23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 20:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe
Size

1.1MB
MD5

9568267dabcdb29d3d7f345c3a2bb10e
SHA1

6582868df0a386cc776accbfc14ae3b066e4f1c2
SHA256

23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a
SHA512

7a75f247ec57493369519d2ba8553bd660534ed88541be44330d1a07427fe0c782584ca542139566b59de19b66448d2ff7095f13746169eeefa1ac9214298bb8
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qk:CcaClSFlG4ZM7QzMD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2656	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2656	svchcst.exe
2816	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe
1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe
1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe
1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe
1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe
2656	svchcst.exe
2656	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 4552	1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe	85
PID 1656 wrote to memory of 3564	1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe	86
PID 1656 wrote to memory of 3564	1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe	86
PID 1656 wrote to memory of 3564	1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe	86
PID 1656 wrote to memory of 4552	1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe	85
PID 1656 wrote to memory of 4552	1656	23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe	85
PID 4552 wrote to memory of 2656	4552	WScript.exe	94
PID 4552 wrote to memory of 2656	4552	WScript.exe	94
PID 4552 wrote to memory of 2656	4552	WScript.exe	94
PID 3564 wrote to memory of 2816	3564	WScript.exe	95
PID 3564 wrote to memory of 2816	3564	WScript.exe	95
PID 3564 wrote to memory of 2816	3564	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe
"C:\Users\Admin\AppData\Local\Temp\23f675521896993ee87f73c49588a27d2eebe7d8f44e57d5a7b93c74c87cc83a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ff1d3625911ca42a1b2d9dabec01042b

SHA1
cbd45a48fb3954af4968225c3fcd8f32ab156db6

SHA256
fa8b137b5e7e25823fbaccd1cff3924a43d99601f08e1dd2208f7c005563ed2b

SHA512
f7d94aa6ee83f04cc8adad6b95600e914d62ba010f8e0424c71a03aefc2d06a17cbe120fff389205a5f732aae5ddd921a5b170d56b5cb03ddcf8e8d1d28fed67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cf28bd9d6d6e5f26a523a184c970d96a

SHA1
01d58709e49147dbd0b7bc41a464de8309ff7d3d

SHA256
d64f4eb6ce481769d440f825beb74fa36adba4fbea318a421a9d6ac78d696b98

SHA512
0b1028d9eecb4414852fef3fd99e379a3eeb4ba1f9385e757f5ea0d439be2e95e43523f1beae45d08e7e863926a47b00e71de8ba726f05a8dddc30174795240e

Download Submit
memory/1656-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download