Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/08/2024, 20:39

General

  • Target

    37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe

  • Size

    1.1MB

  • MD5

    0723cda2c50ce68b7fe8fe3f01b700fb

  • SHA1

    a81e6f555db99c753ea577c8afb2a344a6625b65

  • SHA256

    37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30

  • SHA512

    8452815075448da072b5fc118b8fbf10d372772fe6df945b0ae4d0a7ecead61babfaf61b2a2f69d8f30f0c4749492dda2ab206eceabcfb8e3f5f2f3a29b9257d

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QT:acallSllG4ZM7QzM0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe
    "C:\Users\Admin\AppData\Local\Temp\37bcffc1416eea8ddbbffcaaaca849b8cc14e578ff1a993109006e0a41230c30.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3344
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3100
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2788
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2548

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

          Filesize

          92B

          MD5

          67b9b3e2ded7086f393ebbc36c5e7bca

          SHA1

          e6299d0450b9a92a18cc23b5704a2b475652c790

          SHA256

          44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

          SHA512

          826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          753B

          MD5

          327b1a01f22d53b58ed0416f3438802f

          SHA1

          4f8ca375dd1aff16f26a8f8c4b278bd85054b349

          SHA256

          a11660caee783fdb14d51e600a097dc88b30e02837e02c5ee65370c17bacacaf

          SHA512

          694a02621f763c305dca50da32b6b3b27d5cbf62e8716ba1e945fc990eb2cb6a06bb65885ba5e8f750a2d146248e128f610fd53491d2cfb6d19a721de4927454

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          51b2348c37bbedcb127fa176820f5ea2

          SHA1

          6e70ca09179127890e64c4ffa345b2af573c39fa

          SHA256

          7b37f5580068bfba5583d762d9b64c8ee6468a9e064547f230757c4be595bd02

          SHA512

          0f9755ae0408b0dd6e1279bfa8c5dfbe63b3775a81a3c5b342c5e56e7521d292b0c4e94053e6fa0c3da233f3af60aae2dc28749f991ea81fd9bf2627698a343e

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          4f1a972c7bc4fbb3e7e21db6c6f70565

          SHA1

          4f95b6064a3e2fb09d3f1e2ffc485f9b1fb7923c

          SHA256

          40bb2c6aa470354d4dc319459f7d4f3045059950a98619fadd0a06e4ead4217f

          SHA512

          04545e803ebae52ce03540484686b12576309610a4fec2a92c2f5b01a2bbbecfb5a315a798a1498d7e53b1fef36112a03e8d7ee8990d0f035e420ec15b2d7aa7

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          724fc9354ab7214b465ab4ff31312501

          SHA1

          966d2c9e5ec0ed26d57d68c4e4d4a1fe66c9a531

          SHA256

          1fe59b60ca13e2297dd3469ed36f44c575fc88896ddf7b0453debce96ba90681

          SHA512

          7b388066e8bbe20e6f3e571a9c9b791f59ef3285b4ed2c71d6fb675531302d3cf4a2aecf3d51cd4b7744548d489cc7c82030ef52dd9bd5360eff3d3296e578b0

        • memory/380-0-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/380-9-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1524-12-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1524-24-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2548-29-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2548-30-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/3100-28-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/3100-31-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB