182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
Size

1.1MB
MD5

bddedb07f37c6c5c91af3fd90ec033eb
SHA1

0c9da9da680ecc74d0641b1993850d254394b040
SHA256

182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c
SHA512

815a22c97f3d1425207da54ec837fa7b8f61d9aa1e4eae571309bf0d2fa6b8e529f1cb38e4913247a2ed82ec860d65c38658b206bf235e842f701ae04d523eb3
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzMr

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe

Deletes itself 1 IoCs

pid	Process
4828	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4828	svchcst.exe
4468	svchcst.exe
4112	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe
4828	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
4828	svchcst.exe
4828	svchcst.exe
4468	svchcst.exe
4468	svchcst.exe
4112	svchcst.exe
4112	svchcst.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3904	4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	93
PID 4948 wrote to memory of 3904	4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	93
PID 4948 wrote to memory of 3904	4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	93
PID 4948 wrote to memory of 660	4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	94
PID 4948 wrote to memory of 660	4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	94
PID 4948 wrote to memory of 660	4948	182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe	94
PID 3904 wrote to memory of 4828	3904	WScript.exe	97
PID 3904 wrote to memory of 4828	3904	WScript.exe	97
PID 3904 wrote to memory of 4828	3904	WScript.exe	97
PID 4828 wrote to memory of 1648	4828	svchcst.exe	98
PID 4828 wrote to memory of 1648	4828	svchcst.exe	98
PID 4828 wrote to memory of 1648	4828	svchcst.exe	98
PID 4828 wrote to memory of 1480	4828	svchcst.exe	99
PID 4828 wrote to memory of 1480	4828	svchcst.exe	99
PID 4828 wrote to memory of 1480	4828	svchcst.exe	99
PID 1480 wrote to memory of 4112	1480	WScript.exe	101
PID 1480 wrote to memory of 4112	1480	WScript.exe	101
PID 1480 wrote to memory of 4112	1480	WScript.exe	101
PID 1648 wrote to memory of 4468	1648	WScript.exe	100
PID 1648 wrote to memory of 4468	1648	WScript.exe	100
PID 1648 wrote to memory of 4468	1648	WScript.exe	100

C:\Users\Admin\AppData\Local\Temp\182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
"C:\Users\Admin\AppData\Local\Temp\182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4468
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0704f1e1a9281e2eb1815628da27ba05

SHA1
7e9e9c8390f5a57f8a2745c111d3b1ecaa73cf72

SHA256
2e15a444175881175fc4d5e21fd24eaf2c2c559df9e71afeff5626ee75ed6a7b

SHA512
1d76ed310f66fb457b0e23882b61fee6be55fc381485f2772b6e5d1e08282475545af9d62f53ba41be8016af1fb879116cf49cdc3779fa9abd0929bd7894259b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0949e1db3ac5364609e3c4635430a028

SHA1
33acb003118ee293d1a29f50b4bfc61a670333a4

SHA256
8db2b68c744745c45059f0a409fb5d0373c8f912d8dd33db6178504cb0d27726

SHA512
644f931144526a859a8361991ef05e798e72931b8b2621c640649a7213a8f9e7127202f665a9b6ae7d09e4482e786b83b95224b283c3651db54cd638c2b2489b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cf72bb547d8957d1570264706fed042e

SHA1
f617662c1b423bdbebb564b2366471a03685d198

SHA256
37752b550920c50f4fa27e350f63e2aa2c3209abf880b20cd95c8cd43e4af674

SHA512
ac7364a573dc0257a02a5b51f1574aefbb55520b912bcf9002059a1a293ee39aefd7e178c50c174000bdf6df2e2ebae4eb597bb9317a0dee297ce728991f0cbc

Download Submit
memory/4112-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4468-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4828-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4828-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4948-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4948-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download