381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c

Analysis

max time kernel
126s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 22:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe
Size

1.1MB
MD5

41865b6693a654578ab1e860b6148b1b
SHA1

6f997a3d9964442ada990aa88337f9f5006b0e3d
SHA256

381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c
SHA512

d55fa6f0d6ffabe182e5d408c76903ca028a9e9387d6c955f952049795221d310d00c38bd0c6c38f3589f4c9700e51830ef54ca1245c036fd6f5625d84dcc5e0
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qb:CcaClSFlG4ZM7QzMM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe

Deletes itself 1 IoCs

pid	Process
2392	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1756	svchcst.exe
2392	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe
1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe
1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe
1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe
1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe
1756	svchcst.exe
2392	svchcst.exe
1756	svchcst.exe
2392	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1092	1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe	86
PID 1596 wrote to memory of 1092	1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe	86
PID 1596 wrote to memory of 1092	1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe	86
PID 1596 wrote to memory of 1072	1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe	87
PID 1596 wrote to memory of 1072	1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe	87
PID 1596 wrote to memory of 1072	1596	381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe	87
PID 1092 wrote to memory of 1756	1092	WScript.exe	89
PID 1092 wrote to memory of 1756	1092	WScript.exe	89
PID 1092 wrote to memory of 1756	1092	WScript.exe	89
PID 1072 wrote to memory of 2392	1072	WScript.exe	90
PID 1072 wrote to memory of 2392	1072	WScript.exe	90
PID 1072 wrote to memory of 2392	1072	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe
"C:\Users\Admin\AppData\Local\Temp\381aacc814aa791a1f279689e86e1a719bf703a7f81c7f3d6cd299a6e059d48c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
90b2de8ebefa1872501bb890252f586c

SHA1
e5eb0717e54cf7fe7f6e1107193c0032c371365c

SHA256
8981f305a6342a32c774c309f07ad7b2b8e9605215f0578eb490a47b0e1681c1

SHA512
42068f1b9de955afc74e78aea1340270a9c6d3b5269de3b9e84614d9a16090d583adb99b5eeee145dc731c6998f2451bd033b89a2fb9efd895b26b28e72963f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
78637c767c8fb15554ca7c4f29596ee6

SHA1
67240e76b4e2d2d09cb221f815e786d880789cf4

SHA256
0a13d59c25af057a53a93bbf27a6191ef4882e3bf1930c1c23b8c1cdd665ad31

SHA512
b296b71fe08e5d8e4d6b040c3b15b567bf2e8ed62815c62c3c95edc01b36ac0331e3be27c26ba81c9e5043df8837b01fcb572e9181411de49d968707806d6e27

Download Submit
memory/1596-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download