11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8

General

Target

11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe
Size

1.1MB
MD5

ea70886e83770e19d38ca5a949e0bb51
SHA1

d357f7cab0cbca4ba61d9d7247c801464ebb52cf
SHA256

11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8
SHA512

3417dd69c7e1a6e9ae3a81f596452266a5d7b3f546ea48d60790f1dabd9e9b990780a620b4ad6e7497214922f41bb84b4ad424c1f822324fb70037c61d9c5609
SSDEEP

24576:4qg8zeKPja85nd0T9RAN0P30mqym6hzsGoRlG4qqjwg1mRWRu1:44zeI/0XqymkulG4qmxmiu1

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe
2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2760	2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe	30
PID 2208 wrote to memory of 2760	2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe	30
PID 2208 wrote to memory of 2760	2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe	30
PID 2208 wrote to memory of 2760	2208	11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe	30

C:\Users\Admin\AppData\Local\Temp\11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe
"C:\Users\Admin\AppData\Local\Temp\11604a6c8405d73c946f32f36aca33025fcb2a77ed50ab26a4b2197ad8ab8dd8.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
5611518085f0e601b7af262b73ca1e21

SHA1
679e284b4e15030b11e9fcab9e54090f6128c6c2

SHA256
8e59e3dc5427519534af0cfb2713d94388d03240f4f6d2c9ec6a13db1d9812ab

SHA512
0fc4c396d00386c7942366bab8bf30b59723f4a8b0d5bfe00dbc4a74df13acb68cd6616694a81de199bcd2409ff41b6dcaca931614165deefadd728350c52bcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
865d3b5e2ecfe05fd08b416493ad1033

SHA1
5ce7caef99646ee80a75b61095f728539f92484e

SHA256
27e085e3d1e962e9137220a14be5dc2816af4508f2dfed8ed97e9327f8e081cd

SHA512
54a3b53a4cac0cbb220bfab5043e47efd5882a9c5e4166304b845136c9148992629d76058222d831111e58817c581929c5cdfbe83a1988b78a8ae8d3cfd178e5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3e1bede2f1c64eb0d394dbfe98401045

SHA1
105b0d04ea57b45d08bab22ab3e56b04f13c2dac

SHA256
5f9a1e9bad404d789cb42459f926731d6ae7e64e035760bffb4f25cbfaacaa08

SHA512
dd06de385712a7c1e4515ac4dc5c02c00cbb5eff4712411f26da1017c64d4cb1c7da6c536f9a99978addc5837500f3849e3e7b55e62e5b10b61b104055e7368e

Download Submit
memory/2208-15-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2208-0-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2208-16-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2208-19-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2208-20-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2208-21-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2208-25-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2208-28-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2208-32-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2208-1-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2208-35-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2208-38-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2208-41-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads