89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9

Analysis

max time kernel
136s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
Size

1.1MB
MD5

058c96e6ca8a9b4b678af5c0f2d8ee3e
SHA1

6940d9f4e3fcfde303dc3dd6191f66a6e2a100c8
SHA256

89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9
SHA512

9507f130b9de90ce98b110b0c44aa4aa10918c600de408a97ee393475b9b9ccd4711222106246482734fcec2561e52a6758e0c87fb02f97772139a87b6771dca
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q3:acallSllG4ZM7QzMg

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4620	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4620	svchcst.exe
1712	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe
4620	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
4620	svchcst.exe
4620	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 3120	1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe	85
PID 1904 wrote to memory of 3120	1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe	85
PID 1904 wrote to memory of 3120	1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe	85
PID 1904 wrote to memory of 4604	1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe	86
PID 1904 wrote to memory of 4604	1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe	86
PID 1904 wrote to memory of 4604	1904	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe	86
PID 3120 wrote to memory of 4620	3120	WScript.exe	94
PID 3120 wrote to memory of 4620	3120	WScript.exe	94
PID 3120 wrote to memory of 4620	3120	WScript.exe	94
PID 4604 wrote to memory of 1712	4604	WScript.exe	95
PID 4604 wrote to memory of 1712	4604	WScript.exe	95
PID 4604 wrote to memory of 1712	4604	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
"C:\Users\Admin\AppData\Local\Temp\89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b947ae9ac24fedabe76c035ca2774d73

SHA1
d7e06642830f3af07b666c315eacd2b57179660f

SHA256
6b39fe85da27b6201a3540c0ee01921364fae4f26669588cbb7f58a9bed6e61c

SHA512
f9c68332dd236508e2a80721ea5ee1f3ea5c32137a4b53cfcbc0c1681eb8df31c67b5e3bfb558b1e68b3693db20c7f2e18276271f7f9a7229d8698c65b4338d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
65f1210ad78ef5e41e42028b0d657be7

SHA1
878bc949e285578cd5a8bba3ddac2e9b097901ba

SHA256
f7190161b5484e60303c7e85b25ae5d1194e8d05e34bd23599345afde0e44f46

SHA512
3062ee68dd65c70cf8cd409c6f55a70875bdf9e8adc25f3448c9644dd1637ee1102e19f15b010af219aa4a104cc9b09151d3a1daafee9568aea170c4c1558387

Download Submit
memory/1712-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1904-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1904-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4620-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4620-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download