5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134

Analysis

max time kernel
12s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe
Size

1.1MB
MD5

ce7a8e897f2a56326daad9fca0ae9224
SHA1

15f642d93a416833d810b7b67bf803e5b4623b9e
SHA256

5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134
SHA512

a5f3816484e05f598b1ae23b9e0bae4a47c05eed8b80777d67b105d486c0cdfd9175a0c81587098550f2789360f02b3fd18cc770f0a8144af2de04ebb7ce8fd7
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QN:acallSllG4ZM7QzM2

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1972	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1972	svchcst.exe
2584	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2216	WScript.exe
2120	WScript.exe
2120	WScript.exe
2216	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe
1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe
1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe
1972	svchcst.exe
1972	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2120	1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe	30
PID 1528 wrote to memory of 2120	1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe	30
PID 1528 wrote to memory of 2120	1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe	30
PID 1528 wrote to memory of 2120	1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe	30
PID 1528 wrote to memory of 2216	1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe	29
PID 1528 wrote to memory of 2216	1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe	29
PID 1528 wrote to memory of 2216	1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe	29
PID 1528 wrote to memory of 2216	1528	5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe	29
PID 2120 wrote to memory of 1972	2120	WScript.exe	33
PID 2120 wrote to memory of 1972	2120	WScript.exe	33
PID 2120 wrote to memory of 1972	2120	WScript.exe	33
PID 2120 wrote to memory of 1972	2120	WScript.exe	33
PID 2216 wrote to memory of 2584	2216	WScript.exe	32
PID 2216 wrote to memory of 2584	2216	WScript.exe	32
PID 2216 wrote to memory of 2584	2216	WScript.exe	32
PID 2216 wrote to memory of 2584	2216	WScript.exe	32

C:\Users\Admin\AppData\Local\Temp\5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe
"C:\Users\Admin\AppData\Local\Temp\5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
d3ead878c9d1badce5e5a2ffb8489ed6

SHA1
51655e1deea85d1eeb0d62c5a98056c3fdb3dad6

SHA256
ddde6f7d9875123eeb767f03ba2322d35827f628a0cd2570888f467e471bf07d

SHA512
84a3e858402cac2010a07cb2b1da8cdddbcfa9c89754b57ac0a42d10b27466d9d20daed1876c9c78c3c55307791ef81f90ef37c7deb24f64848be1143899a4cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6a304f2bd7a3199cd8d079a7a62d78df

SHA1
c81378731ff7362cdd4f6fd848d6fea9757b9525

SHA256
a73cdd534f66043ff9c2931a6fe65eb53939cc8be05e2e526e037e33035c215a

SHA512
bbba9f9eabb064882b775208a32eb49dfc542b98f9cd6a802c70e6e70c5396b5354659e2a5f9f77464d31e6950c254b450402b6c656ba29e4ad9f9187e2db5fc

Download Submit
memory/1528-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1528-5-0x0000000003F60000-0x0000000003FD0000-memory.dmp

Filesize
448KB

Download
memory/1528-13-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2120-20-0x00000000054A0000-0x00000000055FF000-memory.dmp

Filesize
1.4MB

Download
memory/2216-19-0x0000000005360000-0x00000000054BF000-memory.dmp

Filesize
1.4MB

Download
memory/2584-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2584-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download