4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe
Size

1.1MB
MD5

a14d7ffd5316f97528d43bd556c0debc
SHA1

20a0f2baa2d0a815e21b516dd93e2da276fc9299
SHA256

4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440
SHA512

d19f399fd6633683522e0b0121f9b76f8c66f17cab065b38b357d5c2345277e8ae5412d0053f0588099b6831dcff587803826a7bf83ea957d8232042fc086f3d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qk:acallSllG4ZM7QzMT

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1836	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2772	svchcst.exe
1836	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe
2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe
2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe
2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe
2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe
1836	svchcst.exe
1836	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1352	2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe	87
PID 2508 wrote to memory of 1352	2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe	87
PID 2508 wrote to memory of 1352	2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe	87
PID 2508 wrote to memory of 2328	2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe	88
PID 2508 wrote to memory of 2328	2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe	88
PID 2508 wrote to memory of 2328	2508	4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe	88
PID 2328 wrote to memory of 2772	2328	WScript.exe	96
PID 2328 wrote to memory of 2772	2328	WScript.exe	96
PID 2328 wrote to memory of 2772	2328	WScript.exe	96
PID 1352 wrote to memory of 1836	1352	WScript.exe	97
PID 1352 wrote to memory of 1836	1352	WScript.exe	97
PID 1352 wrote to memory of 1836	1352	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe
"C:\Users\Admin\AppData\Local\Temp\4fdbd8f0db3f4782e4e279d9fd38dda5df097fa1b2ff5b16e757779095e80440.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
53fed8baef614e23f34e24ad837b8f55

SHA1
bb0d52ad50974059251c54347fcfd7f461212fa0

SHA256
b10b740c4bd8561cfa85ab43d3cae5b7427215fbd622bf2328db701b9c893f4f

SHA512
83ddce8fc2823aacb596da938158f93572afa5895cf67833cd3f448569272b4e0ef3cc13b82e53d3ddc966dc89b406b62284b23ca97e97bd81e6e978612077e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
629f396b361a01971c912c0f01b78bca

SHA1
0e2b30f61f859ab696f8034ff9dd14c709d7d98f

SHA256
5255868690a95bc605a37bf106ea4de35aa7851ea9a5eea190ca36237627b862

SHA512
0dfdd49e5c8365f8a4cd5c73a3eed3235a9cc82bc53ff053c55fc2ebc0206c0b9a446ef6a78340b780f51445be5ef9328675503d9abf13e23331ed2f82f821a3

Download Submit
memory/1836-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download