672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9

General

Target

672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
Size

745KB
MD5

117693e11a24c6ede9ec1d9df7c25be8
SHA1

0183377986b7608eaa3998e6098354c73772e49c
SHA256

672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9
SHA512

812ec76cce0ef203e65bf94f9e6b550f4f98ad5beab88df05157a2f67d10ae8b7afeb5c047cec29a5ad63062d34c04a28e93bc546ac7e871428bb5149b20571a
SSDEEP

12288:I5fftbKFi/se+UmC7v98vzokOa4zg8NGJlcgxSSXTetB+EcvACuV0o:I5fl+I/VH7v98vzokOacUlwSXC+EcvAz

Score

7^/10

discovery persistence vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe

Executes dropped EXE 1 IoCs

pid	Process
2220	svchcst.exe

VMProtect packed file 11 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3540-0-0x0000000000400000-0x000000000062E000-memory.dmp	vmprotect
behavioral2/memory/3540-1-0x0000000000400000-0x000000000062E000-memory.dmp	vmprotect
behavioral2/files/0x00040000000227b2-11.dat	vmprotect
behavioral2/memory/2220-22-0x0000000000400000-0x000000000062E000-memory.dmp	vmprotect
behavioral2/memory/3540-24-0x0000000000400000-0x000000000062E000-memory.dmp	vmprotect
behavioral2/memory/3540-28-0x0000000000400000-0x000000000062E000-memory.dmp	vmprotect
behavioral2/memory/3540-31-0x0000000000400000-0x000000000062E000-memory.dmp	vmprotect
behavioral2/memory/3540-35-0x0000000000400000-0x000000000062E000-memory.dmp	vmprotect
behavioral2/memory/3540-38-0x0000000000400000-0x000000000062E000-memory.dmp	vmprotect
behavioral2/memory/3540-41-0x0000000000400000-0x000000000062E000-memory.dmp	vmprotect
behavioral2/memory/3540-44-0x0000000000400000-0x000000000062E000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
2220	svchcst.exe
2220	svchcst.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 5532	3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe	89
PID 3540 wrote to memory of 5532	3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe	89
PID 3540 wrote to memory of 5532	3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe	89
PID 3540 wrote to memory of 4724	3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe	92
PID 3540 wrote to memory of 4724	3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe	92
PID 3540 wrote to memory of 4724	3540	672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe	92
PID 4460 wrote to memory of 2220	4460	cmd.exe	93
PID 4460 wrote to memory of 2220	4460	cmd.exe	93
PID 4460 wrote to memory of 2220	4460	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe
"C:\Users\Admin\AppData\Local\Temp\672aa1917fc0e2b6573a2e133c0471ea2166f65d06a16d4d35745d5e3c150ed9.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
de8ace08c54d964f6828781de2bb9c83

SHA1
a10ad1ccffa403977b263b625cbee4993260d9af

SHA256
d6d9a50a109f2243042dc7106af0d7297db4eddb8a26c3db54e9ba6a3b8b5be7

SHA512
d33970a8c40e71e0cf3bce9063e826b4bb8d5c6af0f907fa43e13bdc474e8f926d6c2d81a392d28f61aebe4ce91b6847a1ef9f64148c5ea252c7c32ae4e2cf68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
132061ba9a95393acb5caa356ca12e72

SHA1
558d20ac55b3ffa05deecc9473d691276e5e941e

SHA256
87958b20dfb1d4aa02a27219962c367b5bdc002a1a52e6f2a3075952967cf418

SHA512
000a454231b9e406eb23d25be48f3a0e728680078103127cc4e1c88cea5f8256cfad894e580487f6ace4abae27c9ce027a7b50325f2f81a6749479e62757f85e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
745KB

MD5
749328f37d69acaa2c7de0f40facc4eb

SHA1
4bae557fc42c1b61ac5db3f1e0c0346692cde391

SHA256
42bbb2716f311a9bd6387ef49395bd0ad1a341ecbf099fc0a66a624f48a09c89

SHA512
ed25db1a1a12cfd772d6156d878c091bb62e99ef202eb51bffb0e6bf046def1ef535c613f0a4bf920db1c4c07efd2bd15c5171bd8889bcc9afbde1459f959d24

Download Submit
memory/2220-22-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3540-0-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3540-24-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3540-28-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3540-31-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3540-35-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3540-1-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3540-38-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3540-41-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3540-44-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads