Analysis
-
max time kernel
140s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
21-08-2024 10:37
General
-
Target
c9e25fe3c419bb6cdba99a81661bf27684813ad62c89a4d41521486054a8011e.exe
-
Size
1.1MB
-
MD5
9fc6d40f9933b0bc3f835969cf42ac4b
-
SHA1
1b7dc990563ba982d29ea5334375e37c3af45794
-
SHA256
c9e25fe3c419bb6cdba99a81661bf27684813ad62c89a4d41521486054a8011e
-
SHA512
0371314b47b5362d5373a2ec5da0462e2b01148fc15df72f2243d95feda72ae2326e45654d57646a76a97b9af52a96c7a3aac40e522e01999e1a38b34b367349
-
SSDEEP
24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qk:CcaClSFlG4ZM7QzMz
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9e25fe3c419bb6cdba99a81661bf27684813ad62c89a4d41521486054a8011e.exe"C:\Users\Admin\AppData\Local\Temp\c9e25fe3c419bb6cdba99a81661bf27684813ad62c89a4d41521486054a8011e.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753B
MD5d931756d7defc454060f5517c1ad9b5c
SHA10b1715cd4b9bfa340bd599749837e29ba0943a1b
SHA2565064fe3fc4dbf7c4f77cb3328a13381e5d4dd7f71a24b2d223379ec6d1439311
SHA5125d7d9d6da4e5aec93e71240518d5f24dd9065ae64bc9d8541fa92fdfc367ac147122864f1ecfff9b79c550cea26f020a690a65e43056716d4744b99d35ab4cfa
-
Filesize
1.1MB
MD5edbac60eb0f2f0c4a7242a6b4654ddfe
SHA17f31388227e135a7e9f41deb8b3f0b36a64d1eef
SHA25656d5604dec79393fa65fb7c4927f6fd8719f218889b556c630ef866602c060d0
SHA5128b726a53392a49232250d4a27970b45790d6d985a976f1510b56f155b409057c635b21946bb618d7ba12cb12c56467082fe075afcf742d5d78c8d37fce43d7da
-
Filesize
1.3MB