182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c

Analysis

max time kernel
41s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
Size

1.1MB
MD5

bddedb07f37c6c5c91af3fd90ec033eb
SHA1

0c9da9da680ecc74d0641b1993850d254394b040
SHA256

182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c
SHA512

815a22c97f3d1425207da54ec837fa7b8f61d9aa1e4eae571309bf0d2fa6b8e529f1cb38e4913247a2ed82ec860d65c38658b206bf235e842f701ae04d523eb3
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzMr

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2664	svchcst.exe

Executes dropped EXE 6 IoCs

pid	Process
2664	svchcst.exe
2684	svchcst.exe
2688	svchcst.exe
2820	svchcst.exe
1216	svchcst.exe
1688	svchcst.exe

Loads dropped DLL 9 IoCs

pid	Process
2868	WScript.exe
2868	WScript.exe
2772	WScript.exe
2772	WScript.exe
2868	WScript.exe
2868	WScript.exe
1900	WScript.exe
1900	WScript.exe
2984	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
2664	svchcst.exe
2664	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2868	2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	30
PID 2224 wrote to memory of 2868	2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	30
PID 2224 wrote to memory of 2868	2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	30
PID 2224 wrote to memory of 2868	2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	30
PID 2224 wrote to memory of 2772	2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	29
PID 2224 wrote to memory of 2772	2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	29
PID 2224 wrote to memory of 2772	2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	29
PID 2224 wrote to memory of 2772	2224	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	29
PID 2868 wrote to memory of 2664	2868	WScript.exe	32
PID 2868 wrote to memory of 2664	2868	WScript.exe	32
PID 2868 wrote to memory of 2664	2868	WScript.exe	32
PID 2868 wrote to memory of 2664	2868	WScript.exe	32
PID 2772 wrote to memory of 2684	2772	WScript.exe	33
PID 2772 wrote to memory of 2684	2772	WScript.exe	33
PID 2772 wrote to memory of 2684	2772	WScript.exe	33
PID 2772 wrote to memory of 2684	2772	WScript.exe	33
PID 2684 wrote to memory of 1900	2684	svchcst.exe	34
PID 2684 wrote to memory of 1900	2684	svchcst.exe	34
PID 2684 wrote to memory of 1900	2684	svchcst.exe	34
PID 2684 wrote to memory of 1900	2684	svchcst.exe	34
PID 2868 wrote to memory of 2688	2868	WScript.exe	35
PID 2868 wrote to memory of 2688	2868	WScript.exe	35
PID 2868 wrote to memory of 2688	2868	WScript.exe	35
PID 2868 wrote to memory of 2688	2868	WScript.exe	35
PID 1900 wrote to memory of 2820	1900	WScript.exe	36
PID 1900 wrote to memory of 2820	1900	WScript.exe	36
PID 1900 wrote to memory of 2820	1900	WScript.exe	36
PID 1900 wrote to memory of 2820	1900	WScript.exe	36
PID 2688 wrote to memory of 2984	2688	svchcst.exe	37
PID 2688 wrote to memory of 2984	2688	svchcst.exe	37
PID 2688 wrote to memory of 2984	2688	svchcst.exe	37
PID 2688 wrote to memory of 2984	2688	svchcst.exe	37
PID 1900 wrote to memory of 1216	1900	WScript.exe	38
PID 1900 wrote to memory of 1216	1900	WScript.exe	38
PID 1900 wrote to memory of 1216	1900	WScript.exe	38
PID 1900 wrote to memory of 1216	1900	WScript.exe	38
PID 2984 wrote to memory of 1688	2984	WScript.exe	39
PID 2984 wrote to memory of 1688	2984	WScript.exe	39
PID 2984 wrote to memory of 1688	2984	WScript.exe	39
PID 2984 wrote to memory of 1688	2984	WScript.exe	39

C:\Users\Admin\AppData\Local\Temp\182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
"C:\Users\Admin\AppData\Local\Temp\182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1216
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2664
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5fd099d52994a7423dce6d651f122920

SHA1
56b7a302256175a8514cc9c2dd86ae8d8b32c310

SHA256
3d72a63fb5b538bbe789621153800245b66f3980d79cb8ac4d08b61c7cc64e8c

SHA512
dd221654eaa9433c00fe993a47b80d0dbc40fb15ddc62f08cabcb5b73f5842f3228b382a4bd9f6277f8423d5989f1129799c61ef0dff8d871132c57dc2997eef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cb5d7dbe25c05d0106eb00d36929659c

SHA1
e176c947decb2f0698b3120532df342c79eb51d5

SHA256
e35872471651f4e286a2120a82155a31a4622318d39c5843a6db24469cccd164

SHA512
599d8a592a1e0924d372b9277c363e5dc46eb053421c6f3a19c7582c88f26c78f3939351e0d2cd5ddaae0931cd2a9a10649b17885cb56c339c57c6436687239a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
09556fac6e37dc277354251f5c9ddd6f

SHA1
7b7f382e1617f5f41cfc7cc97eab8ee31f8b858a

SHA256
df13c3dc108ef19c9899be9c5cc2cc8ddebe34f4fb2b71572c7fbc5ff224f806

SHA512
7f292c9431e2ce3f8a25e52f658a2e90050c0602059aff0ade7c699201184512d6c55a0532e90454606877a1dbd8718912179c5c080b24350782e474f024d8b5

Download Submit
memory/1216-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1688-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1688-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1900-58-0x0000000005270000-0x00000000053CF000-memory.dmp

Filesize
1.4MB

Download
memory/1900-62-0x0000000005270000-0x00000000053CF000-memory.dmp

Filesize
1.4MB

Download
memory/1900-46-0x0000000005270000-0x00000000053CF000-memory.dmp

Filesize
1.4MB

Download
memory/2224-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2664-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2664-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2684-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-19-0x00000000051D0000-0x000000000532F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-37-0x00000000053D0000-0x000000000552F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-17-0x0000000003C90000-0x0000000003DEF000-memory.dmp

Filesize
1.4MB

Download
memory/2868-20-0x0000000003C90000-0x0000000003DEF000-memory.dmp

Filesize
1.4MB

Download