9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
Size

1.1MB
MD5

246ac5b65eb0805c6710ecb0f6779693
SHA1

86d9c2ee11163e3699d0e1e0136bc2c3ef49e594
SHA256

9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6
SHA512

91285b80dd99caa82ffdc0cfbbd198f738ea776767856632e971b7c0da0c5e099ee68a68d9fdeb1ac6006cf13e89b696d19561d60b2496f2f228aaee1f868add
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q7:CcaClSFlG4ZM7QzM8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3888	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3888	svchcst.exe
2272	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
2272	svchcst.exe
2272	svchcst.exe
3888	svchcst.exe
3888	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2548	1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe	87
PID 1252 wrote to memory of 2548	1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe	87
PID 1252 wrote to memory of 2548	1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe	87
PID 1252 wrote to memory of 2084	1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe	86
PID 1252 wrote to memory of 2084	1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe	86
PID 1252 wrote to memory of 2084	1252	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe	86
PID 2084 wrote to memory of 3888	2084	WScript.exe	89
PID 2084 wrote to memory of 3888	2084	WScript.exe	89
PID 2084 wrote to memory of 3888	2084	WScript.exe	89
PID 2548 wrote to memory of 2272	2548	WScript.exe	90
PID 2548 wrote to memory of 2272	2548	WScript.exe	90
PID 2548 wrote to memory of 2272	2548	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
"C:\Users\Admin\AppData\Local\Temp\9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a62131f2fc9fda6c3da75b896401cacb

SHA1
d8b721c927ceffd4c6ed9977fc485f254f0e6438

SHA256
d12248791dee3fa4fbcd3bb9db984ba04be358365716a9ae94fcd053b430c567

SHA512
4fc0bac13ef19c9942026416900556696ecd54a34245780654f90a444e273aa429de6d31319615d0b69bccff6498b77d9ea236528e9c38ee712e5e62ac2daeef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
648f6a2c264356c5ddf3c3267436c141

SHA1
fe5cb76da22bdc2b3f066077be2ff52d7de6d90c

SHA256
9b20133740ec8a076898c465da5edd5d6ff96055c679ecc68f597aa4239dbf6c

SHA512
14b0056316b9a11d30e7572a7f9c56936ab3885f6ae35a47040a47b65c902728d5e775f69e8864193d686daf2f28eb5f07c7f079727b3fe15740a0e17486c687

Download Submit
memory/1252-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download