62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe
Size

1.1MB
MD5

1c93ca84724f0aacbd2c2e28c8cf14c9
SHA1

39826a51c349a4e38a9c6393acc3db9d6ce36df1
SHA256

62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08
SHA512

257a2b5747425b91c195b704e7278e410876e42e56fb13f9cdaa18c7c21c40efb062cfa2f2ddf3559190f49c1a1c8b5dc2a5865b7710cd82d416fc9ed9cf0eab
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q3:acallSllG4ZM7QzMQ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1884	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3688	svchcst.exe
1884	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe
3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe
3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe
3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe
3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe
3688	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
3688	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 1076	3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe	87
PID 3140 wrote to memory of 1076	3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe	87
PID 3140 wrote to memory of 1076	3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe	87
PID 3140 wrote to memory of 740	3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe	88
PID 3140 wrote to memory of 740	3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe	88
PID 3140 wrote to memory of 740	3140	62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe	88
PID 740 wrote to memory of 3688	740	WScript.exe	94
PID 740 wrote to memory of 3688	740	WScript.exe	94
PID 740 wrote to memory of 3688	740	WScript.exe	94
PID 1076 wrote to memory of 1884	1076	WScript.exe	95
PID 1076 wrote to memory of 1884	1076	WScript.exe	95
PID 1076 wrote to memory of 1884	1076	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe
"C:\Users\Admin\AppData\Local\Temp\62e345a7b43d619a4b75b4418755ac8363dc569a8c38754cd5b2384dd178fa08.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1884
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4a6dad24fb6c2533fafc87e6879e9149

SHA1
250ad0adc9a5bfbdf3cd1ed3bc6668077dc0af4a

SHA256
45470699b19f972e87fc98c790b67662a78cdac50c26b1824c2eb112bda8a5ea

SHA512
3b3afc98921046a52aaea15db7909591f249c73bfd4b605bc7cd93936c2514bdc0d9489be37b722b1628ce4101bd465c3a6fc87ae763feea4b8afc4a22fba1bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
966258734fcbb69b6fca3a55c2e957d4

SHA1
e80bd1569c0b21d9acb5efa23fa9b6f3a12b6408

SHA256
3b63c561eb965db974b1cc6b95ecf6d07c536b5104a92aec25b831469b49cffd

SHA512
50583fade918e2aec48ed6c4e9b0bb5b1309adde56cd796ca43938aa590fc981372b66324f6bd5e7d82c726054af838d3daedb5688734ff946a849575cf36679

Download Submit
memory/1884-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1884-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3140-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3140-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3688-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download