3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23

Analysis

max time kernel
93s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
Size

1.1MB
MD5

5712aed5bdd1a99bdea6bbac170dedf2
SHA1

c5fc9906d4d6bc1ed520b28f074847426f43a519
SHA256

3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23
SHA512

884e89a4b44a0415477e309421fa48e1ea76141cc67a23efcdef394dff2128bf55dd067c82d3d1bdc4d3ad63fc66281b8c47d6d243067c9bc08c5d867513464b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QP:CcaClSFlG4ZM7QzM4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
5072	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
816	svchcst.exe
5072	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe
5072	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
816	svchcst.exe
5072	svchcst.exe
816	svchcst.exe
5072	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 5100	1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe	87
PID 1104 wrote to memory of 5100	1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe	87
PID 1104 wrote to memory of 5100	1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe	87
PID 1104 wrote to memory of 4816	1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe	86
PID 1104 wrote to memory of 4816	1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe	86
PID 1104 wrote to memory of 4816	1104	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe	86
PID 4816 wrote to memory of 816	4816	WScript.exe	89
PID 4816 wrote to memory of 816	4816	WScript.exe	89
PID 4816 wrote to memory of 816	4816	WScript.exe	89
PID 5100 wrote to memory of 5072	5100	WScript.exe	90
PID 5100 wrote to memory of 5072	5100	WScript.exe	90
PID 5100 wrote to memory of 5072	5100	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
"C:\Users\Admin\AppData\Local\Temp\3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b2a6a97f056f3f930203a684d41b70b7

SHA1
5b30a45fb0ee3efe47fd23f14a5f7b0d1aaa5884

SHA256
920a41ab0463c8ff919df745a40004dbc8273a934aacaa7506a41d17ba129c3d

SHA512
a03e7c5ea0041b41127a093f6b11f427f835e9be8e5a4aba6d5464b1ec5749ebde9021d924332c88827e4f47c4883cb1bef977207ee12a16bea423bcd8587750

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d1738b4e1fd3c05df362f9d5f76001e3

SHA1
22c47679f34572f9fbe85c2111215928e044bd5f

SHA256
864155e260f531e4bb8f28919f6313f641347af7759831f10ad842fdfdf660c8

SHA512
ac5cdf5943c39e82cbe165d839d8424533a2eaee97ead27978eca83528bbcc6cc7e498bbfc97b851bd785f677b7c10da0089dc0b25c827f51172e115137a4863

Download Submit
memory/1104-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download