871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0

Analysis

max time kernel
92s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
Size

1.1MB
MD5

8e30ac29fd4bf3562bbd8792c2abda79
SHA1

6718f17a36f532e62ddb47f834ff410d8ec98d93
SHA256

871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0
SHA512

16c7e090927e6ed67df735e7ca03213d2a82483092b268e36174da66c9aeac95deac02e191b6e5d794e28e08b2c6b65ee5b33dfea0ca89f16e2dde128a355bb6
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q1:acallSllG4ZM7QzMO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
952	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
952	svchcst.exe
4880	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe
952	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
952	svchcst.exe
952	svchcst.exe
4880	svchcst.exe
4880	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 4572	4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe	87
PID 4372 wrote to memory of 4572	4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe	87
PID 4372 wrote to memory of 4572	4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe	87
PID 4372 wrote to memory of 3960	4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe	86
PID 4372 wrote to memory of 3960	4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe	86
PID 4372 wrote to memory of 3960	4372	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe	86
PID 3960 wrote to memory of 952	3960	WScript.exe	95
PID 3960 wrote to memory of 952	3960	WScript.exe	95
PID 3960 wrote to memory of 952	3960	WScript.exe	95
PID 4572 wrote to memory of 4880	4572	WScript.exe	94
PID 4572 wrote to memory of 4880	4572	WScript.exe	94
PID 4572 wrote to memory of 4880	4572	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
"C:\Users\Admin\AppData\Local\Temp\871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
fd1df595880bc2fb66dc38e4c16f164b

SHA1
eef4420678a86acfbe54415cea1c0251a6a5a3f0

SHA256
3ffb1e8697082ba21ef804414f0d11e490abfcfd85f9672ecffdfea34c13da94

SHA512
8d5720bcd56a0b1e951330f65fba72648b310480cb2af956effc059d1cc2db8eea3eb321a8c2d3f885cd9ab65cd455b8c0e4f83e5ed94974a020796a7e618d8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4026e4fbaf8da383414bab7fda3f3223

SHA1
1a5c5bc5c4bd3dafd2322c58f3fec136857cb03d

SHA256
132f718bf6c6f43d7e1a024bd3227a82b3a05256435e301fe9af6f92785d0497

SHA512
2c175f1390dd002a43530b9fb03367daecaf7db72086f455aa7595fb5d36591fed0887a04a0ae68695417bbad642d5df5d5ec09c3c0e3ce088f247dc2dded9fa

Download Submit
memory/952-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/952-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4372-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4372-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4880-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download