Analysis

  • max time kernel
    136s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/08/2024, 11:53

General

  • Target

    af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe

  • Size

    1.1MB

  • MD5

    e8196031924f935ff5c0ef93d4a24ab4

  • SHA1

    eeb6a3ff13e3e42db0e15c4387dddfdfa0e6b74a

  • SHA256

    af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d

  • SHA512

    6e040cc1591109bf93c4de1497790e25ce35d28bc5db8ab5e7ced8163a639600eb951039ecdaab868bc4b2bd24541fc29cdb16e6507f053a1621e350d248551c

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMi

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe
    "C:\Users\Admin\AppData\Local\Temp\af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3972
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4784
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4140

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          753B

          MD5

          6cb0d8816aba4227d1339f1fce9eda68

          SHA1

          143d97dca314a0edb735fa4e3f477ba9fba2e0b9

          SHA256

          659418e337ea9d9b0131b9edb1f0092311d374349845a7b37be5c379a4dfc273

          SHA512

          b020e61035025177a11f1f0bf54bd75480db5db6855cd2ba8e7c15b0af563abc3222e9de2b534c5cea0ac4de6f1d55da0abb678943aa345b8e39a7ba7234c81b

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          96732dbd8e393fcfa752e1a69e06a131

          SHA1

          c958d65a0e8b0359b88b0cd7290720d61d8ce743

          SHA256

          450a349c9ae765bf60c3d1f888bf32466d36b0c575b935495a4fedc8e4978580

          SHA512

          a264a1e3f519878833527d364bb230f0ca2b1062763e3e66cededba30d8ed9f9c919ea1eda0558fefd3c0204356b9353b6adf6eb498be808ed60b28f0fa9f3cd

        • memory/2652-0-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2652-12-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/3972-17-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/4140-16-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB