5aef8d5a927217e341f20374046184867dc0dd1d2986238aca04aa9cae73bfab

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 22:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6273337402C9D4F6EA37F137515D13DF.exe
Size

4.0MB
MD5

6273337402c9d4f6ea37f137515d13df
SHA1

27d2d13abd36d1100b98f09234d72a02d2a2aa7e
SHA256

5aef8d5a927217e341f20374046184867dc0dd1d2986238aca04aa9cae73bfab
SHA512

aedc84f2602305016d3370fb53b1bf9e623a79eefe95fe98a7e776101e56e78d0b1b0855999d7bf9097b02b30935421b5d7167fc5131e6b8a8ad1b1f43963c52
SSDEEP

49152:dBKwNr3/cfrT4WGLZZbHsT50DoiN1jPbNqY3tDKGSoj/p4aotf+pIixhIGGfWN+3:3PNr3/SvmaT5TIjPRqTajo4iQKJf416V

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	6273337402C9D4F6EA37F137515D13DF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	providercomponentCommonsvc.exe

Executes dropped EXE 2 IoCs

pid	Process
368	providercomponentCommonsvc.exe
4456	dllhost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe	providercomponentCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\6cb0b6c459d5d3	providercomponentCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\explorer.exe	providercomponentCommonsvc.exe
File opened for modification	C:\Windows\assembly\explorer.exe	providercomponentCommonsvc.exe
File created	C:\Windows\assembly\7a0fd90576e088	providercomponentCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6273337402C9D4F6EA37F137515D13DF.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	6273337402C9D4F6EA37F137515D13DF.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	providercomponentCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe
368	providercomponentCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	providercomponentCommonsvc.exe
Token: SeDebugPrivilege	4456	dllhost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4772	5100	6273337402C9D4F6EA37F137515D13DF.exe	86
PID 5100 wrote to memory of 4772	5100	6273337402C9D4F6EA37F137515D13DF.exe	86
PID 5100 wrote to memory of 4772	5100	6273337402C9D4F6EA37F137515D13DF.exe	86
PID 4772 wrote to memory of 3500	4772	WScript.exe	87
PID 4772 wrote to memory of 3500	4772	WScript.exe	87
PID 4772 wrote to memory of 3500	4772	WScript.exe	87
PID 3500 wrote to memory of 368	3500	cmd.exe	89
PID 3500 wrote to memory of 368	3500	cmd.exe	89
PID 368 wrote to memory of 1576	368	providercomponentCommonsvc.exe	92
PID 368 wrote to memory of 1576	368	providercomponentCommonsvc.exe	92
PID 1576 wrote to memory of 2512	1576	cmd.exe	94
PID 1576 wrote to memory of 2512	1576	cmd.exe	94
PID 1576 wrote to memory of 2320	1576	cmd.exe	95
PID 1576 wrote to memory of 2320	1576	cmd.exe	95
PID 1576 wrote to memory of 4456	1576	cmd.exe	96
PID 1576 wrote to memory of 4456	1576	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\6273337402C9D4F6EA37F137515D13DF.exe
"C:\Users\Admin\AppData\Local\Temp\6273337402C9D4F6EA37F137515D13DF.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BrowserPerfsvc\4bqNHkxVghe2TiF.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BrowserPerfsvc\q31qSrX5.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\BrowserPerfsvc\providercomponentCommonsvc.exe
      "C:\BrowserPerfsvc/providercomponentCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zPAotN7xa.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2512
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2320
      - C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BrowserPerfsvc\4bqNHkxVghe2TiF.vbe

Filesize
201B

MD5
0b74fdfd3f63fdbb154fa4f93436c48f

SHA1
a48c77479644ac40c29eb9805832285342ecf8ca

SHA256
18e1a6e20ff7582050c27244c79b7ab0e8a89c7d197b06303adb1e1849145924

SHA512
122ec5e1f0086cf9ff449ee9d2ca83d35733bed04207a62dd4386f82f923d0bf194d406b6700fae5afb54758ce49fc2990ea83a1f6539e050eb8abae899aab18

Download Submit
C:\BrowserPerfsvc\providercomponentCommonsvc.exe

Filesize
3.5MB

MD5
3a69eb57f9144b055097fa40d6a137a8

SHA1
975b59ac3f3dc04694f87788e606cdd4e83544d2

SHA256
d884102a60d711a7f70d8dfc73d987fd7c71fb0f3c1084249abd27ac07d485f7

SHA512
31dabeb3706d0abce1bf58f84807b6fee5a595347be52666beaf5f90062751803e8d98c417d133529b58e90029c6dbd0aa3f3a033282fada5e53cbb4b67ed3ee

