8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5

Analysis

max time kernel
17s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
Size

1.1MB
MD5

5fb49a79a25f5242c68dc4a62d5fe347
SHA1

71f00c54d8ef94961384770cc6e392ff4b54b76d
SHA256

8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5
SHA512

d16b007f9ff3120eb363bac8767ef17830252250fce4563a41ae0c50b526ffa4c4b9f8a8ac9dafdf8f7117144a9a8252ea266c36cf418d22455ec2cabf0708d1
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q+:acallSllG4ZM7QzM1

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
220	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
2228	svchcst.exe
220	svchcst.exe
4320	svchcst.exe
5020	svchcst.exe
4520	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe
220	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
220	svchcst.exe
2228	svchcst.exe
220	svchcst.exe
2228	svchcst.exe
4320	svchcst.exe
4320	svchcst.exe
5020	svchcst.exe
5020	svchcst.exe
4520	svchcst.exe
4520	svchcst.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 1108	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	92
PID 3544 wrote to memory of 1108	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	92
PID 3544 wrote to memory of 1108	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	92
PID 3544 wrote to memory of 2304	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	93
PID 3544 wrote to memory of 2304	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	93
PID 3544 wrote to memory of 2304	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	93
PID 3544 wrote to memory of 2540	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	89
PID 3544 wrote to memory of 2540	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	89
PID 3544 wrote to memory of 2540	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	89
PID 3544 wrote to memory of 2636	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	90
PID 3544 wrote to memory of 2636	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	90
PID 3544 wrote to memory of 2636	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	90
PID 3544 wrote to memory of 2240	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	91
PID 3544 wrote to memory of 2240	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	91
PID 3544 wrote to memory of 2240	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	91
PID 3544 wrote to memory of 4976	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	87
PID 3544 wrote to memory of 4976	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	87
PID 3544 wrote to memory of 4976	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	87
PID 3544 wrote to memory of 1004	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	86
PID 3544 wrote to memory of 1004	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	86
PID 3544 wrote to memory of 1004	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	86
PID 3544 wrote to memory of 728	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	97
PID 3544 wrote to memory of 728	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	97
PID 3544 wrote to memory of 728	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	97
PID 3544 wrote to memory of 3248	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	96
PID 3544 wrote to memory of 3248	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	96
PID 3544 wrote to memory of 3248	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	96
PID 3544 wrote to memory of 1460	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	95
PID 3544 wrote to memory of 1460	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	95
PID 3544 wrote to memory of 1460	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	95
PID 3544 wrote to memory of 3012	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	94
PID 3544 wrote to memory of 3012	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	94
PID 3544 wrote to memory of 3012	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	94
PID 3544 wrote to memory of 2512	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	88
PID 3544 wrote to memory of 2512	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	88
PID 3544 wrote to memory of 2512	3544	8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe	88
PID 728 wrote to memory of 2228	728	WScript.exe	101
PID 728 wrote to memory of 2228	728	WScript.exe	101
PID 728 wrote to memory of 2228	728	WScript.exe	101
PID 3012 wrote to memory of 220	3012	WScript.exe	102
PID 3012 wrote to memory of 220	3012	WScript.exe	102
PID 3012 wrote to memory of 220	3012	WScript.exe	102
PID 1460 wrote to memory of 4320	1460	WScript.exe	103
PID 1460 wrote to memory of 4320	1460	WScript.exe	103
PID 1460 wrote to memory of 4320	1460	WScript.exe	103
PID 3248 wrote to memory of 5020	3248	WScript.exe	104
PID 3248 wrote to memory of 5020	3248	WScript.exe	104
PID 3248 wrote to memory of 5020	3248	WScript.exe	104
PID 2240 wrote to memory of 4520	2240	WScript.exe	105
PID 2240 wrote to memory of 4520	2240	WScript.exe	105
PID 2240 wrote to memory of 4520	2240	WScript.exe	105

C:\Users\Admin\AppData\Local\Temp\8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe
"C:\Users\Admin\AppData\Local\Temp\8332223587ad3dcef7c7cf80ffa1e44626a162759363cf3f2ecb67a8e609a6d5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2636
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1108
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2304
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1356
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:220
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4232
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4320
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5020
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2228
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
259649e3a60f69b8330737e407d1786b

SHA1
98adb423377ac228ee1be8bf706c9875ca94426b

SHA256
1864e13fcd25c0818ec8d96da622d0a4500d3fd771c306541a00c314a3ced334

SHA512
e5e122840817867859daaea10bc3f3fa6b9b3e6c4dce429e44e48500e5148073ed16aa00756df33cba61e1ca85048e6ee962fadffc00e52bf556c368b998c269

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
de754e73dcd7d403852bb436570049fd

SHA1
cbb9eea076fbf18410ebcecfbfa886a8357082ca

SHA256
10743e3d55a51b5e3ffca2d2e5dde4626ae32c61f8ee65cd1ba3d89185e1c4eb

SHA512
b7b766859cdd78ad75665459e2a8565d7626df40356f90a4c7df53ca41430e14bdf45b87bdaaa59227451dc6238a77d0c15aced0f6d7a86b4ecb5043557934ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b9de7607e6d52c4c01c02cb530c63a6c

SHA1
479121ce6f8d27aece0c23b3466604e9ee41e346

SHA256
2e6302d319a11f2db765c14b2e1102c666b233404c74578e44bef48c9fa7aec0

SHA512
96a53a19094c84cd27439dea29b039bfbc584f961af56f450f890427b50677a8482f6f3b3a4c60d870cf40dad88f8c0dd04fb692486338610d9a7865fae69dd8

Download Submit
memory/220-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/220-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1132-64-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1132-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2228-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3224-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3224-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3544-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3544-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4232-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4320-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4520-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4520-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5020-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download