f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 05:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
Size

1.1MB
MD5

71745098ee42363d3d18489e6cf47c73
SHA1

cd134c3b2b816f1e6cd4452de63b22b9637f2514
SHA256

f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1
SHA512

b7063ad3580dbc53f465f5cbf26bf3352d3be44600dac7b9151dec7a4f0a7a099aafb5c5df050590964b8a817f11eb5ef806d5b8ec6c934843391342f37b052f
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QR:CcaClSFlG4ZM7QzMy

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3424	svchcst.exe

Executes dropped EXE 12 IoCs

pid	Process
1676	svchcst.exe
3320	svchcst.exe
1012	svchcst.exe
4396	svchcst.exe
4432	svchcst.exe
4620	svchcst.exe
1808	svchcst.exe
2288	svchcst.exe
2168	svchcst.exe
3424	svchcst.exe
4408	svchcst.exe
4400	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
784	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
784	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
784	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
784	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
784	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
784	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
784	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
1676	svchcst.exe
1676	svchcst.exe
3320	svchcst.exe
3320	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
4396	svchcst.exe
4396	svchcst.exe
4432	svchcst.exe
4432	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
1808	svchcst.exe
1808	svchcst.exe
2288	svchcst.exe
2288	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
3424	svchcst.exe
3424	svchcst.exe
4408	svchcst.exe
4408	svchcst.exe
4400	svchcst.exe
4400	svchcst.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 3032	784	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe	87
PID 784 wrote to memory of 3032	784	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe	87
PID 784 wrote to memory of 3032	784	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe	87
PID 3032 wrote to memory of 1676	3032	WScript.exe	89
PID 3032 wrote to memory of 1676	3032	WScript.exe	89
PID 3032 wrote to memory of 1676	3032	WScript.exe	89
PID 3032 wrote to memory of 3320	3032	WScript.exe	90
PID 3032 wrote to memory of 3320	3032	WScript.exe	90
PID 3032 wrote to memory of 3320	3032	WScript.exe	90
PID 3032 wrote to memory of 1012	3032	WScript.exe	93
PID 3032 wrote to memory of 1012	3032	WScript.exe	93
PID 3032 wrote to memory of 1012	3032	WScript.exe	93
PID 3032 wrote to memory of 4396	3032	WScript.exe	94
PID 3032 wrote to memory of 4396	3032	WScript.exe	94
PID 3032 wrote to memory of 4396	3032	WScript.exe	94
PID 3032 wrote to memory of 4432	3032	WScript.exe	96
PID 3032 wrote to memory of 4432	3032	WScript.exe	96
PID 3032 wrote to memory of 4432	3032	WScript.exe	96
PID 3032 wrote to memory of 4620	3032	WScript.exe	97
PID 3032 wrote to memory of 4620	3032	WScript.exe	97
PID 3032 wrote to memory of 4620	3032	WScript.exe	97
PID 3032 wrote to memory of 1808	3032	WScript.exe	98
PID 3032 wrote to memory of 1808	3032	WScript.exe	98
PID 3032 wrote to memory of 1808	3032	WScript.exe	98
PID 3032 wrote to memory of 2288	3032	WScript.exe	99
PID 3032 wrote to memory of 2288	3032	WScript.exe	99
PID 3032 wrote to memory of 2288	3032	WScript.exe	99
PID 3032 wrote to memory of 2168	3032	WScript.exe	101
PID 3032 wrote to memory of 2168	3032	WScript.exe	101
PID 3032 wrote to memory of 2168	3032	WScript.exe	101
PID 3032 wrote to memory of 3424	3032	WScript.exe	102
PID 3032 wrote to memory of 3424	3032	WScript.exe	102
PID 3032 wrote to memory of 3424	3032	WScript.exe	102
PID 3424 wrote to memory of 1408	3424	svchcst.exe	103
PID 3424 wrote to memory of 1408	3424	svchcst.exe	103
PID 3424 wrote to memory of 1408	3424	svchcst.exe	103
PID 3424 wrote to memory of 2352	3424	svchcst.exe	104
PID 3424 wrote to memory of 2352	3424	svchcst.exe	104
PID 3424 wrote to memory of 2352	3424	svchcst.exe	104
PID 2352 wrote to memory of 4400	2352	WScript.exe	107
PID 2352 wrote to memory of 4400	2352	WScript.exe	107
PID 2352 wrote to memory of 4400	2352	WScript.exe	107
PID 1408 wrote to memory of 4408	1408	WScript.exe	108
PID 1408 wrote to memory of 4408	1408	WScript.exe	108
PID 1408 wrote to memory of 4408	1408	WScript.exe	108

C:\Users\Admin\AppData\Local\Temp\f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
"C:\Users\Admin\AppData\Local\Temp\f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1676
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3320
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1012
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4396
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4432
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4620
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1808
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2288
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2168
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4408
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
66502faede9d85474d80393e1e8f9f04

SHA1
182789761a0b9d0438894350d9fda0a805c14805

SHA256
0db4dbf41ac511a6ed33f7a427a6b18ced4e5677a3c75f00ada8495a25041aa8

SHA512
814c0c7a0441fe16b066369369bc40a680e77e2dbf65d2ca6da0443329b397ef246a8661ded0328770e17245fb24b30c12f44cd947a027a5137488f667ce939c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f7be701e4e37608c036d7f18dd142fb4

SHA1
0e2024615879a6fd3c4056ad6f6676fd3556cb14

SHA256
f11167ce9f293ed5059f195c7bf3570a3d5f25d1e682438fe855f12e65cb2f97

SHA512
c628adc5c618a5b28c44cc54084ce48e8833084a6be06dce8ff508e07360ce92ce95aa51ed5366f369639124f4739990e586127fac21c897f45aa15b12f01154

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6b05910622d4bf730ca147aefa5b6c75

SHA1
4f4a15a7ddefe6f3cfe26336fbfae470382c4f63

SHA256
1c974b78cd49da90672bab32c1f9e12a178a32ea01634c8969a447bc8390600c

SHA512
7aa10696392d58a2bd5e3b66551184c06ba77f5847fd2925503386b8e90a49ddf6c5a55408ec87886e953e869707534ad67883cf1aa7c7490b83e869750c6f46

Download Submit
memory/784-18-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download