63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c

Analysis

max time kernel
93s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe
Size

1.1MB
MD5

b8fefb2d72486ad1c055fec53570445c
SHA1

e16a416fbf9d23b2232ef31c2d3359dd5a1d4814
SHA256

63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c
SHA512

f6f8eec6491e1c00aafcf16c4a393a21b87ba2b62be658224c85890086f664ce31655183e2b74778ed52bd538a49c3924a399f18d64d1105865014cd8b684aac
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q6:acallSllG4ZM7QzMp

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1156	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1156	svchcst.exe
4896	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe
3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe
3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe
3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe
3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe
1156	svchcst.exe
1156	svchcst.exe
4896	svchcst.exe
4896	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 4876	3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe	86
PID 3576 wrote to memory of 4876	3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe	86
PID 3576 wrote to memory of 4876	3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe	86
PID 3576 wrote to memory of 2120	3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe	87
PID 3576 wrote to memory of 2120	3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe	87
PID 3576 wrote to memory of 2120	3576	63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe	87
PID 2120 wrote to memory of 4896	2120	WScript.exe	89
PID 2120 wrote to memory of 4896	2120	WScript.exe	89
PID 2120 wrote to memory of 4896	2120	WScript.exe	89
PID 4876 wrote to memory of 1156	4876	WScript.exe	90
PID 4876 wrote to memory of 1156	4876	WScript.exe	90
PID 4876 wrote to memory of 1156	4876	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe
"C:\Users\Admin\AppData\Local\Temp\63357c0ff474b1181608caa4e391a42901e6ce5c58fbc3c94425d4326d70d96c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
165a16b6d4251d7f678b10ed9ab2af28

SHA1
f01853b4f941961c728d393d36c42ba60faca89a

SHA256
0399acd759221c80ddc0d6ff0170c58389c361999409da6295e4d6ecffbca63e

SHA512
d0e051b294312d32f613fcd8df581762a4b7b196e23e29035ce7a7f7424209821a6aac7c05a5cfc512a8e5cc2f43b1b43976432cbb9593e4c90c58f1ad66c071

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
85ee57e53333463cdf14cd89336e8a9c

SHA1
dd76ddb1ee0c494424a214a28e899e61acf84872

SHA256
2b00d7afb17ab8d978716ecbac230bb175eebbdfac15b40d0ce3e4b99341c518

SHA512
15fd13417189760a5418bbd3a68e56537cd390c308567399ecf3855bd5a7cf7aa4338358d1ebb2f6c5528b41e8236607bc9ee4f06b959a8fa5c66363c49c61fd

Download Submit
memory/1156-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1156-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3576-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3576-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4896-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4896-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download