Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/08/2024, 20:39
Static task: static1
Behavioral task: behavioral1
Sample: 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe
Resource: win10v2004-20240802-en
General
Target: 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe
Size: 1.1MB
MD5: 0723cda2c50ce68b7fe8fe3f01b700fb
SHA1: a81e6f555db99c753ea577c8afb2a344a6625b65
SHA256: 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30
SHA512: 8452815075448da072b5fc118b8fbf10d372772fe6df945b0ae4d0a7ecead61babfaf61b2a2f69d8f30f0c4749492dda2ab206eceabcfb8e3f5f2f3a29b9257d
SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QT:acallSllG4ZM7QzM0
Malware Config
Signatures
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | svchcst.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | WScript.exe

Deletes itself (1 IoCs)
pid | Process
1524 | svchcst.exe

Executes dropped EXE (3 IoCs)
pid | Process
1524 | svchcst.exe
3100 | svchcst.exe
2548 | svchcst.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchcst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchcst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchcst.exe
Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | svchcst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
380 | 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe | 4
1524 | svchcst.exe | 60

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
380 | 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
380 | 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe
380 | 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe
1524 | svchcst.exe
1524 | svchcst.exe
2548 | svchcst.exe
3100 | svchcst.exe
3100 | svchcst.exe
2548 | svchcst.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 380 wrote to memory of 3636 | 380 | 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe | 86
PID 380 wrote to memory of 3636 | 380 | 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe | 86
PID 380 wrote to memory of 3636 | 380 | 37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe | 86
PID 3636 wrote to memory of 1524 | 3636 | WScript.exe | 88
PID 3636 wrote to memory of 1524 | 3636 | WScript.exe | 88
PID 3636 wrote to memory of 1524 | 3636 | WScript.exe | 88
PID 1524 wrote to memory of 3344 | 1524 | svchcst.exe | 89
PID 1524 wrote to memory of 3344 | 1524 | svchcst.exe | 89
PID 1524 wrote to memory of 3344 | 1524 | svchcst.exe | 89
PID 1524 wrote to memory of 2788 | 1524 | svchcst.exe | 90
PID 1524 wrote to memory of 2788 | 1524 | svchcst.exe | 90
PID 1524 wrote to memory of 2788 | 1524 | svchcst.exe | 90
PID 3344 wrote to memory of 3100 | 3344 | WScript.exe | 91
PID 3344 wrote to memory of 3100 | 3344 | WScript.exe | 91
PID 3344 wrote to memory of 3100 | 3344 | WScript.exe | 91
PID 2788 wrote to memory of 2548 | 2788 | WScript.exe | 92
PID 2788 wrote to memory of 2548 | 2788 | WScript.exe | 92
PID 2788 wrote to memory of 2548 | 2788 | WScript.exe | 92
Processes
(level) image path / command line / PID / matched signatures; indentation shows parent-child relationship

(1) C:\Users\Admin\AppData\Local\Temp\37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe"
    PID: 380
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  (2) C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID: 3636
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

    (3) C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        PID: 1524
        - Checks computer location settings
        - Deletes itself
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      (4) C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          PID: 3344
          - Checks computer location settings
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory

        (5) C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            PID: 3100
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

      (4) C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          PID: 2788
          - Checks computer location settings
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory

        (5) C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            PID: 2548
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads