dce146fd6044e0300e9195793ef6faefa79d08cc8ad5c21f2c2e903de14d5d1a

Analysis

max time kernel
103s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5bbda624d1b8aba4f4f49ac996a27a0N.exe
Size

1.1MB
MD5

b5bbda624d1b8aba4f4f49ac996a27a0
SHA1

1f2688e09a4b2320e3a98acf6fbd520e436de7e9
SHA256

dce146fd6044e0300e9195793ef6faefa79d08cc8ad5c21f2c2e903de14d5d1a
SHA512

608795549b18d09c2d1c653fa86e7d2d17ad79c97d3d01781fdac9a36be355492fdaeecd9acb829a4de9b1c3ee6267d798c83d8f0173e7dcc2c664add55f089a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qg:CcaClSFlG4ZM7QzMH

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4708	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2892	svchcst.exe
4708	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe
4708	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
4708	svchcst.exe
4708	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1004	368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe	86
PID 368 wrote to memory of 1004	368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe	86
PID 368 wrote to memory of 1004	368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe	86
PID 368 wrote to memory of 1540	368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe	87
PID 368 wrote to memory of 1540	368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe	87
PID 368 wrote to memory of 1540	368	b5bbda624d1b8aba4f4f49ac996a27a0N.exe	87
PID 1540 wrote to memory of 4708	1540	WScript.exe	94
PID 1540 wrote to memory of 4708	1540	WScript.exe	94
PID 1540 wrote to memory of 4708	1540	WScript.exe	94
PID 1004 wrote to memory of 2892	1004	WScript.exe	95
PID 1004 wrote to memory of 2892	1004	WScript.exe	95
PID 1004 wrote to memory of 2892	1004	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\b5bbda624d1b8aba4f4f49ac996a27a0N.exe
"C:\Users\Admin\AppData\Local\Temp\b5bbda624d1b8aba4f4f49ac996a27a0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2892
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
722B

MD5
5afac2c9119ea6edeb4a0f93fbdaaa73

SHA1
11cb5cf7b92b3f537d7af4096da01faa65bf8119

SHA256
8100596c7bf3596e9e293306bcc7d60ed87a3288e38c9783ca5fda3ffd634ffc

SHA512
0eec5b9842ead36e91f94ef82983b75faf2d5ff0d4dae7d09be792496bd84fe813df98c6c9f48d87bef5c4cda443e03ad416c2d85b66c83abbbceb3a05e1d468

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c0abdb045af8262ce1b5a9c33f4aa3fd

SHA1
09f473a68aeceb89f03dcfdda29000ed8ff1b480

SHA256
a62d9f4e0c89abe6ed7117141eafbc8056212f339b34c255ad3d06d0df7e63f3

SHA512
cde3a8b20f2b3b93ce9548f9a610024549f55e1cb6bff4feb520dd724a39b523f46c717096cb10a2e5ca4c0a82a61a54ac510f3a286cecf9205b3f7f5dc1e3a6

Download Submit
memory/368-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download