8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
Size

1.1MB
MD5

29f0e9e74f43e87260872ebb2ec4bb3d
SHA1

2702f1af53e31e08ea24f0a7329b135aef809922
SHA256

8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85
SHA512

b453e8bcf31131d6345e18c361e928cc0d067124f52d1d101a3e84f43e41599afa009cf93866747bc7c1a8721805c85f7875964156316293e434c91d3ea44204
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q0:CcaClSFlG4ZM7QzMT

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3420	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3420	svchcst.exe
1592	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe
3420	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
3420	svchcst.exe
3420	svchcst.exe
1592	svchcst.exe
1592	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4196	2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe	86
PID 2228 wrote to memory of 4196	2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe	86
PID 2228 wrote to memory of 4196	2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe	86
PID 2228 wrote to memory of 2608	2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe	87
PID 2228 wrote to memory of 2608	2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe	87
PID 2228 wrote to memory of 2608	2228	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe	87
PID 4196 wrote to memory of 3420	4196	WScript.exe	90
PID 4196 wrote to memory of 3420	4196	WScript.exe	90
PID 4196 wrote to memory of 3420	4196	WScript.exe	90
PID 2608 wrote to memory of 1592	2608	WScript.exe	89
PID 2608 wrote to memory of 1592	2608	WScript.exe	89
PID 2608 wrote to memory of 1592	2608	WScript.exe	89

C:\Users\Admin\AppData\Local\Temp\8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
"C:\Users\Admin\AppData\Local\Temp\8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3420
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
2f3e08b3658e55708b46861ba6d5c488

SHA1
2273bf8d77e8959179e1336a6a3041ae01d3bbf9

SHA256
1f17fa37f1c629897fb4b6a3159f600e8946b5727c8e88ea611acdb7db69135b

SHA512
cec87c0a5d1ffc7e5d055e64302d3494f1cf151896924cd28d2f2b03084744b0c81a3e37199ea28d66ad7e4107f5475ff879156b1d07eb7fe92359e9d92e3dec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3ad2e6b6c3318ba22bdbf950d56952a4

SHA1
5be392e0b3be985dd744a3d26ebe6b0bd55af77c

SHA256
2c309401777392f0a2ff403bf309ea7cf641b53470e59ebb88fb9eee5ab3fba0

SHA512
a1af53d19b3ec8e03903755437a9c042bd82d31719917abc10ae22db96a571b07ad63f2bd6dcb6ce3a2a20e0430e8a1a79512e9820073b30bb16d0f32316c354

Download Submit
memory/2228-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download