0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347

Analysis

max time kernel
91s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
Size

1.1MB
MD5

2776c677ab8e79801a0d55a16dffb755
SHA1

0b5aa9e75ca8ffccf7d2d4aa883ae54f17aa793b
SHA256

0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347
SHA512

8e15a49488fba8f3c12f7186c4d85e52a3daa4a31e9294b6fa0cfb553114660c4a98a27798d3899501596de61d7befa9e4cec97910a348c228ffd381cf53d689
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qf:CcaClSFlG4ZM7QzMI

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1012	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1012	svchcst.exe
2756	svchcst.exe
5116	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
4780	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
4780	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
4780	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4780	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4780	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
4780	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
1012	svchcst.exe
1012	svchcst.exe
2756	svchcst.exe
5116	svchcst.exe
2756	svchcst.exe
5116	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 1504	4780	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe	85
PID 4780 wrote to memory of 1504	4780	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe	85
PID 4780 wrote to memory of 1504	4780	0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe	85
PID 1504 wrote to memory of 1012	1504	WScript.exe	89
PID 1504 wrote to memory of 1012	1504	WScript.exe	89
PID 1504 wrote to memory of 1012	1504	WScript.exe	89
PID 1012 wrote to memory of 3304	1012	svchcst.exe	90
PID 1012 wrote to memory of 3304	1012	svchcst.exe	90
PID 1012 wrote to memory of 3304	1012	svchcst.exe	90
PID 1012 wrote to memory of 4868	1012	svchcst.exe	91
PID 1012 wrote to memory of 4868	1012	svchcst.exe	91
PID 1012 wrote to memory of 4868	1012	svchcst.exe	91
PID 4868 wrote to memory of 2756	4868	WScript.exe	95
PID 4868 wrote to memory of 2756	4868	WScript.exe	95
PID 4868 wrote to memory of 2756	4868	WScript.exe	95
PID 3304 wrote to memory of 5116	3304	WScript.exe	96
PID 3304 wrote to memory of 5116	3304	WScript.exe	96
PID 3304 wrote to memory of 5116	3304	WScript.exe	96

C:\Users\Admin\AppData\Local\Temp\0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
"C:\Users\Admin\AppData\Local\Temp\0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5116
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
fef0d96d5733a47ed204070c147eb05e

SHA1
a7ef265811f0f3eb43a8e0097337bb4426ffbe3a

SHA256
9e227542fdcfe57be92fff50116903b5bfcc4719eca0c62b298bfbf68fc871d3

SHA512
5753a860a9a3b841422d879f6aca84d9057dccdf6965ae4c3c35fbf0ad41d772edca94a1b4f2f2130bb7273622bb9b563ee1889908db8935d8c5106ea2503856

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b77057e5f2daf7e7a5b1b53665eecf40

SHA1
8bb1068771a51bdf6349447327918cbd3b0d71eb

SHA256
4622435fba63d581aee1ec22acb118fc1df205abe57c7768261185de9475f9f9

SHA512
a92d158553085071e17e1d4acc8fa0561b7640f1b7a1e10078965afbe641d84d0d780ffdf975fe43f649ae9ebabc6e3267277ed3d90386256d42755c9749e7f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
538e88a63a617c2438546312cfd9b8d6

SHA1
3e2d0fa66221d11ae89ddd62c27bdc3a373885d4

SHA256
fd9c1bf7a3a2ae77c2ab2f7b2db172f23b123954f8c063ef0c29e8e9b30db29d

SHA512
ed53237066abaca29dd0ff1a7de3618e9f738c1565a73f838fc51716b1d95d8551b9ba299d6360b34b7d1d8ffab3696bee8870cf25395fafbeec352e29e891a5

Download Submit
memory/4780-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download