249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 18:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
Size

1.1MB
MD5

afd34b911de8cf80608c8de4e86854f8
SHA1

8e7df120d04ae109f1882a7116851fb1732ec2a5
SHA256

249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa
SHA512

2886fd0e60b30e9e25b52ea7edd511b447b7d65719f81008917c06a6e3ab807fa65004697e45ca50687b853407056d69e890e0a106bf172bea37064c51f0b07f
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzM7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1664	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3840	svchcst.exe
1664	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
3840	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
3840	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 4492	4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe	87
PID 4380 wrote to memory of 4492	4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe	87
PID 4380 wrote to memory of 4492	4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe	87
PID 4380 wrote to memory of 3660	4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe	88
PID 4380 wrote to memory of 3660	4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe	88
PID 4380 wrote to memory of 3660	4380	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe	88
PID 4492 wrote to memory of 3840	4492	WScript.exe	90
PID 4492 wrote to memory of 3840	4492	WScript.exe	90
PID 4492 wrote to memory of 3840	4492	WScript.exe	90
PID 3660 wrote to memory of 1664	3660	WScript.exe	91
PID 3660 wrote to memory of 1664	3660	WScript.exe	91
PID 3660 wrote to memory of 1664	3660	WScript.exe	91

C:\Users\Admin\AppData\Local\Temp\249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
"C:\Users\Admin\AppData\Local\Temp\249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
f3320c1a6a76f4730f1a41d067402926

SHA1
cceef10753fd0ea0dba21eb7a0c85ad7fc6c78ff

SHA256
7eb5727ec5ca05d31903ffaeaabb311063bc0ff2b2c0e341c6252271cdb8e562

SHA512
e8745e0710784abd4b9b5d4033b49dc66a138e74f086d3f923fa12aaf1ae0001630d807e25bfac2f3136d22ab0b110ffd830923014fec6a0816023aecdc80d57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e1e96af45da95bee59dc50b2f83f071f

SHA1
8e61a8e647ef2be9084ef3a869e43d8d5139d856

SHA256
6cf3377fdcfa2fa9630aef8d138cd221d9e677626196b6221706859cf2043fac

SHA512
288b68b66572e92d853758fcbf23e87980a7f41e60762870904c132fba1042c89a47d2ed56d163aebe73565f70675a1a35e20106d297c02aa194cf449f2723f9

Download Submit
memory/1664-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1664-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3840-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3840-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4380-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4380-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download