b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6

Analysis

max time kernel
120s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe
Size

1.1MB
MD5

f0428b79614d60ee4b26ed8dda91053f
SHA1

bab09a95511d12d91d21448a1cf2bcca71953f0f
SHA256

b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6
SHA512

8e7f8fa5f0dbca19d2e360798de671be8f7fc6db51d81d0d8d2e260539b78fce1ad4e5c7913eb64cb2a74a9c2e4a36584af8aca05ea079e94761641ebf121a8e
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QM:acallSllG4ZM7QzM7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe

Deletes itself 1 IoCs

pid	Process
1720	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1720	svchcst.exe
3452	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe
1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe
1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe
1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe
1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe
1720	svchcst.exe
1720	svchcst.exe
3452	svchcst.exe
3452	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1724	1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe	87
PID 1432 wrote to memory of 1724	1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe	87
PID 1432 wrote to memory of 1724	1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe	87
PID 1432 wrote to memory of 4564	1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe	88
PID 1432 wrote to memory of 4564	1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe	88
PID 1432 wrote to memory of 4564	1432	b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe	88
PID 4564 wrote to memory of 1720	4564	WScript.exe	93
PID 4564 wrote to memory of 1720	4564	WScript.exe	93
PID 4564 wrote to memory of 1720	4564	WScript.exe	93
PID 1724 wrote to memory of 3452	1724	WScript.exe	92
PID 1724 wrote to memory of 3452	1724	WScript.exe	92
PID 1724 wrote to memory of 3452	1724	WScript.exe	92

C:\Users\Admin\AppData\Local\Temp\b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe
"C:\Users\Admin\AppData\Local\Temp\b8cbed1c61f8769960e4d1428cb621a5619dbbc710baeacfa1fca385ef5c5cc6.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3452
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
93b6b3652262a2e65f50923a52745e65

SHA1
823d252f97c070f6094289277966f456f4684a25

SHA256
2acf49ef8327c895234a68f78377b7f153ef34838d3d8b58227a34cb4156c661

SHA512
3b5b9523187b590ba2aeefcdb7feb2b5a799ced3f0bc03c5fd6761f179896df3e3b0b69930c18c4a0590c499a8407cc8385759757b3466fd48b753103c2b46b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6dfc3e7048970c6bb027f54276027574

SHA1
2bb52c53e624f868f11a5e5e5e1cd151fca13ecf

SHA256
7578431174ce0d364ed6016cc6bca9a986b590119bcbed2c321236b973b73da2

SHA512
275c072d2bfcef1c95e977c2a346ee886b8200fae304dbef5a577d1be43e9f9c33a10203e03639538be3dd8b752180a809cacce40d9176ecf703d30749a96834

Download Submit
memory/1432-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1432-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3452-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download