ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe
Size

1.1MB
MD5

3eca58f6338d0b93115ea7ee89bd9058
SHA1

1c38d34ffff2458757dade65a0d680e77fc9a329
SHA256

ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5
SHA512

c203550174ee40161d5f3513a42f1d8efb385bb43e3751212d6787aa3eddb4be0b0f956f63419fb90f7552b0f93da7c77c1512413d9bc95bbd03b39dcbd1c73e
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QL:acallSllG4ZM7QzM8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2580	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2580	svchcst.exe
4976	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe
4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe
4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe
4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe
4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe
2580	svchcst.exe
4976	svchcst.exe
2580	svchcst.exe
4976	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 2416	4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe	86
PID 4304 wrote to memory of 2748	4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe	87
PID 4304 wrote to memory of 2748	4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe	87
PID 4304 wrote to memory of 2416	4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe	86
PID 4304 wrote to memory of 2416	4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe	86
PID 4304 wrote to memory of 2748	4304	ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe	87
PID 2748 wrote to memory of 2580	2748	WScript.exe	89
PID 2748 wrote to memory of 2580	2748	WScript.exe	89
PID 2748 wrote to memory of 2580	2748	WScript.exe	89
PID 2416 wrote to memory of 4976	2416	WScript.exe	90
PID 2416 wrote to memory of 4976	2416	WScript.exe	90
PID 2416 wrote to memory of 4976	2416	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe
"C:\Users\Admin\AppData\Local\Temp\ad07d4c625efba40ae35b69938060ae63e06e5514d50ec8a1440f80019c2cbe5.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
18020396bc39adf2cb1a4bca2315c9b3

SHA1
2aac2b27c6b050287112598093168ee23d88e90c

SHA256
b7730e2f44ef077ef270407249e45bf11d1554164c51d622f2b878ddea8b595b

SHA512
1867c40aa00e6db65bb66556a1d3c89914f30b7871a63449faf6f9eb356eeee719dacdf6a0e3c3336f401b81464bc5522d4ef9ec0450908eb1c9f646cc8e0dd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
70a666e57910f45f6be5e1a2ff3beb9d

SHA1
fc679056ada313ba2d56f69f7e49f0bb451c7471

SHA256
d7b1f2ae44ebc2b4bc77f4e01ecdcdd09474579316a8422d08232006848f232f

SHA512
6b5863aeb2a556705eef2b3c4ac12c0056be5319dc8df41d52274337605dd0e932203bb6d14d6a9453377bebba08cd9f56c073e085a3304e5b1c12d7f859e6df

Download Submit
memory/2580-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2580-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4304-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4304-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4976-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4976-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download