8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
Size

1.1MB
MD5

0726548110e97d62eca6baaf0568d904
SHA1

de55e77592dfcdcbbb5bd119adff8d7b664bdc91
SHA256

8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b
SHA512

ed33c1c9f5b2e1aeb1148e65f2ae58ba9c26cabe57612a862e1bb6fb6daa085762e8f87a44a7232877d1a6fe9f8104ba5ed333ab92950185f27c88ad72d031d4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QD:CcaClSFlG4ZM7QzME

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe

Deletes itself 1 IoCs

pid	Process
1008	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4452	svchcst.exe
1008	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
1008	svchcst.exe
1008	svchcst.exe
4452	svchcst.exe
4452	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 4560	2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe	87
PID 2232 wrote to memory of 4560	2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe	87
PID 2232 wrote to memory of 4560	2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe	87
PID 2232 wrote to memory of 3396	2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe	86
PID 2232 wrote to memory of 3396	2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe	86
PID 2232 wrote to memory of 3396	2232	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe	86
PID 4560 wrote to memory of 4452	4560	WScript.exe	95
PID 4560 wrote to memory of 4452	4560	WScript.exe	95
PID 4560 wrote to memory of 4452	4560	WScript.exe	95
PID 3396 wrote to memory of 1008	3396	WScript.exe	94
PID 3396 wrote to memory of 1008	3396	WScript.exe	94
PID 3396 wrote to memory of 1008	3396	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
"C:\Users\Admin\AppData\Local\Temp\8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
81a9bbc999ea5e8f55b43be0077c12f5

SHA1
ab5c841f3fdce138c246342cd9787b7597bd2a29

SHA256
8e51bbf5b2edf7f39792f5bfb9bf7a7bd9e7d23bc94e264197b979b10f585881

SHA512
a64e10d3b5a03c603317a29a4bfac61bc09c3866250a79d5d11ea986b820793406278f641aa4c002b905b305367ef3b426b381009875b655a9cc488cc7c84c92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
45c7720c0ee07f54d2735c7c365f2677

SHA1
6991309442a861ac9ac573604a020f4be72d493e

SHA256
b1dda62fa46bbd844bd28ebe9a980e5e43062be106a9a2a1bad31813f3d81f8a

SHA512
96d06dd1575ccb554b58512cc66c0f9a5043868caa2c75c4ffc417f3f6e75cb3cf61259afb184529dc3af2febf967fcd761a36941da41b095f4973047df4a99d

Download Submit
memory/2232-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download