fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d

Analysis

max time kernel
94s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
Size

1.1MB
MD5

cab674004c6f76c5d994724abf83e4fa
SHA1

ad1df8b1bbc7ea4fd06ac7544cd366f8c3ff70b0
SHA256

fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d
SHA512

90b7672b9f84efaeda3a0906da69fd17cf6f6b10557c2eabee3800d3c632e7fd884ef8cb43dc39e57f1444dd5289ada7915c7bb47bf1242bf68897c71019866c
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qy:CcaClSFlG4ZM7QzMx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe

Deletes itself 1 IoCs

pid	Process
5024	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3784	svchcst.exe
5024	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe
5024	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
5024	svchcst.exe
5024	svchcst.exe
3784	svchcst.exe
3784	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 732	1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe	87
PID 1216 wrote to memory of 732	1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe	87
PID 1216 wrote to memory of 732	1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe	87
PID 1216 wrote to memory of 3880	1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe	86
PID 1216 wrote to memory of 3880	1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe	86
PID 1216 wrote to memory of 3880	1216	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe	86
PID 732 wrote to memory of 3784	732	WScript.exe	89
PID 732 wrote to memory of 3784	732	WScript.exe	89
PID 732 wrote to memory of 3784	732	WScript.exe	89
PID 3880 wrote to memory of 5024	3880	WScript.exe	90
PID 3880 wrote to memory of 5024	3880	WScript.exe	90
PID 3880 wrote to memory of 5024	3880	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
"C:\Users\Admin\AppData\Local\Temp\fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
909b5c0d18b412aad9932fabdca74907

SHA1
74a94376ef15ebc0abe16a97f3890cfeabe0ac7d

SHA256
0fcef94db979c20a1d1506000c35831eb399bea00ddad5b72218d4280a0913de

SHA512
b6179232472316d33ec67322181f9984de645a6e248545f72b565cd82c5beae31b8e0154d1c0a9834a896f8acb6d9077da050fd0cacd48470faafc18717a7b8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
eabfd2f0a33be12da4fe4776098cbdc9

SHA1
3e4cd60ff63c21e1174c70d3de28bd430c9c46bb

SHA256
ab5671dcd83594cfd1a5e82930c207f1958bae13dce6770c1361044f91f030f4

SHA512
9aaabf72b7d4a3a86a654349e2362a427a6532977b596894dc4172f8802b51baecf3bcc8ba853002065c08126d6f0ea47c5d21289195f0c69a888f3974ff57b8

Download Submit
memory/1216-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download