2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656

Analysis

max time kernel
133s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe
Size

1.1MB
MD5

a127ddb85b63506bb93d0cad7d62c09a
SHA1

7a1f5c4ca5ae1437904db6f2f5db8ee9182293cb
SHA256

2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656
SHA512

82c5f9510bed4c3e40875d4f1a9a7b7dd2ee3acd69b3d4bbf7f84f3f870ae8d100046326fa57645ab4ee1f50557986a4c8047444951cb824396b7f960ad58fda
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q0:acallSllG4ZM7QzMD

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe

Deletes itself 1 IoCs

pid	Process
3712	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3712	svchcst.exe
4072	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe
3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe
3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe
3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe
3712	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe
3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe
3712	svchcst.exe
3712	svchcst.exe
4072	svchcst.exe
4072	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 4044	3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe	93
PID 3960 wrote to memory of 4044	3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe	93
PID 3960 wrote to memory of 4044	3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe	93
PID 3960 wrote to memory of 3340	3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe	94
PID 3960 wrote to memory of 3340	3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe	94
PID 3960 wrote to memory of 3340	3960	2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe	94
PID 4044 wrote to memory of 3712	4044	WScript.exe	98
PID 4044 wrote to memory of 3712	4044	WScript.exe	98
PID 4044 wrote to memory of 3712	4044	WScript.exe	98
PID 3340 wrote to memory of 4072	3340	WScript.exe	99
PID 3340 wrote to memory of 4072	3340	WScript.exe	99
PID 3340 wrote to memory of 4072	3340	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe
"C:\Users\Admin\AppData\Local\Temp\2d94f052e9869431123ed3828de5d79c7b0bedadaf588a717a7246edb3753656.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3db7034e3ea40056616e68d8fc6267c3

SHA1
23160b0a946ce99277f8034bd3cb7ad5c45491a4

SHA256
690541d18520c58b6b9a6b7f2b42dec54789983456511d1cf00ed6b6cdf14bed

SHA512
ea5cc6c0eb18d7c011ebc1663101785cb9bfbc437de833ace35ca71de673f7079a615edc1c359cf32d41b2ee72d30fad934366cec801be1ad4c9480922bc3bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
00fda54a024cc9d9b59d0922fbde1868

SHA1
aac12e0bde54c136a556b8b7b8678d36202ceac9

SHA256
0f24d5ec1d9f7f8700ca09d8afb73368e01a5cfec98de658d5a3653cb90be64d

SHA512
febaa24497d5bab7d53634afc42fc32480484d1b989f5c5bc14d39f63cdbbd16a29cbf63f1ba2a225726192a5fba1199d1756902d334c652d1694b9a412c98ed

Download Submit
memory/3712-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3960-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3960-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4072-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download