7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea

Analysis

max time kernel
93s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe
Size

1.1MB
MD5

eb906ce057f17f552d4e6477c03cbe61
SHA1

073cccfc9ee1bde6a924fbf1a09ce467181c843f
SHA256

7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea
SHA512

e96887ad7dfa5378ef1e716203d233d56d33690e7b0f27a50a1b45e5b0e8293252129fb466b810d11ebfa703edd208aae7439c17aa1c2b98ae91f9a94a90e8df
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qd:CcaClSFlG4ZM7QzMG

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe

Deletes itself 1 IoCs

pid	Process
2600	svchcst.exe

Executes dropped EXE 16 IoCs

pid	Process
4912	svchcst.exe
4880	svchcst.exe
4508	svchcst.exe
2284	svchcst.exe
4944	svchcst.exe
3464	svchcst.exe
2148	svchcst.exe
5040	svchcst.exe
2932	svchcst.exe
2140	svchcst.exe
4112	svchcst.exe
316	svchcst.exe
4176	svchcst.exe
4564	svchcst.exe
2600	svchcst.exe
3444	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe
4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe
4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe
4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe
4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe
4912	svchcst.exe
4912	svchcst.exe
4880	svchcst.exe
4880	svchcst.exe
4508	svchcst.exe
4508	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
4944	svchcst.exe
3464	svchcst.exe
4944	svchcst.exe
3464	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
4112	svchcst.exe
4112	svchcst.exe
316	svchcst.exe
316	svchcst.exe
4176	svchcst.exe
4176	svchcst.exe
4564	svchcst.exe
4564	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
3444	svchcst.exe
3444	svchcst.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2000	4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe	87
PID 4164 wrote to memory of 1548	4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe	86
PID 4164 wrote to memory of 2000	4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe	87
PID 4164 wrote to memory of 1548	4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe	86
PID 4164 wrote to memory of 2000	4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe	87
PID 4164 wrote to memory of 1548	4164	7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe	86
PID 1548 wrote to memory of 4912	1548	WScript.exe	89
PID 1548 wrote to memory of 4912	1548	WScript.exe	89
PID 1548 wrote to memory of 4912	1548	WScript.exe	89
PID 2000 wrote to memory of 4880	2000	WScript.exe	90
PID 2000 wrote to memory of 4880	2000	WScript.exe	90
PID 2000 wrote to memory of 4880	2000	WScript.exe	90
PID 1548 wrote to memory of 4508	1548	WScript.exe	91
PID 1548 wrote to memory of 4508	1548	WScript.exe	91
PID 1548 wrote to memory of 4508	1548	WScript.exe	91
PID 2000 wrote to memory of 2284	2000	WScript.exe	92
PID 2000 wrote to memory of 2284	2000	WScript.exe	92
PID 2000 wrote to memory of 2284	2000	WScript.exe	92
PID 1548 wrote to memory of 4944	1548	WScript.exe	93
PID 1548 wrote to memory of 4944	1548	WScript.exe	93
PID 1548 wrote to memory of 4944	1548	WScript.exe	93
PID 2000 wrote to memory of 3464	2000	WScript.exe	94
PID 2000 wrote to memory of 3464	2000	WScript.exe	94
PID 2000 wrote to memory of 3464	2000	WScript.exe	94
PID 1548 wrote to memory of 2148	1548	WScript.exe	95
PID 1548 wrote to memory of 2148	1548	WScript.exe	95
PID 1548 wrote to memory of 2148	1548	WScript.exe	95
PID 2000 wrote to memory of 5040	2000	WScript.exe	96
PID 2000 wrote to memory of 5040	2000	WScript.exe	96
PID 2000 wrote to memory of 5040	2000	WScript.exe	96
PID 1548 wrote to memory of 2932	1548	WScript.exe	97
PID 1548 wrote to memory of 2932	1548	WScript.exe	97
PID 1548 wrote to memory of 2932	1548	WScript.exe	97
PID 2000 wrote to memory of 2140	2000	WScript.exe	98
PID 2000 wrote to memory of 2140	2000	WScript.exe	98
PID 2000 wrote to memory of 2140	2000	WScript.exe	98
PID 1548 wrote to memory of 4112	1548	WScript.exe	99
PID 1548 wrote to memory of 4112	1548	WScript.exe	99
PID 1548 wrote to memory of 4112	1548	WScript.exe	99
PID 2000 wrote to memory of 316	2000	WScript.exe	100
PID 2000 wrote to memory of 316	2000	WScript.exe	100
PID 2000 wrote to memory of 316	2000	WScript.exe	100
PID 1548 wrote to memory of 4176	1548	WScript.exe	101
PID 1548 wrote to memory of 4176	1548	WScript.exe	101
PID 1548 wrote to memory of 4176	1548	WScript.exe	101
PID 2000 wrote to memory of 4564	2000	WScript.exe	102
PID 2000 wrote to memory of 4564	2000	WScript.exe	102
PID 2000 wrote to memory of 4564	2000	WScript.exe	102
PID 1548 wrote to memory of 2600	1548	WScript.exe	103
PID 1548 wrote to memory of 2600	1548	WScript.exe	103
PID 1548 wrote to memory of 2600	1548	WScript.exe	103
PID 2000 wrote to memory of 3444	2000	WScript.exe	104
PID 2000 wrote to memory of 3444	2000	WScript.exe	104
PID 2000 wrote to memory of 3444	2000	WScript.exe	104

C:\Users\Admin\AppData\Local\Temp\7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe
"C:\Users\Admin\AppData\Local\Temp\7ca5bc89a7d5d3008494d74d1a4373fad7944214a5006860442564e1eb8a1dea.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4912
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4508
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4944
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2148
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2932
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4112
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4176
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4880
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2284
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3464
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5040
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2140
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:316
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4564
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c49c2645b64abe9cda9ed95117944d10

SHA1
ddbbc4a2d115dec6ff46a6d73943e6b808646cb6

SHA256
2eac917ea6e03816eff5f8d9e37f2afe40d485ce1c3bf25e9ccf23a6d4261846

SHA512
fb0ea5ac75c7ee9b8de68a389802a85b1684f4785faf3144a3128e51d2a232d2004da98dbd5adea3efb4a0df43f999384205f24d14caa38d6692ca67c95dec66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
886ca2a3271862e9f122f55cd7635da6

SHA1
17a9f63f90f20413d25863d10c01e54dd0a0a911

SHA256
bf7941b280947c448e1dee8c0272e56699500feca63ee683c1ff92e7b82da921

SHA512
62fcddb8d7d46223d7334c577823cbd25305377633e818e11a99f4ef9453c784afaf3f3e2f5093cffa117ab75c4c348c80b6a44f6a588e7e55a34091e038450e

Download Submit
memory/4164-27-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download