d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df

Analysis

max time kernel
28s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
Size

1.1MB
MD5

074ee5c741762060d9ec905ce1f96634
SHA1

1adfa104174a82dd1a81fb374624d9dcf0cc563a
SHA256

d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df
SHA512

7131cce2647d87f05f5a32558937c4bf314ede2a586366c2a39ed3a3b7bf7294b6a718a034cbc6ccb39866d693a4107e6a01da03897cd348a770d6f59b539e1d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMS

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 12 IoCs

pid	Process
3888	svchcst.exe
4460	svchcst.exe
4308	svchcst.exe
4332	svchcst.exe
972	svchcst.exe
3056	svchcst.exe
4004	svchcst.exe
4556	svchcst.exe
2304	svchcst.exe
2240	svchcst.exe
3188	svchcst.exe
2036	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
3188	svchcst.exe
3188	svchcst.exe
3188	svchcst.exe
3188	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
4460	svchcst.exe
4460	svchcst.exe
4308	svchcst.exe
4308	svchcst.exe
4332	svchcst.exe
972	svchcst.exe
4332	svchcst.exe
972	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
4004	svchcst.exe
4004	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
4556	svchcst.exe
4556	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
3188	svchcst.exe
3188	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4864	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	89
PID 4508 wrote to memory of 4864	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	89
PID 4508 wrote to memory of 4864	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	89
PID 4508 wrote to memory of 3128	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	93
PID 4508 wrote to memory of 3128	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	93
PID 4508 wrote to memory of 3128	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	93
PID 4508 wrote to memory of 1584	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	91
PID 4508 wrote to memory of 1584	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	91
PID 4508 wrote to memory of 1584	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	91
PID 4508 wrote to memory of 3308	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	90
PID 4508 wrote to memory of 3308	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	90
PID 4508 wrote to memory of 3308	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	90
PID 4508 wrote to memory of 4536	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	88
PID 4508 wrote to memory of 4536	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	88
PID 4508 wrote to memory of 4536	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	88
PID 4508 wrote to memory of 4392	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	92
PID 4508 wrote to memory of 4392	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	92
PID 4508 wrote to memory of 4392	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	92
PID 4508 wrote to memory of 3236	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	130
PID 4508 wrote to memory of 3236	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	130
PID 4508 wrote to memory of 3236	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	130
PID 4508 wrote to memory of 1608	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	87
PID 4508 wrote to memory of 1608	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	87
PID 4508 wrote to memory of 1608	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	87
PID 4508 wrote to memory of 1696	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	95
PID 4508 wrote to memory of 1696	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	95
PID 4508 wrote to memory of 1696	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	95
PID 4508 wrote to memory of 2780	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	96
PID 4508 wrote to memory of 2780	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	96
PID 4508 wrote to memory of 2780	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	96
PID 4508 wrote to memory of 4564	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	97
PID 4508 wrote to memory of 4564	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	97
PID 4508 wrote to memory of 4564	4508	d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe	97
PID 4392 wrote to memory of 3888	4392	WScript.exe	99
PID 4392 wrote to memory of 3888	4392	WScript.exe	99
PID 4392 wrote to memory of 3888	4392	WScript.exe	99
PID 4864 wrote to memory of 4460	4864	WScript.exe	102
PID 4864 wrote to memory of 4460	4864	WScript.exe	102
PID 4864 wrote to memory of 4460	4864	WScript.exe	102
PID 3128 wrote to memory of 4308	3128	WScript.exe	100
PID 3128 wrote to memory of 4308	3128	WScript.exe	100
PID 3128 wrote to memory of 4308	3128	WScript.exe	100
PID 1696 wrote to memory of 4332	1696	WScript.exe	101
PID 1696 wrote to memory of 4332	1696	WScript.exe	101
PID 1696 wrote to memory of 4332	1696	WScript.exe	101
PID 3308 wrote to memory of 972	3308	WScript.exe	103
PID 3308 wrote to memory of 972	3308	WScript.exe	103
PID 3308 wrote to memory of 972	3308	WScript.exe	103
PID 2780 wrote to memory of 3056	2780	WScript.exe	104
PID 2780 wrote to memory of 3056	2780	WScript.exe	104
PID 2780 wrote to memory of 3056	2780	WScript.exe	104
PID 4564 wrote to memory of 4004	4564	WScript.exe	105
PID 4564 wrote to memory of 4004	4564	WScript.exe	105
PID 4564 wrote to memory of 4004	4564	WScript.exe	105
PID 4536 wrote to memory of 4556	4536	WScript.exe	107
PID 4536 wrote to memory of 4556	4536	WScript.exe	107
PID 4536 wrote to memory of 4556	4536	WScript.exe	107
PID 1584 wrote to memory of 2304	1584	WScript.exe	106
PID 1584 wrote to memory of 2304	1584	WScript.exe	106
PID 1584 wrote to memory of 2304	1584	WScript.exe	106
PID 3236 wrote to memory of 2240	3236	WScript.exe	108
PID 3236 wrote to memory of 2240	3236	WScript.exe	108
PID 3236 wrote to memory of 2240	3236	WScript.exe	108
PID 3236 wrote to memory of 3188	3236	WScript.exe	109

