2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5

Analysis

max time kernel
144s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe
Size

1.1MB
MD5

8e0e0d4d728fab29b9bcfb6641a7eeb8
SHA1

8d91fe969aec8ca54cd660d14899fc8d4d3131ce
SHA256

2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5
SHA512

c0635192adef80e44ce0393b8433a707a1b07d4de67c76ce72243b9f9b502758f7a66dffbe301fef58d685da478fe66f13e4c735166b943a4132c45a67907e1e
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qj:acallSllG4ZM7QzMU

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4180	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4180	svchcst.exe
4536	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe
4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe
4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe
4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe
4180	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe
4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe
4180	svchcst.exe
4180	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 3952	4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe	86
PID 4272 wrote to memory of 3952	4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe	86
PID 4272 wrote to memory of 3952	4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe	86
PID 4272 wrote to memory of 3164	4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe	87
PID 4272 wrote to memory of 3164	4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe	87
PID 4272 wrote to memory of 3164	4272	2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe	87
PID 3952 wrote to memory of 4536	3952	WScript.exe	91
PID 3952 wrote to memory of 4536	3952	WScript.exe	91
PID 3952 wrote to memory of 4536	3952	WScript.exe	91
PID 3164 wrote to memory of 4180	3164	WScript.exe	92
PID 3164 wrote to memory of 4180	3164	WScript.exe	92
PID 3164 wrote to memory of 4180	3164	WScript.exe	92

C:\Users\Admin\AppData\Local\Temp\2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe
"C:\Users\Admin\AppData\Local\Temp\2b186c4506981ff88356fade8614965805c3714a3467b6ae8715ac2d17537bf5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4536
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4c75469447715c715f57b95ecd7bedf6

SHA1
0d585c0315bc3c4fd6a7074878fb245db8a5b4fb

SHA256
1d137b7745cb4d3f66d51ea00c94c059560db24b5e3843102c51e0c887efbccb

SHA512
3f8570941e11ee226ca66e7c846cc4ab1822c720d4a138721cf0224c394c656abd8453d2cb75c0183a908ac8f379c3aefa50a612324d680468caaba9c06e5993

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c50fbbd0c4245aac3f81fffc2af554f9

SHA1
f872a6834644c2273ad0c466813c51ee32b8a761

SHA256
b1ab4794ee7e3ec5e9d2f39e5faa03ef8f0a96264cf5f5bec553bafeebf09ac5

SHA512
ea439889880912c2067a880db3026971b091f99f0d92f74b44a0d8c2107546f32432b701778bc12e50f7398b8564b7cec98b64c158c36ea290a6e215e5c690fb

Download Submit
memory/4180-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4272-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4272-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4536-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download