d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
Size

1.1MB
MD5

074ee5c741762060d9ec905ce1f96634
SHA1

1adfa104174a82dd1a81fb374624d9dcf0cc563a
SHA256

d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df
SHA512

7131cce2647d87f05f5a32558937c4bf314ede2a586366c2a39ed3a3b7bf7294b6a718a034cbc6ccb39866d693a4107e6a01da03897cd348a770d6f59b539e1d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMS

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2996	svchcst.exe

Executes dropped EXE 6 IoCs

pid	Process
2996	svchcst.exe
1504	svchcst.exe
2100	svchcst.exe
2168	svchcst.exe
1364	svchcst.exe
1528	svchcst.exe

Loads dropped DLL 9 IoCs

pid	Process
2664	WScript.exe
2664	WScript.exe
872	WScript.exe
872	WScript.exe
2332	WScript.exe
524	WScript.exe
524	WScript.exe
596	WScript.exe
960	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
2996	svchcst.exe
2996	svchcst.exe
1504	svchcst.exe
1504	svchcst.exe
2100	svchcst.exe
2100	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
1364	svchcst.exe
1364	svchcst.exe
1528	svchcst.exe
1528	svchcst.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2664	2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	31
PID 2320 wrote to memory of 2664	2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	31
PID 2320 wrote to memory of 2664	2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	31
PID 2320 wrote to memory of 2664	2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	31
PID 2320 wrote to memory of 872	2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	30
PID 2320 wrote to memory of 872	2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	30
PID 2320 wrote to memory of 872	2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	30
PID 2320 wrote to memory of 872	2320	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	30
PID 2664 wrote to memory of 2996	2664	WScript.exe	33
PID 2664 wrote to memory of 2996	2664	WScript.exe	33
PID 2664 wrote to memory of 2996	2664	WScript.exe	33
PID 2664 wrote to memory of 2996	2664	WScript.exe	33
PID 872 wrote to memory of 1504	872	WScript.exe	34
PID 872 wrote to memory of 1504	872	WScript.exe	34
PID 872 wrote to memory of 1504	872	WScript.exe	34
PID 872 wrote to memory of 1504	872	WScript.exe	34
PID 1504 wrote to memory of 2332	1504	svchcst.exe	35
PID 1504 wrote to memory of 2332	1504	svchcst.exe	35
PID 1504 wrote to memory of 2332	1504	svchcst.exe	35
PID 1504 wrote to memory of 2332	1504	svchcst.exe	35
PID 2332 wrote to memory of 2100	2332	WScript.exe	36
PID 2332 wrote to memory of 2100	2332	WScript.exe	36
PID 2332 wrote to memory of 2100	2332	WScript.exe	36
PID 2332 wrote to memory of 2100	2332	WScript.exe	36
PID 2100 wrote to memory of 524	2100	svchcst.exe	37
PID 2100 wrote to memory of 524	2100	svchcst.exe	37
PID 2100 wrote to memory of 524	2100	svchcst.exe	37
PID 2100 wrote to memory of 524	2100	svchcst.exe	37
PID 2100 wrote to memory of 2356	2100	svchcst.exe	38
PID 2100 wrote to memory of 2356	2100	svchcst.exe	38
PID 2100 wrote to memory of 2356	2100	svchcst.exe	38
PID 2100 wrote to memory of 2356	2100	svchcst.exe	38
PID 524 wrote to memory of 2168	524	WScript.exe	39
PID 524 wrote to memory of 2168	524	WScript.exe	39
PID 524 wrote to memory of 2168	524	WScript.exe	39
PID 524 wrote to memory of 2168	524	WScript.exe	39
PID 2168 wrote to memory of 596	2168	svchcst.exe	40
PID 2168 wrote to memory of 596	2168	svchcst.exe	40
PID 2168 wrote to memory of 596	2168	svchcst.exe	40
PID 2168 wrote to memory of 596	2168	svchcst.exe	40
PID 2168 wrote to memory of 960	2168	svchcst.exe	41
PID 2168 wrote to memory of 960	2168	svchcst.exe	41
PID 2168 wrote to memory of 960	2168	svchcst.exe	41
PID 2168 wrote to memory of 960	2168	svchcst.exe	41
PID 596 wrote to memory of 1528	596	WScript.exe	42
PID 596 wrote to memory of 1528	596	WScript.exe	42
PID 596 wrote to memory of 1528	596	WScript.exe	42
PID 596 wrote to memory of 1528	596	WScript.exe	42
PID 960 wrote to memory of 1364	960	WScript.exe	43
PID 960 wrote to memory of 1364	960	WScript.exe	43
PID 960 wrote to memory of 1364	960	WScript.exe	43
PID 960 wrote to memory of 1364	960	WScript.exe	43

C:\Users\Admin\AppData\Local\Temp\d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
"C:\Users\Admin\AppData\Local\Temp\d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1364
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c547e53bc0a4683a8f97175b197eff83

SHA1
efee6e28a2f86c7d445984ee23e68c7f51a428c1

SHA256
f7009a0cd1d909089a0f7bbbb1218efc2f1e320b3c9fc1319ef5f5450b14c411

SHA512
c280698d86c8dba88fc895a116c9d7364b7fe13fceb8ee7c8ab996232e3149513b7fbd0989a33594d80e735431acc93b1100fc042c53d3a0e30ed2a24bb21b59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
22ee4efbc67fc70b9f9d483cf169e846

SHA1
5e0a01490f92c7a77457c1df61c009cdc5c641dd

SHA256
abd4fb5ee308e65770cced9ea111c1dcfc48e0571cfcb79284f4fbbab293e161

SHA512
7638f6551734a6256e6d7666a9811368ee2894afeb442f65c6da0680fe8134059c52f552e36b2539774c4e3e5fc0cc1ae027e3ef872b5bb5d4b8e0f6687ce238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f9ee7b15759698db407c6816d7eb496d

SHA1
e43561605dd258542a290dbecc3fd4acc930e835

SHA256
56321ac70cb5cad30767e4e574ee08906d55fab984d3915e313bcf2b385c00da

SHA512
e2cc2c818cf498fd7e4ab4d48f6aa72f09eb9d18a48b01a2984de886815d5adf48b927aac6f625fe464996a0c9fcada3b18045a70a04ff41687dd92962c8d317

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9b976b5677fa228526e5a2a593d30252

SHA1
6a3dd14f846b0287cd2ec266e833540b545e4d2c

SHA256
ee607eb29072d9a0f94f477b784adc7fb6761b49b595e85162f02dcd05666bbd

SHA512
7971c348b1cab49642191e0de5429fd00c4dacec96a76363330e53c3c48642365d21416dbc35b459b58a4a104c32a538759ab1f7759ae511dd6bed5373f1a282

Download Submit
memory/524-49-0x0000000003BA0000-0x0000000003CFF000-memory.dmp

Filesize
1.4MB

Download
memory/960-65-0x0000000004FD0000-0x000000000512F000-memory.dmp

Filesize
1.4MB

Download
memory/1364-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1504-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1504-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1528-68-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1528-66-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2168-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2168-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2320-5-0x0000000003EA0000-0x0000000003F10000-memory.dmp

Filesize
448KB

Download
memory/2320-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2320-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2332-33-0x0000000003CE0000-0x0000000003E3F000-memory.dmp

Filesize
1.4MB

Download
memory/2664-20-0x00000000051C0000-0x000000000531F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download