Analysis

  • max time kernel: 125s
  • max time network: 127s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/08/2024, 22:59

General

  • Target: 182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
  • Size: 1.1MB
  • MD5: bddedb07f37c6c5c91af3fd90ec033eb
  • SHA1: 0c9da9da680ecc74d0641b1993850d254394b040
  • SHA256: 182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c
  • SHA512: 815a22c97f3d1425207da54ec837fa7b8f61d9aa1e4eae571309bf0d2fa6b8e529f1cb38e4913247a2ed82ec860d65c38658b206bf235e842f701ae04d523eb3
  • SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzMr

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 5 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
    "C:\Users\Admin\AppData\Local\Temp\182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3904
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4468
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1480
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4112
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:660
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
    1⤵
    PID:2288

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
    Filesize: 92B
    MD5: 67b9b3e2ded7086f393ebbc36c5e7bca
    SHA1: e6299d0450b9a92a18cc23b5704a2b475652c790
    SHA256: 44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d
    SHA512: 826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize: 753B
    MD5: 0704f1e1a9281e2eb1815628da27ba05
    SHA1: 7e9e9c8390f5a57f8a2745c111d3b1ecaa73cf72
    SHA256: 2e15a444175881175fc4d5e21fd24eaf2c2c559df9e71afeff5626ee75ed6a7b
    SHA512: 1d76ed310f66fb457b0e23882b61fee6be55fc381485f2772b6e5d1e08282475545af9d62f53ba41be8016af1fb879116cf49cdc3779fa9abd0929bd7894259b

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize: 696B
    MD5: 5ef4272f4d6f345fc8cc1b2f059c81b4
    SHA1: 78bcb559f775d70e10396e1d6d7b95c28d2645d1
    SHA256: 19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652
    SHA512: 002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize: 1.1MB
    MD5: 0949e1db3ac5364609e3c4635430a028
    SHA1: 33acb003118ee293d1a29f50b4bfc61a670333a4
    SHA256: 8db2b68c744745c45059f0a409fb5d0373c8f912d8dd33db6178504cb0d27726
    SHA512: 644f931144526a859a8361991ef05e798e72931b8b2621c640649a7213a8f9e7127202f665a9b6ae7d09e4482e786b83b95224b283c3651db54cd638c2b2489b

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize: 1.1MB
    MD5: cf72bb547d8957d1570264706fed042e
    SHA1: f617662c1b423bdbebb564b2366471a03685d198
    SHA256: 37752b550920c50f4fa27e350f63e2aa2c3209abf880b20cd95c8cd43e4af674
    SHA512: ac7364a573dc0257a02a5b51f1574aefbb55520b912bcf9002059a1a293ee39aefd7e178c50c174000bdf6df2e2ebae4eb597bb9317a0dee297ce728991f0cbc

  • memory/4112-31-0x0000000000400000-0x000000000055F000-memory.dmp
    Filesize: 1.4MB

  • memory/4468-30-0x0000000000400000-0x000000000055F000-memory.dmp
    Filesize: 1.4MB

  • memory/4828-15-0x0000000000400000-0x000000000055F000-memory.dmp
    Filesize: 1.4MB

  • memory/4828-26-0x0000000000400000-0x000000000055F000-memory.dmp
    Filesize: 1.4MB

  • memory/4948-0-0x0000000000400000-0x000000000055F000-memory.dmp
    Filesize: 1.4MB

  • memory/4948-12-0x0000000000400000-0x000000000055F000-memory.dmp
    Filesize: 1.4MB