C:\Users\Admin\AppData\Local\Temp\d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe
"C:\Users\Admin\AppData\Local\Temp\d6c041beb73ddde50848feec4814bb861f20c71960441f378abd8bcc2c0114df.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1608
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2304
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4308
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2240
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3188
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4332
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2036
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:2120
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        
        PID:3964
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:4140
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        
        PID:2060
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:1168
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        
        PID:452
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4004

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
7f3dc81e89c42553e5041cdab27734c5

SHA1
f94ac034898da3754f83138ce7487324deb1afcb

SHA256
1fa7336ab31395ead97303fc269516f3a57be03bb10e4aced598893070e89791

SHA512
fe558d13ae3f4a808da4247b468c7881e4893ab37b10dc06f32d56d1dca5128b1dcf3526ae82120cfed493fd3c2e5d4a0d7585a71de77023173d8ea03162dce3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bf8c66bc238068346f8bc94f6763b894

SHA1
43019b1b9d3d7e90719747856103a1af12d024ef

SHA256
de7fa3ae16d70f789b4d0aa427b017215cdb51f141038688ca5ba2cbb4060b5d

SHA512
a5d2d1662be29ceebb5d9441b537804722646c7ee3974d89d87bb37d1563bdbcac709f29e3251cf9d45845bdedd518bca99e203102b5c7f0e3657eca406277c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
012bbff8b6b3af69d1aa77f5d81ef604

SHA1
a5fdc007289cc76499abe6c8cdd704c551326116

SHA256
aa6d070e40f4b611f4a205da1be4145e902bedc2c211723431cce67069080d3e

SHA512
3273d454f149ea7f4b37d811f63a648c25c9a0f7614bc0c66e5040be685373b4a920bd24a3883650f0fb2f7dfbfcb1563f705330a81433fbb00f826df83ed519

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a8863a999d1c451c1a44d2e6da55aed8

SHA1
732afc984647bced845cba1cf7675956a932eef8

SHA256
a0a0366579704f6ea57d10bb8f37bfa3e222a5940c49f7a1b26cef82ced54d27

SHA512
4ee0ae2d7adf519503b833c3d50b6b43b78c79a570b4df5c0f1c7e51754aa4b985719974002ee99621fe8976a909612a145374685bc45c7f4c8c44fac80016db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
18e16ca58908ca91f504a7a0a95eda7a

SHA1
6519e62253fe85da8e92c7181341db3571f5d0d0

SHA256
abd4ed2d0ba1c2e7ca4fded7bb24ce9a018f2d8ec6a3bc13829d45a7de143a8b

SHA512
ef60f51ab7d2426dc9c0a381b8f9abe4752d840c05e21a9bb147f6f904b3b22aafe5d0f3d422a30ceb999fab1c7b3a0729f0398b031d78950549c751750d7755

Download Submit
memory/452-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/452-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/972-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/972-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-85-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2060-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2060-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2240-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2240-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2304-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2304-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3188-71-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3888-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3888-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3964-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3964-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4004-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4004-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4308-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4308-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4332-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4332-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4460-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4460-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4508-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4508-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4556-58-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4556-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download