Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/08/2024, 19:40

General

  • Target

    4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe

  • Size

    1.1MB

  • MD5

    74048ab45ff5e1526565c0d57ea47f18

  • SHA1

    bea0a9386eae83372293c50244fec9590023decb

  • SHA256

    4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955

  • SHA512

    67add039799e127d6048ee247b3d3813e47024ada1761b729a327d7d9f5aac867c66cf61d0d731bc19a84a1af59e4334186bd2356056dc65a2d3721555013ac9

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q3:acallSllG4ZM7QzMA

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3460
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4576
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4556
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:5008
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1668
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3936
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:316
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4592
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4812
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    a01f96f32b17122347d682a943cf8507

    SHA1

    a0c89ad3e78889324cb549d326da2bbad6acfbda

    SHA256

    c161ae97ca9b46049523b0939332c361ddcd7109c42ca35d67f576857fe93298

    SHA512

    393489ae36eb82eedf0b2bbf05f2b19d1b10933f0de025f49e65d9057563906cafdd7b540b8d1dfc707ce77ccc20a19f53df07220f7f55a48b9eb83f8ea294d7

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    44c38fa25d3a9963483b583388b6f47b

    SHA1

    e9b37eb8bcbe2ddda96178ee7502616660cfce57

    SHA256

    004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

    SHA512

    c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    c4e7c6e63669b7ac19a2abc4d482e577

    SHA1

    0b715c1b8c52526a168c5972ce10621deb7454cb

    SHA256

    44ce88ac30afb018736ddeb48d6592af936aa52a424f3630ed07f9ff016b3a58

    SHA512

    f95b66230ceb77d9ce412c472376233324766a3b31adcfe85797f5628b933811c970a7c538ebb06e5c66418656766704206c178745f71bec63bbbabab46af747

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    ea023a1f7e5d626e12d9e7dc77239b94

    SHA1

    23672cccba78bd3686d17554d4f62879a79ed907

    SHA256

    74981898e97bf28e93ba5f665640f529badf57d586463a3a36f1055eef0e6bbc

    SHA512

    f83825176ae2b93a1470531c636f57cdf5f983e38a1a91858fd7a6e6234af158135e619c9c3544d0e9ab5c8022688a15049f40d89295055dbb740c078bd45ea8

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    ce0788d763b7781b726e85e03973c2b5

    SHA1

    c435a92372356b48d677b88f638d63a24f10182a

    SHA256

    b22fb993f3c044d48f2c7d51cd88e09c79cdf2a79d3c428fa8bd96ca1163e05a

    SHA512

    eb92956122011e1298893f6ce3104234d4305b27729df86381b3b44d2518579db47c4e0acc771634d430d587ceaa7da606e52dfcf974b3e1ef6a784488953d50

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    e88d681f364c63be9aa48c73333c4c10

    SHA1

    fc59d67ab7cc82e5975eaa4edce6b9f6119e530b

    SHA256

    906dc45d68c608bc8495f7fed97521409eb7dea0f56750492f2212a7091b71f6

    SHA512

    076fa41d3cce4f59f17f64366ab4a3d70c53b4391d30f400197630bf2106946ad0b1dc8bccc3022191977f6a83edcda98a235314e2f2ee8965e6c9e795c76e65

  • memory/316-44-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/316-42-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/1668-38-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/2800-0-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/2800-11-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/4576-25-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/4576-14-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/4812-43-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB