9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
Size

1.1MB
MD5

d56f072d5a4276c300cefcd41af074ca
SHA1

1db46ff58058bcde4f92a023aaba9b6dcd96bf21
SHA256

9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173
SHA512

cc673ecd9d8f4668d81acfab2ed5616d9725c1a98ae5765f51da3b33e87cc4418ffe2746904ddd500a9029d2f825d74a914a68fa968f53e67c70d2366d31014e
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q8:CcaClSFlG4ZM7QzM7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4744	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4744	svchcst.exe
1236	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe
4744	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
4744	svchcst.exe
4744	svchcst.exe
1236	svchcst.exe
1236	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 4396	2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe	85
PID 2020 wrote to memory of 4396	2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe	85
PID 2020 wrote to memory of 4396	2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe	85
PID 2020 wrote to memory of 4468	2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe	86
PID 2020 wrote to memory of 4468	2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe	86
PID 2020 wrote to memory of 4468	2020	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe	86
PID 4468 wrote to memory of 4744	4468	WScript.exe	93
PID 4468 wrote to memory of 4744	4468	WScript.exe	93
PID 4468 wrote to memory of 4744	4468	WScript.exe	93
PID 4396 wrote to memory of 1236	4396	WScript.exe	94
PID 4396 wrote to memory of 1236	4396	WScript.exe	94
PID 4396 wrote to memory of 1236	4396	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
"C:\Users\Admin\AppData\Local\Temp\9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
dcb8016d8dfb8dac6ca986b43e7fffd7

SHA1
ffe7e576f1918bc7b19e548f0e3e2169dd252d1f

SHA256
cb9d5b071169a9d7fa29c687ee3a8d7dbbc66ec97ad8cafd6c0a89a663a75b48

SHA512
b6ab99be58c924f79524d14d97ad9d3aadeaec6fa2a493a5756251834b64d441ba2169c76bb86d6db3988ac0372efe4519db2a00e4a3b8d07c65fbc42312190e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
deacffb0af08fa7cd74b759aebc8c722

SHA1
58157d7524fe348e966eeb683f042d7d9b9d2403

SHA256
bc97eb225f23a16f476050bd02d0455537eaf0b58190b78d960189a647103692

SHA512
44c1a99d564e5483ecd35344e70abdfb9bc07d6af3221f627ae24b8d2f0b6700c19b70c1f564aef42d69462c356fe61f3cc94f811a2defb76174aed5fe4178e1

Download Submit
memory/2020-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download