f800aea78ab477921a7e5a7d928c42

SHA256
18cdecba2fb514f982c21f87800b5ed5b1a4d8e383f60ec2f4627597e388cf3c

SHA512
3b5a31084fff38a49ba677710463bc5a4175ea96c8d31bfcb19e3671032ae91193be05d35f79f4d8539b5e87f09047ebd968644f5b95f3f09c51f3d09d38d6f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3396571bd6fe7369b8c1698bde464038

SHA1
60ea9b14b63ef40b5576d65ff6e2a99f1d4a1dcd

SHA256
ada4d03cff8fe39eb0657837119e9bbff665fefc668dad54bc708b7a92634163

SHA512
34eac736f1a6b5efe6f6b2c8ba5f95d29b46ff5efc0ac554cdf7301346b9321aaa6cf7b92a5b84a260f4f00a3a9eee564e71674597c8358af09b45baa595fb07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
13e2f1c9e8124fd72174f1db46e97525

SHA1
e4bf8fb4c440b82f15bed4afc3ce346b37b30ac4

SHA256
15f43a543a13ada00e96e6daaa25b97e95ef8547649b1014a95c6e295ba83989

SHA512
fd7a000d329d2aca6b91413c5091b6cdbe094feed9da98cd68cc0b45cc17194efd4092eb2baa7a76169f0ce97730710f6743807706ab7f8576e8987ac84d70f4

Download Submit
memory/624-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads