Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/08/2024, 19:34

General

  • Target

    2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe

  • Size

    1.1MB

  • MD5

    8e0e0d4d728fab29b9bcfb6641a7eeb8

  • SHA1

    8d91fe969aec8ca54cd660d14899fc8d4d3131ce

  • SHA256

    2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5

  • SHA512

    c0635192adef80e44ce0393b8433a707a1b07d4de67c76ce72243b9f9b502758f7a66dffbe301fef58d685da478fe66f13e4c735166b943a4132c45a67907e1e

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qj:acallSllG4ZM7QzMU

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe
    "C:\Users\Admin\AppData\Local\Temp\2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4272
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4536
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3164
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4180

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    4c75469447715c715f57b95ecd7bedf6

    SHA1

    0d585c0315bc3c4fd6a7074878fb245db8a5b4fb

    SHA256

    1d137b7745cb4d3f66d51ea00c94c059560db24b5e3843102c51e0c887efbccb

    SHA512

    3f8570941e11ee226ca66e7c846cc4ab1822c720d4a138721cf0224c394c656abd8453d2cb75c0183a908ac8f379c3aefa50a612324d680468caaba9c06e5993

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    c50fbbd0c4245aac3f81fffc2af554f9

    SHA1

    f872a6834644c2273ad0c466813c51ee32b8a761

    SHA256

    b1ab4794ee7e3ec5e9d2f39e5faa03ef8f0a96264cf5f5bec553bafeebf09ac5

    SHA512

    ea439889880912c2067a880db3026971b091f99f0d92f74b44a0d8c2107546f32432b701778bc12e50f7398b8564b7cec98b64c158c36ea290a6e215e5c690fb

  • memory/4180-17-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/4272-0-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/4272-12-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/4536-16-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB