1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8

Analysis

max time kernel
135s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
Size

1.1MB
MD5

a0355b8e3ef2cad724fc6ced7e45ab2a
SHA1

abdf578bfde36f4efe62c4b79bc415701de18483
SHA256

1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8
SHA512

c78dde76cc660b5ed4c05a0a53cfe08676438aa7d051322e4c14c45a05d69c0fdad93c703dea664b95815e6953fdd283e0e870d417f436dc1539304d27ca44e3
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QH:acallSllG4ZM7QzMg

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4084	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
4084	svchcst.exe
3532	svchcst.exe
3576	svchcst.exe
4916	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5068	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
5068	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
5068	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
5068	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe
4084	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5068	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5068	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
5068	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
4084	svchcst.exe
4084	svchcst.exe
3532	svchcst.exe
3532	svchcst.exe
4916	svchcst.exe
3576	svchcst.exe
4916	svchcst.exe
3576	svchcst.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2588	5068	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe	88
PID 5068 wrote to memory of 2588	5068	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe	88
PID 5068 wrote to memory of 2588	5068	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe	88
PID 2588 wrote to memory of 4084	2588	WScript.exe	90
PID 2588 wrote to memory of 4084	2588	WScript.exe	90
PID 2588 wrote to memory of 4084	2588	WScript.exe	90
PID 4084 wrote to memory of 4544	4084	svchcst.exe	91
PID 4084 wrote to memory of 4544	4084	svchcst.exe	91
PID 4084 wrote to memory of 4544	4084	svchcst.exe	91
PID 4084 wrote to memory of 3120	4084	svchcst.exe	92
PID 4084 wrote to memory of 3120	4084	svchcst.exe	92
PID 4084 wrote to memory of 3120	4084	svchcst.exe	92
PID 4544 wrote to memory of 3532	4544	WScript.exe	93
PID 4544 wrote to memory of 3532	4544	WScript.exe	93
PID 4544 wrote to memory of 3532	4544	WScript.exe	93
PID 3532 wrote to memory of 4548	3532	svchcst.exe	94
PID 3532 wrote to memory of 4548	3532	svchcst.exe	94
PID 3532 wrote to memory of 4548	3532	svchcst.exe	94
PID 3532 wrote to memory of 736	3532	svchcst.exe	95
PID 3532 wrote to memory of 736	3532	svchcst.exe	95
PID 3532 wrote to memory of 736	3532	svchcst.exe	95
PID 4548 wrote to memory of 3576	4548	WScript.exe	96
PID 4548 wrote to memory of 3576	4548	WScript.exe	96
PID 4548 wrote to memory of 3576	4548	WScript.exe	96
PID 736 wrote to memory of 4916	736	WScript.exe	97
PID 736 wrote to memory of 4916	736	WScript.exe	97
PID 736 wrote to memory of 4916	736	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
"C:\Users\Admin\AppData\Local\Temp\1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3532
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3576
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4916
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a2062675385b4e657fcd794947c827f6

SHA1
f411b0140c62d3ae2104dee6c6f1def153ab7028

SHA256
b2e6ceb42761f1419a6b3345b7edd7f35cc80c5d02186c894fb37b7d1f8376ff

SHA512
9a19aed10ffea749d0f96c4e4a285260893bbb88c50da79d5f157d39de770618f56dadb0d8d71ca3c6d5aa71d1ddc5fb9f40460c6f4d0b375fa11596e76608a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3cfd020cfc5f37a3ecdb8839d7badad8

SHA1
2465c818e799788f7d0f59373b8ec33399edcb33

SHA256
2b5ff6e0b6706fdc79abd25b46eb1e05a31ff5cce2f644a0eac0d52543d780fb

SHA512
c8dd565ea9717c8a512bdb5f657274859c4738f7b3be84f60439251b3a0ef9ec5317ef85b5178d33f0ffbc0008ee30b13c622e70c673a8a8942a6aa2b9da168d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c195dd2134ced54d04f96d70695bc5ce

SHA1
7409ad246bae8c4345ef9cd8303372fb49ab5355

SHA256
cc08d8ec418f4ed5648f0c739746d0dfccb9c8ae94281f5e6f20e318a85cfe7f

SHA512
01363920eaed44c2dbc870b09b136282c5f8d57e4132b29e9e07d81c0cdcdff83071ae44880fda523f51920c08629e2a0eb4bcc0c743912f61fd94011e358443

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9f0997a2fc22ad267bef67c26d3ecd07

SHA1
0c940c1652facc572353b6f73755dea28781db6e

SHA256
6b36ebfec1f60cd2cccf3c5b510f08a8638faf906ef04678ba9d1df8b75e319a

SHA512
361a7ef0b622ecaec2834f7c437b93af2877237aa3393b0f7ea9f1316ae5b09b5d6188b697c0dc85ffdf25c20f804780a147c086e5c188853830844f4701a881

Download Submit
memory/3532-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3532-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3576-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3576-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4084-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4916-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4916-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5068-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5068-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download