5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f

Analysis

max time kernel
138s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f.exe
Size

1.1MB
MD5

b2bff650571bb932c61c6fd98bc5e494
SHA1

b7948104b5a3666c306a5ccbcddda30443ac6d63
SHA256

5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f
SHA512

f08f871201056ef1a96e259175123d0cdbf667f0ba5b58f7e9f77cccb013882ddb6299ed14a75504f7a571696bc8489b639ca6a7ca18a377ae34bc035b1adc18
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QU:CcaClSFlG4ZM7QzMj

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1644	svchcst.exe

Executes dropped EXE 32 IoCs

pid	Process
2760	svchcst.exe
2800	svchcst.exe
2640	svchcst.exe
2916	svchcst.exe
2820	svchcst.exe
2860	svchcst.exe
2620	svchcst.exe
2688	svchcst.exe
3068	svchcst.exe
3032	svchcst.exe
684	svchcst.exe
1644	svchcst.exe
2888	svchcst.exe
2264	svchcst.exe
1340	svchcst.exe
2428	svchcst.exe
2340	svchcst.exe
2768	svchcst.exe
3068	svchcst.exe
1316	svchcst.exe
1600	svchcst.exe
1744	svchcst.exe
1344	svchcst.exe
1708	svchcst.exe
2144	svchcst.exe
2720	svchcst.exe
2684	svchcst.exe
2620	svchcst.exe
1476	svchcst.exe
2868	svchcst.exe
2500	svchcst.exe
968	svchcst.exe

Loads dropped DLL 48 IoCs

pid	Process
2108	WScript.exe
2108	WScript.exe
2108	WScript.exe
2108	WScript.exe
2108	WScript.exe
2108	WScript.exe
2108	WScript.exe
2108	WScript.exe
2108	WScript.exe
2108	WScript.exe
2108	WScript.exe
2108	WScript.exe
2108	WScript.exe
2108	WScript.exe
320	WScript.exe
320	WScript.exe
2904	WScript.exe
408	WScript.exe
408	WScript.exe
2384	WScript.exe
2384	WScript.exe
2088	WScript.exe
2652	WScript.exe
2652	WScript.exe
2680	WScript.exe
2680	WScript.exe
2112	WScript.exe
2112	WScript.exe
1004	WScript.exe
1004	WScript.exe
1608	WScript.exe
1608	WScript.exe
2084	WScript.exe
2084	WScript.exe
2416	WScript.exe
2416	WScript.exe
2040	WScript.exe
2040	WScript.exe
1820	WScript.exe
1820	WScript.exe
1272	WScript.exe
1272	WScript.exe
1560	WScript.exe
1560	WScript.exe
1908	WScript.exe
1908	WScript.exe
2484	WScript.exe
2484	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2120	5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2120	5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2120	5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f.exe
2120	5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f.exe
2760	svchcst.exe
2760	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
684	svchcst.exe
684	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
1340	svchcst.exe
1340	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2340	svchcst.exe
2340	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
1316	svchcst.exe
1316	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1744	svchcst.exe
1744	svchcst.exe
1344	svchcst.exe
1344	svchcst.exe
1708	svchcst.exe
1708	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
1476	svchcst.exe
1476	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2108	2120	5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f.exe	30
PID 2120 wrote to memory of 2108	2120	5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f.exe	30
PID 2120 wrote to memory of 2108	2120	5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f.exe	30
PID 2120 wrote to memory of 2108	2120	5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f.exe	30
PID 2108 wrote to memory of 2760	2108	WScript.exe	32
PID 2108 wrote to memory of 2760	2108	WScript.exe	32
PID 2108 wrote to memory of 2760	2108	WScript.exe	32
PID 2108 wrote to memory of 2760	2108	WScript.exe	32
PID 2108 wrote to memory of 2800	2108	WScript.exe	33
PID 2108 wrote to memory of 2800	2108	WScript.exe	33
PID 2108 wrote to memory of 2800	2108	WScript.exe	33
PID 2108 wrote to memory of 2800	2108	WScript.exe	33
PID 2108 wrote to memory of 2640	2108	WScript.exe	34
PID 2108 wrote to memory of 2640	2108	WScript.exe	34
PID 2108 wrote to memory of 2640	2108	WScript.exe	34
PID 2108 wrote to memory of 2640	2108	WScript.exe	34
PID 2108 wrote to memory of 2916	2108	WScript.exe	35
PID 2108 wrote to memory of 2916	2108	WScript.exe	35
PID 2108 wrote to memory of 2916	2108	WScript.exe	35
PID 2108 wrote to memory of 2916	2108	WScript.exe	35
PID 2108 wrote to memory of 2820	2108	WScript.exe	36
PID 2108 wrote to memory of 2820	2108	WScript.exe	36
PID 2108 wrote to memory of 2820	2108	WScript.exe	36
PID 2108 wrote to memory of 2820	2108	WScript.exe	36
PID 2108 wrote to memory of 2860	2108	WScript.exe	37
PID 2108 wrote to memory of 2860	2108	WScript.exe	37
PID 2108 wrote to memory of 2860	2108	WScript.exe	37
PID 2108 wrote to memory of 2860	2108	WScript.exe	37
PID 2108 wrote to memory of 2620	2108	WScript.exe	38
PID 2108 wrote to memory of 2620	2108	WScript.exe	38
PID 2108 wrote to memory of 2620	2108	WScript.exe	38
PID 2108 wrote to memory of 2620	2108	WScript.exe	38
PID 2108 wrote to memory of 2688	2108	WScript.exe	39
PID 2108 wrote to memory of 2688	2108	WScript.exe	39
PID 2108 wrote to memory of 2688	2108	WScript.exe	39
PID 2108 wrote to memory of 2688	2108	WScript.exe	39
PID 2108 wrote to memory of 3068	2108	WScript.exe	40
PID 2108 wrote to memory of 3068	2108	WScript.exe	40
PID 2108 wrote to memory of 3068	2108	WScript.exe	40
PID 2108 wrote to memory of 3068	2108	WScript.exe	40
PID 2108 wrote to memory of 3032	2108	WScript.exe	41
PID 2108 wrote to memory of 3032	2108	WScript.exe	41
PID 2108 wrote to memory of 3032	2108	WScript.exe	41
PID 2108 wrote to memory of 3032	2108	WScript.exe	41
PID 2108 wrote to memory of 684	2108	WScript.exe	42
PID 2108 wrote to memory of 684	2108	WScript.exe	42
PID 2108 wrote to memory of 684	2108	WScript.exe	42
PID 2108 wrote to memory of 684	2108	WScript.exe	42
PID 2108 wrote to memory of 1644	2108	WScript.exe	43
PID 2108 wrote to memory of 1644	2108	WScript.exe	43
PID 2108 wrote to memory of 1644	2108	WScript.exe	43
PID 2108 wrote to memory of 1644	2108	WScript.exe	43
PID 1644 wrote to memory of 320	1644	svchcst.exe	44
PID 1644 wrote to memory of 320	1644	svchcst.exe	44
PID 1644 wrote to memory of 320	1644	svchcst.exe	44
PID 1644 wrote to memory of 320	1644	svchcst.exe	44
PID 320 wrote to memory of 2888	320	WScript.exe	46
PID 320 wrote to memory of 2888	320	WScript.exe	46
PID 320 wrote to memory of 2888	320	WScript.exe	46
PID 320 wrote to memory of 2888	320	WScript.exe	46
PID 2888 wrote to memory of 2904	2888	svchcst.exe	47
PID 2888 wrote to memory of 2904	2888	svchcst.exe	47
PID 2888 wrote to memory of 2904	2888	svchcst.exe	47
PID 2888 wrote to memory of 2904	2888	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f.exe
"C:\Users\Admin\AppData\Local\Temp\5733afee02c5008be9ed72dfc9314d580aaa206e32ee0bc08975ac8bf584d79f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2800
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2640
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2916
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2820
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2860
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2688
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3068
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3032
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:684
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ccd7cd5240bc1d9f00b19a7129ae2c9c

SHA1
745e8cff0074a87f21ad3f6da9a03ebb91e4b1ff

SHA256
5577e43fb37493e74fd142d08cc4403007bd58796a050d7f82eb11bab4d064c6

SHA512
e719a3448ede337060e6bfc5273d83bcfbb3e6db597afb4d94712873ddc4bfbcb64bd92c2d2481ddf6db4fb611473dd2cad29b5a6cd4e2175261c12dc59c8207

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03f68343f5906993640e0b9e3f9c7964

SHA1
699e9c3fda1aa89e7a47ac8b77b41178c99cc8e2

SHA256
dd2d5bf380874e81adc5e05b667047dcf1b6c8a8953068fb177053e20c35f727

SHA512
76de9e035c0ad6ee3237006749fd28ee93a6fcd09700e265aaea432f7d2292aac87f0799221559caacd6dd58ff72af17d67627aace77bd2a36a802bbdc88b99c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c06e950c1a9e9b7b973230e88460c7b6

SHA1
3437c40a22bc36a26e122dbcf2d24557da174e1d

SHA256
5e8c538a8617435d4a85063c3f12d45eefad859cc25efc6e8f60de1403b784af

SHA512
22cfde0c430c8d864d7f3b06f4f3f2c53fe7be8ba96a0fec6c2bfc68b777c517bd942badcf1216aeed397e6915b6065107452b7e4ab08e765955a98d12881c52

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5fda9fb323105f7b7947016a2f448ea6

SHA1
55ec474d05c70039ae385544f42a89d7ac6307f9

SHA256
b2cef87c2f4b8509b9c255796933ef51e98cc0045626599eac8e6c43548e96f9

SHA512
62d721a53d35f96fc198223552b6a38855b112440636b83ed08e7a7bcec0071b4b819721547a6ea7d64894616fc25e86271074e32a65465918abea9086f9943a

Download Submit
memory/2120-33-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download