856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 06:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe
Size

1.1MB
MD5

25e9c55b6e9c3121bd4f19790007f49f
SHA1

afad98d748006b6d15c1fe66ed8866442a2c53ab
SHA256

856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16
SHA512

0bf99becadcc44d33a65912ab8554e43620bb50926fa99233d9d5447e78ba14010adffc9841cd944cbf664dbce976d5e4d47d0b48abc64970c6acbee4397679f
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QE:acallSllG4ZM7QzMD

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3768	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3560	svchcst.exe
3768	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe
4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe
4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe
4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe
4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe
3560	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3560	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 2412	4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe	86
PID 4900 wrote to memory of 2412	4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe	86
PID 4900 wrote to memory of 2412	4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe	86
PID 4900 wrote to memory of 1096	4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe	87
PID 4900 wrote to memory of 1096	4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe	87
PID 4900 wrote to memory of 1096	4900	856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe	87
PID 2412 wrote to memory of 3768	2412	WScript.exe	94
PID 2412 wrote to memory of 3768	2412	WScript.exe	94
PID 2412 wrote to memory of 3768	2412	WScript.exe	94
PID 1096 wrote to memory of 3560	1096	WScript.exe	93
PID 1096 wrote to memory of 3560	1096	WScript.exe	93
PID 1096 wrote to memory of 3560	1096	WScript.exe	93

C:\Users\Admin\AppData\Local\Temp\856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe
"C:\Users\Admin\AppData\Local\Temp\856701951b31bfc10d37abdc46a2957a305a4dfb4f481b415cf2436187020a16.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3768
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
bb4f914a38ab1d2777cca592fea77666

SHA1
dee942094a072b8b678303303b2652cf679282e0

SHA256
696be3b75f9548e39ef21d401c617c6705aecfba9d482ff8a1c857338d77c318

SHA512
46824da2dc41b660bda2ed3dc9f3dc7b2a9cf10b7f8c1a0535e211713e7cb916f0db8009cabd307fc553674b2af2c2af1820313b4698f2c18572957c6f1f5dfd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b9dc157837bcac0bdf190cf03a5d75ee

SHA1
ced7ce4c0f2a93c7f94b0139c591c3fea694a5a1

SHA256
5a41707fc42a09dfb9de81ea7e9591708bec43466da6eba1ca5710b838fd7cbf

SHA512
fdce99e388a3aa81e09922a590bb2b0f90e79036e2ec78717281ae52e037d848289be734c8abe132e8ebd4b74a96cf7061aeef7d73b937f3c183fa8bdde09312

Download Submit
memory/3560-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3560-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3768-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3768-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4900-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4900-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download