51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa

Analysis

max time kernel
95s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
Size

1.1MB
MD5

e290bd8806761a77b1d6463c37e5eb34
SHA1

673bfa67e8a97c03b7a20c0f42123e65068ed0f5
SHA256

51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa
SHA512

43caaf15108c38e745e06ae351685e2b036b4da3f36d98581625ed288f40a59cb2237ea804362b0c842ff7ea4009a3650578ab96f3d3c864457a9fa4ddc4fc8f
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QZ:acallSllG4ZM7QzM6

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
1624	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1624	svchcst.exe
3936	svchcst.exe
4620	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1268	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
1268	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1268	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1268	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
1268	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
1624	svchcst.exe
1624	svchcst.exe
3936	svchcst.exe
3936	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 1928	1268	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe	88
PID 1268 wrote to memory of 1928	1268	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe	88
PID 1268 wrote to memory of 1928	1268	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe	88
PID 1928 wrote to memory of 1624	1928	WScript.exe	90
PID 1928 wrote to memory of 1624	1928	WScript.exe	90
PID 1928 wrote to memory of 1624	1928	WScript.exe	90
PID 1624 wrote to memory of 4476	1624	svchcst.exe	91
PID 1624 wrote to memory of 4476	1624	svchcst.exe	91
PID 1624 wrote to memory of 4476	1624	svchcst.exe	91
PID 1624 wrote to memory of 2632	1624	svchcst.exe	92
PID 1624 wrote to memory of 2632	1624	svchcst.exe	92
PID 1624 wrote to memory of 2632	1624	svchcst.exe	92
PID 2632 wrote to memory of 3936	2632	WScript.exe	93
PID 2632 wrote to memory of 3936	2632	WScript.exe	93
PID 2632 wrote to memory of 3936	2632	WScript.exe	93
PID 4476 wrote to memory of 4620	4476	WScript.exe	94
PID 4476 wrote to memory of 4620	4476	WScript.exe	94
PID 4476 wrote to memory of 4620	4476	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
"C:\Users\Admin\AppData\Local\Temp\51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4620
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bdff210bf33c9ed5f2b10773c8c98ff5

SHA1
fc4fbaca4c7f23506dc792dec89e640050ad62e9

SHA256
900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

SHA512
45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5b56cf869e71a01717fe622d0e278209

SHA1
938abac36fdbe36e2d05647f2e625d811f0887c5

SHA256
9ec943bccdf2f553ec830ce02881d6440794e50ed886dd07d9c4a3b4807038b2

SHA512
8ce0f9963a97b9059d07532e1814b78d1bc527a4a5c5fef046a0f2ed0b4d2065fb15ded5cd4fa71416d3990014f8b59c3521cd93184377464d0239f86c5bd358

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
23f82a2bc64fc371d09f7dfa178d5ccf

SHA1
a798c0d7f06fd1998f0e3d78d3e99da64ed008df

SHA256
c14c2ff243f96f6678b471b98e920036a8c8188bce7d65c509c893c67414e4a3

SHA512
a31ea6fd097ca4c5cc6a234f08fbbdf2321d6c71eef3b181ff12cbfb63cc4e8ed0f56167d5e92da52dc9252674324c7bde8338fddb8fa19f33b49ede639caa2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
54a797e5ed9216857efca955cb4e7751

SHA1
28ebc5aa17ef9502b5ce552ac2fe8a1a4c7a9c8f

SHA256
905a10a821f748d4f5c8711a15182fe9b665e98aa4a6474234f5fc6813849452

SHA512
558fe2acc122a4632e41c2f83d464e1a72aa7efdd321ff68866aa082fd35b85ebcb9ac8fb151d9362d2c37b7086c17f3aca2c0551ca66978a151b654e1211b01

Download Submit
memory/1268-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1268-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3936-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4620-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download