4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
Size

1.1MB
MD5

74048ab45ff5e1526565c0d57ea47f18
SHA1

bea0a9386eae83372293c50244fec9590023decb
SHA256

4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955
SHA512

67add039799e127d6048ee247b3d3813e47024ada1761b729a327d7d9f5aac867c66cf61d0d731bc19a84a1af59e4334186bd2356056dc65a2d3721555013ac9
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q3:acallSllG4ZM7QzMA

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4576	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
4576	svchcst.exe
1668	svchcst.exe
316	svchcst.exe
4812	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe
4576	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
4576	svchcst.exe
4576	svchcst.exe
1668	svchcst.exe
1668	svchcst.exe
316	svchcst.exe
316	svchcst.exe
4812	svchcst.exe
4812	svchcst.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 4408	2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe	87
PID 2800 wrote to memory of 4408	2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe	87
PID 2800 wrote to memory of 4408	2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe	87
PID 2800 wrote to memory of 3460	2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe	86
PID 2800 wrote to memory of 3460	2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe	86
PID 2800 wrote to memory of 3460	2800	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe	86
PID 3460 wrote to memory of 4576	3460	WScript.exe	93
PID 3460 wrote to memory of 4576	3460	WScript.exe	93
PID 3460 wrote to memory of 4576	3460	WScript.exe	93
PID 4576 wrote to memory of 4556	4576	svchcst.exe	94
PID 4576 wrote to memory of 4556	4576	svchcst.exe	94
PID 4576 wrote to memory of 4556	4576	svchcst.exe	94
PID 4576 wrote to memory of 5008	4576	svchcst.exe	95
PID 4576 wrote to memory of 5008	4576	svchcst.exe	95
PID 4576 wrote to memory of 5008	4576	svchcst.exe	95
PID 5008 wrote to memory of 1668	5008	WScript.exe	98
PID 5008 wrote to memory of 1668	5008	WScript.exe	98
PID 5008 wrote to memory of 1668	5008	WScript.exe	98
PID 1668 wrote to memory of 3936	1668	svchcst.exe	99
PID 1668 wrote to memory of 3936	1668	svchcst.exe	99
PID 1668 wrote to memory of 3936	1668	svchcst.exe	99
PID 1668 wrote to memory of 4592	1668	svchcst.exe	100
PID 1668 wrote to memory of 4592	1668	svchcst.exe	100
PID 1668 wrote to memory of 4592	1668	svchcst.exe	100
PID 3936 wrote to memory of 316	3936	WScript.exe	102
PID 3936 wrote to memory of 316	3936	WScript.exe	102
PID 3936 wrote to memory of 316	3936	WScript.exe	102
PID 4592 wrote to memory of 4812	4592	WScript.exe	103
PID 4592 wrote to memory of 4812	4592	WScript.exe	103
PID 4592 wrote to memory of 4812	4592	WScript.exe	103

C:\Users\Admin\AppData\Local\Temp\4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
"C:\Users\Admin\AppData\Local\Temp\4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4556
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:316
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4812
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a01f96f32b17122347d682a943cf8507

SHA1
a0c89ad3e78889324cb549d326da2bbad6acfbda

SHA256
c161ae97ca9b46049523b0939332c361ddcd7109c42ca35d67f576857fe93298

SHA512
393489ae36eb82eedf0b2bbf05f2b19d1b10933f0de025f49e65d9057563906cafdd7b540b8d1dfc707ce77ccc20a19f53df07220f7f55a48b9eb83f8ea294d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c4e7c6e63669b7ac19a2abc4d482e577

SHA1
0b715c1b8c52526a168c5972ce10621deb7454cb

SHA256
44ce88ac30afb018736ddeb48d6592af936aa52a424f3630ed07f9ff016b3a58

SHA512
f95b66230ceb77d9ce412c472376233324766a3b31adcfe85797f5628b933811c970a7c538ebb06e5c66418656766704206c178745f71bec63bbbabab46af747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ea023a1f7e5d626e12d9e7dc77239b94

SHA1
23672cccba78bd3686d17554d4f62879a79ed907

SHA256
74981898e97bf28e93ba5f665640f529badf57d586463a3a36f1055eef0e6bbc

SHA512
f83825176ae2b93a1470531c636f57cdf5f983e38a1a91858fd7a6e6234af158135e619c9c3544d0e9ab5c8022688a15049f40d89295055dbb740c078bd45ea8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ce0788d763b7781b726e85e03973c2b5

SHA1
c435a92372356b48d677b88f638d63a24f10182a

SHA256
b22fb993f3c044d48f2c7d51cd88e09c79cdf2a79d3c428fa8bd96ca1163e05a

SHA512
eb92956122011e1298893f6ce3104234d4305b27729df86381b3b44d2518579db47c4e0acc771634d430d587ceaa7da606e52dfcf974b3e1ef6a784488953d50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e88d681f364c63be9aa48c73333c4c10

SHA1
fc59d67ab7cc82e5975eaa4edce6b9f6119e530b

SHA256
906dc45d68c608bc8495f7fed97521409eb7dea0f56750492f2212a7091b71f6

SHA512
076fa41d3cce4f59f17f64366ab4a3d70c53b4391d30f400197630bf2106946ad0b1dc8bccc3022191977f6a83edcda98a235314e2f2ee8965e6c9e795c76e65

Download Submit
memory/316-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/316-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1668-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4576-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4576-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4812-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download