093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
Size

1.1MB
MD5

416665dc85736f7667e544e0aa830fda
SHA1

c602e02564cc3c6283aac2838ab40201b69f20d5
SHA256

093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2
SHA512

737bf453a1446c183642d16c87c50f3b1af9b0d93bb6aafca30525c0c4bcbb04739945e54eb7452cde0a1f7c5f211634623ab0a8521d384bf25d95316c47584b
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QQ:acallSllG4ZM7QzM3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
644	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
644	svchcst.exe
2352	svchcst.exe
2420	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe
644	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
644	svchcst.exe
644	svchcst.exe
2352	svchcst.exe
2352	svchcst.exe
2420	svchcst.exe
2420	svchcst.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 2968	3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe	88
PID 3992 wrote to memory of 2968	3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe	88
PID 3992 wrote to memory of 2968	3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe	88
PID 3992 wrote to memory of 1460	3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe	87
PID 3992 wrote to memory of 1460	3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe	87
PID 3992 wrote to memory of 1460	3992	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe	87
PID 1460 wrote to memory of 644	1460	WScript.exe	94
PID 1460 wrote to memory of 644	1460	WScript.exe	94
PID 1460 wrote to memory of 644	1460	WScript.exe	94
PID 644 wrote to memory of 1352	644	svchcst.exe	95
PID 644 wrote to memory of 1352	644	svchcst.exe	95
PID 644 wrote to memory of 1352	644	svchcst.exe	95
PID 644 wrote to memory of 1456	644	svchcst.exe	96
PID 644 wrote to memory of 1456	644	svchcst.exe	96
PID 644 wrote to memory of 1456	644	svchcst.exe	96
PID 1352 wrote to memory of 2352	1352	WScript.exe	99
PID 1352 wrote to memory of 2352	1352	WScript.exe	99
PID 1352 wrote to memory of 2352	1352	WScript.exe	99
PID 1456 wrote to memory of 2420	1456	WScript.exe	100
PID 1456 wrote to memory of 2420	1456	WScript.exe	100
PID 1456 wrote to memory of 2420	1456	WScript.exe	100

C:\Users\Admin\AppData\Local\Temp\093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
"C:\Users\Admin\AppData\Local\Temp\093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2352
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2420
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
cbcfddb745d33d8b880c26d0435da6de

SHA1
480ddb66f5a462cedca5539be8b16e070d3cb7a5

SHA256
7758f9b1c25ed3ca42d1084054b9680cac2dbb8fbc28d8cd1e1c1199b0efa2ab

SHA512
05e0ce06776d058492c1b942ada433f78f6237e36692593ee3d61146e0e1bd5ebb0089184d2338ba4e65c21c6e9265de261ef70b6ab850f05c1afed297be67ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d7899a98349c12cab8a9036d9a8b9bf3

SHA1
4995cafe7441661113132bb3a13c030df3a08186

SHA256
8d33ed65f124301dab741efd22c6deff5ac342738ee642a77498158e9457dd16

SHA512
a4a137746c91c7fb6e552af5e3ec2817ea39c4ab1b19a1cea012899cf64757051bd9b2d996809e594a1d2150a4a94600d9b782b3abe600a376ce621b1898935a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
68b7d400bf76f840ff6ef9cfa7bbf018

SHA1
96504219a9ea759817e44f866d8fce4ea66ce6ff

SHA256
f856c2314509d9c2d75d21c4448445115c20e0b1d9edb1d25fa6819e244dd0d0

SHA512
44369970f4879d42d09ac453994043e47b2b36477d0f7d210460ec66a6189fb93c5926f1e6ab29f8fc8ab827a49dd48da6ef6713cf157ffda9780a5abafe3e85

Download Submit
memory/644-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2352-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2352-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2420-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2420-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3992-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3992-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download