Download Submit
C:\BrowserPerfsvc\q31qSrX5.bat

Filesize
107B

MD5
3425470a8531a334d1742ec8e7a63183

SHA1
d7ddb38b925dbce599c722217b6826ae3671f8b5

SHA256
fe08939d2b50836ecdef2de54a85c22e8ab21d23caf13314da9e28a7665159b9

SHA512
8f0faf67f9ab97623531cb552af64d9e3f28fb1cdd2ad9470e86207dd3ea4e7828b5078d7cbe7ba6e4fbf7dc14da3e9ac111d326131a0e8b4484072e0dd1c784

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zPAotN7xa.bat

Filesize
209B

MD5
001d5af99e93f7e4c0cc25980efbac79

SHA1
b1ba4d0d784c5e51c9f84725f0010f224115b11b

SHA256
13095d9394b051a01a23c2e7deb9dc6e4b72ef797a9e0745abe5c16971a3efd7

SHA512
31b21dbb1b8befbeba27d37bcbdced6afc52aabe75fa749f9f4711bd89278b34bf4c4e0a7c56626ee9fe7e67d6f18b68b1de3ef06926cdd55c32d5155567ef54

Download Submit
memory/368-41-0x000000001BD80000-0x000000001BD8E000-memory.dmp

Filesize
56KB

Download
memory/368-45-0x000000001BED0000-0x000000001BEE0000-memory.dmp

Filesize
64KB

Download
memory/368-19-0x0000000003300000-0x000000000331C000-memory.dmp

Filesize
112KB

Download
memory/368-20-0x000000001C320000-0x000000001C370000-memory.dmp

Filesize
320KB

Download
memory/368-26-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/368-28-0x000000001BD30000-0x000000001BD40000-memory.dmp

Filesize
64KB

Download
memory/368-30-0x000000001BD40000-0x000000001BD4E000-memory.dmp

Filesize
56KB

Download
memory/368-34-0x000000001BD70000-0x000000001BD80000-memory.dmp

Filesize
64KB

Download
memory/368-32-0x000000001BD90000-0x000000001BDA2000-memory.dmp

Filesize
72KB

Download
memory/368-36-0x000000001BEF0000-0x000000001BF06000-memory.dmp

Filesize
88KB

Download
memory/368-38-0x000000001C370000-0x000000001C382000-memory.dmp

Filesize
72KB

Download
memory/368-24-0x000000001BD50000-0x000000001BD68000-memory.dmp

Filesize
96KB

Download
memory/368-12-0x00007FFF123E3000-0x00007FFF123E5000-memory.dmp

Filesize
8KB

Download
memory/368-39-0x000000001C8C0000-0x000000001CDE8000-memory.dmp

Filesize
5.2MB

Download
memory/368-43-0x000000001BDB0000-0x000000001BDC0000-memory.dmp

Filesize
64KB

Download
memory/368-15-0x000000001BD00000-0x000000001BD26000-memory.dmp

Filesize
152KB

Download
memory/368-47-0x000000001C3F0000-0x000000001C44A000-memory.dmp

Filesize
360KB

Download
memory/368-22-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/368-17-0x00000000019A0000-0x00000000019AE000-memory.dmp

Filesize
56KB

Download
memory/368-51-0x000000001C390000-0x000000001C3A0000-memory.dmp

Filesize
64KB

Download
memory/368-53-0x000000001C3A0000-0x000000001C3AE000-memory.dmp

Filesize
56KB

Download
memory/368-55-0x000000001C3D0000-0x000000001C3E8000-memory.dmp

Filesize
96KB

Download
memory/368-57-0x000000001C3B0000-0x000000001C3BC000-memory.dmp

Filesize
48KB

Download
memory/368-59-0x000000001C4A0000-0x000000001C4EE000-memory.dmp

Filesize
312KB

Download
memory/368-49-0x000000001BEE0000-0x000000001BEEE000-memory.dmp

Filesize
56KB

Download
memory/368-76-0x000000001CDF0000-0x000000001CEBD000-memory.dmp

Filesize
820KB

Download
memory/368-13-0x0000000000E40000-0x00000000011CC000-memory.dmp

Filesize
3.5MB

Download
memory/368-77-0x000000001CEC0000-0x000000001D069000-memory.dmp

Filesize
1.7MB

Download
memory/4456-104-0x000000001C380000-0x000000001C44D000-memory.dmp

Filesize
820KB

Download