0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347

Analysis

max time kernel
32s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
Size

1.1MB
MD5

2776c677ab8e79801a0d55a16dffb755
SHA1

0b5aa9e75ca8ffccf7d2d4aa883ae54f17aa793b
SHA256

0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347
SHA512

8e15a49488fba8f3c12f7186c4d85e52a3daa4a31e9294b6fa0cfb553114660c4a98a27798d3899501596de61d7befa9e4cec97910a348c228ffd381cf53d689
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qf:CcaClSFlG4ZM7QzMI

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2800	svchcst.exe

Executes dropped EXE 6 IoCs

pid	Process
2800	svchcst.exe
2344	svchcst.exe
2960	svchcst.exe
1688	svchcst.exe
2520	svchcst.exe
1060	svchcst.exe

Loads dropped DLL 9 IoCs

pid	Process
2712	WScript.exe
2712	WScript.exe
2652	WScript.exe
2652	WScript.exe
2964	WScript.exe
2248	WScript.exe
2008	WScript.exe
2008	WScript.exe
2248	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2224	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2224	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
2224	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
2800	svchcst.exe
2800	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2712	2224	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe	29
PID 2224 wrote to memory of 2712	2224	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe	29
PID 2224 wrote to memory of 2712	2224	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe	29
PID 2224 wrote to memory of 2712	2224	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe	29
PID 2712 wrote to memory of 2800	2712	WScript.exe	31
PID 2712 wrote to memory of 2800	2712	WScript.exe	31
PID 2712 wrote to memory of 2800	2712	WScript.exe	31
PID 2712 wrote to memory of 2800	2712	WScript.exe	31
PID 2800 wrote to memory of 2652	2800	svchcst.exe	32
PID 2800 wrote to memory of 2652	2800	svchcst.exe	32
PID 2800 wrote to memory of 2652	2800	svchcst.exe	32
PID 2800 wrote to memory of 2652	2800	svchcst.exe	32
PID 2800 wrote to memory of 2692	2800	svchcst.exe	33
PID 2800 wrote to memory of 2692	2800	svchcst.exe	33
PID 2800 wrote to memory of 2692	2800	svchcst.exe	33
PID 2800 wrote to memory of 2692	2800	svchcst.exe	33
PID 2652 wrote to memory of 2344	2652	WScript.exe	34
PID 2652 wrote to memory of 2344	2652	WScript.exe	34
PID 2652 wrote to memory of 2344	2652	WScript.exe	34
PID 2652 wrote to memory of 2344	2652	WScript.exe	34
PID 2344 wrote to memory of 2964	2344	svchcst.exe	35
PID 2344 wrote to memory of 2964	2344	svchcst.exe	35
PID 2344 wrote to memory of 2964	2344	svchcst.exe	35
PID 2344 wrote to memory of 2964	2344	svchcst.exe	35
PID 2964 wrote to memory of 2960	2964	WScript.exe	36
PID 2964 wrote to memory of 2960	2964	WScript.exe	36
PID 2964 wrote to memory of 2960	2964	WScript.exe	36
PID 2964 wrote to memory of 2960	2964	WScript.exe	36
PID 2960 wrote to memory of 2248	2960	svchcst.exe	37
PID 2960 wrote to memory of 2248	2960	svchcst.exe	37
PID 2960 wrote to memory of 2248	2960	svchcst.exe	37
PID 2960 wrote to memory of 2248	2960	svchcst.exe	37
PID 2248 wrote to memory of 1688	2248	WScript.exe	38
PID 2248 wrote to memory of 1688	2248	WScript.exe	38
PID 2248 wrote to memory of 1688	2248	WScript.exe	38
PID 2248 wrote to memory of 1688	2248	WScript.exe	38
PID 1688 wrote to memory of 2008	1688	svchcst.exe	39
PID 1688 wrote to memory of 2008	1688	svchcst.exe	39
PID 1688 wrote to memory of 2008	1688	svchcst.exe	39
PID 1688 wrote to memory of 2008	1688	svchcst.exe	39
PID 2008 wrote to memory of 2520	2008	WScript.exe	40
PID 2008 wrote to memory of 2520	2008	WScript.exe	40
PID 2008 wrote to memory of 2520	2008	WScript.exe	40
PID 2008 wrote to memory of 2520	2008	WScript.exe	40
PID 2248 wrote to memory of 1060	2248	WScript.exe	41
PID 2248 wrote to memory of 1060	2248	WScript.exe	41
PID 2248 wrote to memory of 1060	2248	WScript.exe	41
PID 2248 wrote to memory of 1060	2248	WScript.exe	41

C:\Users\Admin\AppData\Local\Temp\0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
"C:\Users\Admin\AppData\Local\Temp\0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1060
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
fd385852946bf4105186e88d22994075

SHA1
4e9b4da2f6a2c0db97c34b57322d718dc49695fc

SHA256
ad11487e0da169a8c63f7b87b8b22a4e87f42af971b5d2e03c2f1f81dfad249d

SHA512
452867bad71bf4f5057f5a5dd06505fdaf720be88e385f8bd2785436bfd2123a7d849fb5a10c4f25558c37272ca2e3820f9abe139ea05701ce2b2fe93524a104

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ad7007ed9542468662553e405df66821

SHA1
757c5ee287a113d689f2d370176fcf9c9e1223a3

SHA256
12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

SHA512
812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7a01dad1af2b3e0327e1d352436bbcd7

SHA1
10612930777b11e8edeb9bd33c74a6a2404c9d6b

SHA256
185fe22d4d1af7aee3fd8cf94dcfe20c5daf320764d2c96c2ad5f2cff4cd1655

SHA512
1fee128690213b1ffd6c1f95d9894f52c2b0374ca99b16795028fab6b364298c1d678c3f92775c410c0fe7a1a71a33d3db5635e5bb6c71449feb60c9f5316616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
10446ede5c5453f9b654ea3e34045426

SHA1
28d00f0dc679bd7041e090975be7173699ea8300

SHA256
880664d94df92dc818961aab93989d3b61e54f373a7828dfc28bd3fbe947431f

SHA512
e726a3a61968bcd450e88ef77b9b8719200ce617b42316401c0d047c78d629b3c04e01c7bae2c9b8c9d62f7102fdedc63a9c58103c035a2223218f24d26a0b8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f9e8976b0f859edf24a7adff1fc7d284

SHA1
99a0e82342867c32c721a72f928d5b9fedd4b3f6

SHA256
640e207c278d6a619d8d91c2efa0401256518298587f85d7c03e57f8ff87ce4f

SHA512
bd02671cf4a9d8ab6696f003e8b8eefa3d4a76a0d724bfaa17a1ba4d33c9136086636a024f9943bda530e8c6c8f32537cf1d605347dbb3f13e5dcda400a4fa19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fc4d1291c634aeb080a714fb6b34a648

SHA1
a3ea1a68450c8610f6616441f43d5512dd246126

SHA256
e317dcfe0be99a920ad2f575248c75e06806ed6a578d1e62ff00b92020a1a701

SHA512
9cbbfbbe3974846480bc7aac67197fe843539b839c103f1cff127fa7ed7b11fededde4314d6e9ba52472e681bfec85e2555c33b00d24084dfa77f76673efaf15

Download Submit
memory/2224-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download