Analysis
- max time kernel: 136s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 11:53
Static task: static1
Behavioral task: behavioral1
- Sample: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe
- Resource: win10v2004-20240802-en
General
- Target: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe
- Size: 1.1MB
- MD5: e8196031924f935ff5c0ef93d4a24ab4
- SHA1: eeb6a3ff13e3e42db0e15c4387dddfdfa0e6b74a
- SHA256: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d
- SHA512: 6e040cc1591109bf93c4de1497790e25ce35d28bc5db8ab5e7ced8163a639600eb951039ecdaab868bc4b2bd24541fc29cdb16e6507f053a1621e350d248551c
- SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMi
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely as a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (process: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
Deletes itself (1 IoC)
- PID 3972: svchcst.exe
Executes dropped EXE (2 IoCs)
- PID 3972: svchcst.exe
- PID 4140: svchcst.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WScript.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WScript.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchcst.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchcst.exe)
Modifies registry class (3 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings (process: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: WScript.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: WScript.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2652: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe (4 entries)
- PID 3972: svchcst.exe (all remaining entries)
Suspicious behavior: RenamesItself (1 IoC)
- PID 2652: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 2652: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe (2 entries)
- PID 3972: svchcst.exe (2 entries)
- PID 4140: svchcst.exe (2 entries)
Suspicious use of WriteProcessMemory (12 IoCs)
Columns: description, pid, process, procid_target
- PID 2652 wrote to memory of 684; pid 2652; af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe; procid_target 86 (3 entries)
- PID 2652 wrote to memory of 4784; pid 2652; af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe; procid_target 87 (3 entries)
- PID 684 wrote to memory of 3972; pid 684; WScript.exe; procid_target 94 (3 entries)
- PID 4784 wrote to memory of 4140; pid 4784; WScript.exe; procid_target 95 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe"
   PID: 2652
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID: 684
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
         PID: 3972
         - Deletes itself
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID: 4784
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
         PID: 4140
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 753B
  MD5: 6cb0d8816aba4227d1339f1fce9eda68
  SHA1: 143d97dca314a0edb735fa4e3f477ba9fba2e0b9
  SHA256: 659418e337ea9d9b0131b9edb1f0092311d374349845a7b37be5c379a4dfc273
  SHA512: b020e61035025177a11f1f0bf54bd75480db5db6855cd2ba8e7c15b0af563abc3222e9de2b534c5cea0ac4de6f1d55da0abb678943aa345b8e39a7ba7234c81b
- Filesize: 1.1MB
  MD5: 96732dbd8e393fcfa752e1a69e06a131
  SHA1: c958d65a0e8b0359b88b0cd7290720d61d8ce743
  SHA256: 450a349c9ae765bf60c3d1f888bf32466d36b0c575b935495a4fedc8e4978580
  SHA512: a264a1e3f519878833527d364bb230f0ca2b1062763e3e66cededba30d8ed9f9c919ea1eda0558fefd3c0204356b9353b6adf6eb498be808ed60b28f0fa9f3cd