5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec

Analysis

max time kernel
125s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe
Size

1.1MB
MD5

a7a0c73e4886a7c8b2d521c48096ccc7
SHA1

1a0cd7a35b31daac36a658dcbea3a9dbc22f86d2
SHA256

5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec
SHA512

d8feb6977c92ef075bffe1db4ee18b7bb109b8c04b3c4eff2dccc07492969e5a75febe876b3dd93c5edc1930948a545275be7aa2b3e3d93e945ab5124d3a0019
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QB:acallSllG4ZM7QzMi

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
780	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
900	svchcst.exe
780	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe
4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe
4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe
4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe
780	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe
4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe
780	svchcst.exe
780	svchcst.exe
900	svchcst.exe
900	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 2396	4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe	94
PID 4960 wrote to memory of 2396	4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe	94
PID 4960 wrote to memory of 2396	4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe	94
PID 4960 wrote to memory of 996	4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe	93
PID 4960 wrote to memory of 996	4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe	93
PID 4960 wrote to memory of 996	4960	5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe	93
PID 996 wrote to memory of 900	996	WScript.exe	97
PID 996 wrote to memory of 900	996	WScript.exe	97
PID 996 wrote to memory of 900	996	WScript.exe	97
PID 2396 wrote to memory of 780	2396	WScript.exe	98
PID 2396 wrote to memory of 780	2396	WScript.exe	98
PID 2396 wrote to memory of 780	2396	WScript.exe	98

C:\Users\Admin\AppData\Local\Temp\5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe
"C:\Users\Admin\AppData\Local\Temp\5fd620b103ab2d076772f49506bdeafa32ddc70cfa7cea1bc50a2ac11d8521ec.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3908,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=1412 /prefetch:8
1⤵
PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
aeba260e52bcc0b76fb28cb5a1f72619

SHA1
9d6df7acf1bbb89dfddbd8bf9684aeeb206ce6b8

SHA256
f26cc347e01443585557baa498f96997350a1df67b2f64c4175d354b7d38c842

SHA512
4d3f47af4241689917794dc8b916fe362530560007b56b6c30545996b30ae06156805d11b1a520a2150a1877e4a4037577426ecff6c9143930e3f007acfb4754

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c0556dcc4299597f4615d7c709399402

SHA1
bb10b2e299b769cf5890ea34abdb479146ffe511

SHA256
9b34ea76dd79662e5caca6eef4aa0b768e265e34bf80137925ba4cff4572aaaf

SHA512
925b03d9db12279b66c80392bcbfcf64b41ef380488367911e43365923c81c9efd513e789017bc51b5389ab2276a2e5d03c2761c42163d661cf6e8a733ec200b

Download Submit
memory/780-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/780-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/900-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4960-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4960-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download