406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
Size

1.1MB
MD5

a231fdacca5fbf8e23d88bef82512791
SHA1

face1502dc72dba4aa55edcb2d91aa27fe20baf0
SHA256

406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec
SHA512

4b63b2038ebccaddb6dbce645520d515f2e1d6f7182f3391f84d25aed38adad9135542797de2559085e102d8250e5affc2d4f1b70bc260ab3ba9d9c3412b67a6
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qt:acallSllG4ZM7QzMG

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe

Deletes itself 1 IoCs

pid	Process
540	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
540	svchcst.exe
4448	svchcst.exe
3896	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4024	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
4024	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
4024	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
4024	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe
540	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4024	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4024	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
4024	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
540	svchcst.exe
540	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
3896	svchcst.exe
3896	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 5108	4024	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe	87
PID 4024 wrote to memory of 5108	4024	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe	87
PID 4024 wrote to memory of 5108	4024	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe	87
PID 5108 wrote to memory of 540	5108	WScript.exe	93
PID 5108 wrote to memory of 540	5108	WScript.exe	93
PID 5108 wrote to memory of 540	5108	WScript.exe	93
PID 540 wrote to memory of 1988	540	svchcst.exe	94
PID 540 wrote to memory of 1988	540	svchcst.exe	94
PID 540 wrote to memory of 1988	540	svchcst.exe	94
PID 540 wrote to memory of 2512	540	svchcst.exe	95
PID 540 wrote to memory of 2512	540	svchcst.exe	95
PID 540 wrote to memory of 2512	540	svchcst.exe	95
PID 1988 wrote to memory of 4448	1988	WScript.exe	98
PID 1988 wrote to memory of 4448	1988	WScript.exe	98
PID 1988 wrote to memory of 4448	1988	WScript.exe	98
PID 2512 wrote to memory of 3896	2512	WScript.exe	99
PID 2512 wrote to memory of 3896	2512	WScript.exe	99
PID 2512 wrote to memory of 3896	2512	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
"C:\Users\Admin\AppData\Local\Temp\406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4448
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
2dea0a7299bfde29801ce1d293856339

SHA1
799f11669a902cd5d134f7a4a4307b2226428480

SHA256
b036613cffde5a849a3519df51486fc4b93b373ed2484677445fb2a800dddcec

SHA512
fd46b868ec2cc7e3d9e4f71f4badc1273b11651ba957ca8176a49d126ed4832515b6b3d2b9127bf950af61e874aad808781dec7f8f3c948af26179d419d94c0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c92f92a39b74a1a62d4e78cab1e85ce

SHA1
12be3de5566511f06ef1d1354ce14e74381ef078

SHA256
919b452d34117c54e6e79cf6c3d338679c3553dd3ef1bb8d750da8738f6f4166

SHA512
ad945215baeb1b488a43705d18520fea653a881632cfcd8bc79182ce2863d7167e8631043bdea1ee1071eabfb87f7ce63f460becf63c9c2060e51a30fc8171b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c70bbf3b4d76696cf13ced930a2fa9bd

SHA1
67c53a3cf3982afb7cdcecc3753237a1823cf7df

SHA256
33c4fe1d4342aa079772be5e6e9a08691883ec997c6b1a0b5f574eb4d19742c3

SHA512
67426c21d6e7dc0385488a1a62180d4ff930025dde4fee45518258b450e6440a7c16594f7382cf922ff23908bc482ca7f85b9646a018024b2cce5c6c9e348ec3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c02352d484098482c7efdf0b20d3d7e5

SHA1
2eb887b33bce967d540d057706c2a6c2ee772f9b

SHA256
d552d2485a4b75acb6e7604c017d17c2a5f2f6ca3c9d073e4dbceb08d390b113

SHA512
9061b3bfd35b7952ba44871fd1365fbb3a56a1ccd7233385bda8af3d2b4e21e62f8da7bb1f9e3c60cb52c2a496172fa34c2d95b99be0fb745f91b02ad7df7a7e

Download Submit
memory/540-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3896-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3896-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4024-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4024-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4448-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4448-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download