Analysis Overview
SHA256
6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588eb
Threat Level: Shows suspicious behavior
The file 6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Checks computer location settings
Adds Run key to start application
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 10:27
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 10:27
Reported
2024-11-07 10:29
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2980 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2980 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2980 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2980 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | C:\Windows\SysWOW64\WScript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe
"C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
Network
| Country | Destination | Domain | Proto |
| CN | 123.249.45.239:9900 | | tcp |
| CN | 123.249.45.239:9900 | | tcp |
| CN | 123.249.45.239:9900 | | tcp |
| CN | 123.249.45.239:9900 | | tcp |
| CN | 123.249.45.239:9900 | | tcp |
| CN | 123.249.45.239:9900 | | tcp |
Files
memory/2980-0-0x0000000000400000-0x000000000054E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 1ad8d14bdca2c5d707f6f300e36e4eec |
| SHA1 | 8e1e1c7bc3c6c744a7611981b6a868901c1eca3b |
| SHA256 | 7630a9b1260b8a03d7c27520e3e395797b824c4391e4ea7b8e29e1d057995cbe |
| SHA512 | a57b1aaa29a9ee63d0a584a5659518aca335705884b6d98574a873af4faf82df5e1b6b1d793ad33607a9d5540be14c17004001d9742ab66c667212fa186ad5fd |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | d5a4690f6c616abb87f13dc81b1c83bc |
| SHA1 | 5fb2f5fa4952ecd6f4729f060188503146dd6e75 |
| SHA256 | 51d50c5d05e5082562a4eb2001097223bf0bbb7b4421606fc9e2b6aa0b155c1c |
| SHA512 | 1f3b2253b02d34cc212df96364b18dd03814af014be0d43a35abf75fe09da0b4d0e96bd6e45ee03524faac2ef4cbbf90caf784c6385ddbc3d88fbfc855f0926d |
memory/2980-15-0x0000000000400000-0x000000000054E000-memory.dmp
memory/2980-18-0x0000000000400000-0x000000000054E000-memory.dmp
memory/2980-21-0x0000000000400000-0x000000000054E000-memory.dmp
memory/2980-25-0x0000000000400000-0x000000000054E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
| MD5 | 0a09f354748324840a98a09a15172fb8 |
| SHA1 | 41dc1d5cb5f99590ea7b83516be4ca616707932a |
| SHA256 | 31a81ee87f0c6987d56d48ccac000d92e2a4efdb6b2f84787e9ef420d9f91c7d |
| SHA512 | f21a7c0f5f13285b5faa1fdaca04d15460d9b436eda4bb98a761bdb02b802f00c1c5727d84c97565891d317cd2dbc92ac370ecb8c248082a83a51558cd63bda8 |
memory/2980-28-0x0000000000400000-0x000000000054E000-memory.dmp
memory/2980-31-0x0000000000400000-0x000000000054E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 10:27
Reported
2024-11-07 10:29
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
116s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe
"C:\Users\Admin\AppData\Local\Temp\6e7d0ed3b46c8d0fe79c0cb8309600c04d28b1846990d2addc48e58c797588ebN.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| CN | 123.249.45.239:9900 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| CN | 123.249.45.239:9900 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| CN | 123.249.45.239:9900 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| CN | 123.249.45.239:9900 | | tcp |
| CN | 123.249.45.239:9900 | | tcp |
| CN | 123.249.45.239:9900 | | tcp |
Files
memory/1940-0-0x0000000000400000-0x000000000054E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 02c869d11dd3d594a128660ee4cedf9c |
| SHA1 | 0fa985c07c44e7803fa47c1508972dcf8e3b286c |
| SHA256 | c80331bc02c9f6d9f0d5811863a7b5bee2810029c72de5ee50c821b3bdc10e00 |
| SHA512 | 22eda3844cc4320eb9df3b04bd4fd7f7076c6bdca1e557635929154bda6cd5f83ca26ea1d0041b427e6738a2f1d60a002190c26170e9194d9d263a69fc057203 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 9fca337cf6fe723608c0bbd379af404e |
| SHA1 | b56dd405334b097102ffa2b4158d1eb6a10d52c7 |
| SHA256 | 7320fc0fff04016d800a6cc2523321f512235fd3ddd4f4857e69907608d475eb |
| SHA512 | 6fcd0775f83da7a558dd43917fd68224c5654f57158ac6856a88ceeb43a838ff04d36b1b22618c84ab4c3c2f201be655ff879a6379223c9e556da0e269f26d15 |
memory/1940-16-0x0000000000400000-0x000000000054E000-memory.dmp
memory/1940-19-0x0000000000400000-0x000000000054E000-memory.dmp
memory/1940-22-0x0000000000400000-0x000000000054E000-memory.dmp
memory/1940-26-0x0000000000400000-0x000000000054E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
| MD5 | 0a09f354748324840a98a09a15172fb8 |
| SHA1 | 41dc1d5cb5f99590ea7b83516be4ca616707932a |
| SHA256 | 31a81ee87f0c6987d56d48ccac000d92e2a4efdb6b2f84787e9ef420d9f91c7d |
| SHA512 | f21a7c0f5f13285b5faa1fdaca04d15460d9b436eda4bb98a761bdb02b802f00c1c5727d84c97565891d317cd2dbc92ac370ecb8c248082a83a51558cd63bda8 |
memory/1940-29-0x0000000000400000-0x000000000054E000-memory.dmp
memory/1940-32-0x0000000000400000-0x000000000054E000-memory.dmp