877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a

Analysis

max time kernel
134s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
Size

1.1MB
MD5

a472034ab1e38c50b3ecdd2f9ba40899
SHA1

bcf111d864f02fe541447d6a9b84eb5850bba6bb
SHA256

877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a
SHA512

fa0701a0917dad6bd61b92002b29ef7dc1af2ce91ecec5e00b73a58b232680917843c435a44fdcf779d411d7abaa23794c33244a1d82f6e52178e74ed5ffbb33
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qr:CcaClSFlG4ZM7QzM8

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
648	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1244	svchcst.exe
648	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe
648	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
648	svchcst.exe
648	svchcst.exe
1244	svchcst.exe
1244	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 3980	2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe	85
PID 2764 wrote to memory of 3980	2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe	85
PID 2764 wrote to memory of 3980	2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe	85
PID 2764 wrote to memory of 3920	2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe	84
PID 2764 wrote to memory of 3920	2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe	84
PID 2764 wrote to memory of 3920	2764	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe	84
PID 3920 wrote to memory of 1244	3920	WScript.exe	94
PID 3920 wrote to memory of 1244	3920	WScript.exe	94
PID 3920 wrote to memory of 1244	3920	WScript.exe	94
PID 3980 wrote to memory of 648	3980	WScript.exe	95
PID 3980 wrote to memory of 648	3980	WScript.exe	95
PID 3980 wrote to memory of 648	3980	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
"C:\Users\Admin\AppData\Local\Temp\877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1244
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
063023238f8b23923fd7046ac305e65b

SHA1
149623bf141069d6050adaca0889476b01fb4f6f

SHA256
dee3db9908695130e1e6187090608e58d053c5e14a9b94ec6edc16b2af58d285

SHA512
7d949125b0517cd3a341b2b2ba618af639c24cd029efd66b194675db7646f89c40a8fc39472c0132f3f364c06b433b80608d1e585036b108aa376b6aa54e60f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
91b84e0163039852ef504937b73d1587

SHA1
5c0c75b714cc5068e312f37e214f7e18557f4deb

SHA256
e5acd80218a5705027063bd66c04b550ae3013d8383d3c3b01b60c3241c7282e

SHA512
2d741428b4a94a557d41fdf4b2d217df5eb365091dff0ab2a9bbebdad2895cec16c28e8757e77d04b1bfb4143804b1981c122fd099de29b0d7d4147f35f2b85a

Download Submit
memory/2764-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download