c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe
Size

1.1MB
MD5

9812e95215aed15de740ace8eede2357
SHA1

3aaa0bbbb9d512f6e63e4e5b2231bcd40582f910
SHA256

c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2
SHA512

d92e2961132d2b1e112ec5d0b5949f772eea736fe8f3753686e464f2f5aec56555c51d1667ee4b780c90ef348d5b898962b013b1cc95718e718142c88a657d22
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qp:acallSllG4ZM7QzMq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1128	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1128	svchcst.exe
4492	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe
4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe
4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe
4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe
4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe
4492	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
4492	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 320	4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe	86
PID 4512 wrote to memory of 320	4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe	86
PID 4512 wrote to memory of 320	4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe	86
PID 4512 wrote to memory of 3092	4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe	85
PID 4512 wrote to memory of 3092	4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe	85
PID 4512 wrote to memory of 3092	4512	c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe	85
PID 320 wrote to memory of 4492	320	WScript.exe	89
PID 320 wrote to memory of 4492	320	WScript.exe	89
PID 320 wrote to memory of 4492	320	WScript.exe	89
PID 3092 wrote to memory of 1128	3092	WScript.exe	88
PID 3092 wrote to memory of 1128	3092	WScript.exe	88
PID 3092 wrote to memory of 1128	3092	WScript.exe	88

C:\Users\Admin\AppData\Local\Temp\c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe
"C:\Users\Admin\AppData\Local\Temp\c91d512a7d7b08354012e6ba15e6d5f08c613cbcec6b48cddbca89f6650486a2.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1128
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
bc6b424c6827691a8d76506573317b97

SHA1
c6684cbde90b4375d24a521cb20f0d9fd9d66b88

SHA256
20e1fd6968a24b96121310f492fa53d2b56941be9b6a0bf0aa0e5d2e4b11694e

SHA512
69d70e55bb7d62a0b4976f2b80947238002ce62ad3de67f173044e82efb3e9fe7362d0503f924f85af5f1ea8970bed78abcdaad7ed48a623ab4e5b376753c8d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a2325b0e72a247838df6da4594ccf71a

SHA1
93e7bac4f2aecc6669521119572af1ab727bd729

SHA256
59b27516503955beedad5aa8daa5e2e42c64aea0e0093219772cceb1e513bcfc

SHA512
cceb0483e53e2306d6a079323555dbfe0faebb2d2266f61d504b26776a435560134c5e04750b8ae4179b4b0558a5092a9d4f7fce5feaa0defb309afa764c95c4

Download Submit
memory/1128-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1128-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4492-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4492-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4512-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4512-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download