c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
Size

1.1MB
MD5

cfd4a50cb8d9fff4a80a797b7f202f72
SHA1

2ab1519461ea9e659be413b0d1f7ad2dab645f75
SHA256

c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190
SHA512

04ae62d7233908354582921c66734701b1a9f129979821e648c79967f33d288e9939f203adec6c2efc84374fec7a3ed7ade1983aa526e8df1c098f965231a585
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qy:CcaClSFlG4ZM7QzMx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4128	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
4128	svchcst.exe
1208	svchcst.exe
4060	svchcst.exe
5088	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4440	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
4440	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
4440	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
4440	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4440	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4440	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
4440	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
4128	svchcst.exe
4128	svchcst.exe
1208	svchcst.exe
1208	svchcst.exe
4060	svchcst.exe
4060	svchcst.exe
5088	svchcst.exe
5088	svchcst.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4148	4440	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe	86
PID 4440 wrote to memory of 4148	4440	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe	86
PID 4440 wrote to memory of 4148	4440	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe	86
PID 4148 wrote to memory of 4128	4148	WScript.exe	92
PID 4148 wrote to memory of 4128	4148	WScript.exe	92
PID 4148 wrote to memory of 4128	4148	WScript.exe	92
PID 4128 wrote to memory of 2736	4128	svchcst.exe	93
PID 4128 wrote to memory of 2736	4128	svchcst.exe	93
PID 4128 wrote to memory of 2736	4128	svchcst.exe	93
PID 4128 wrote to memory of 1460	4128	svchcst.exe	94
PID 4128 wrote to memory of 1460	4128	svchcst.exe	94
PID 4128 wrote to memory of 1460	4128	svchcst.exe	94
PID 2736 wrote to memory of 1208	2736	WScript.exe	98
PID 2736 wrote to memory of 1208	2736	WScript.exe	98
PID 2736 wrote to memory of 1208	2736	WScript.exe	98
PID 1208 wrote to memory of 4008	1208	svchcst.exe	100
PID 1208 wrote to memory of 4008	1208	svchcst.exe	100
PID 1208 wrote to memory of 4008	1208	svchcst.exe	100
PID 1208 wrote to memory of 4468	1208	svchcst.exe	99
PID 1208 wrote to memory of 4468	1208	svchcst.exe	99
PID 1208 wrote to memory of 4468	1208	svchcst.exe	99
PID 4008 wrote to memory of 4060	4008	WScript.exe	101
PID 4008 wrote to memory of 4060	4008	WScript.exe	101
PID 4008 wrote to memory of 4060	4008	WScript.exe	101
PID 4468 wrote to memory of 5088	4468	WScript.exe	102
PID 4468 wrote to memory of 5088	4468	WScript.exe	102
PID 4468 wrote to memory of 5088	4468	WScript.exe	102

C:\Users\Admin\AppData\Local\Temp\c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
"C:\Users\Admin\AppData\Local\Temp\c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5088
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4060
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
fa3906d7c3faff9438666e81ce6a658d

SHA1
97af326f8c12a197d7cdd92a0efe51bad725dbde

SHA256
e4060e6bb5aa81d682659b173ce85c430e3c4fdeebc1346e157a66c4f6d66e29

SHA512
ec64fa12f86301856966422afb1e675fab69d7a60d4e37b68c6dcc6c278d4a1b70e5c34eb6806b20e88d2c06e8390035df0f69cab5e645ea9a4d8351b746c4a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e0e0a1f6d22e3905753a9c1ed053cbff

SHA1
52c11b8049f4015d7825fc1fcbd0d5eadb29a6e4

SHA256
2eca9ba67f160c00268003e7239f9cfc5da0f10b6a0b3c82538ef2a0874b871d

SHA512
3eb98287cc8115cb648626272eaa6cc77cb57fcd614f0e969d3af3977a8e09e0f7f6f3ee6ef9322e096bf0cec546f681a6983030a10e972b538d42e2bd17740c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bb2703f5f161ba1b0081c2cca80be4fd

SHA1
b9e6369b90493492a3eb5e1cdab7d857c1236ad7

SHA256
46b64217bd46ef1c51edf909af1916520bcb51e14577fe324e469ae70054cd98

SHA512
935a21eaef77b39142e71f404cf3e664c22f6036a3e9699ff6f5a59d737010e54a8708da667ec134abe675ee7020039c3d6aefe84dbfaeecbb635cb376d8a1ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
76cff92cb4929a25bded67e44c5ee10a

SHA1
5780a9d99c70155a9baa2d9c03d1cf5b56d60dac

SHA256
f75699b79c87fd03d948e2a8c82d6da95c6f3cb87dcef5bac3034f0ad4ee5102

SHA512
d916473cd2dad9398f7e649d467aed92c78666c986c29502288fc7ee83b495f88efcab64a4e34cb95e9863ba2ed04a308b62aa0910ac35934b74fa9880c38fd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
18c4227eb54752d0b38603b8b4053370

SHA1
a7195e93165fb2e43826673838a02964c03e28d6

SHA256
98f2802785ff22a1385347551577273b10bf8f4def56b6de28b1543160484242

SHA512
7140ba6bb676e6551d9b14f6c84738a4f83be728abbbeb0049d8040f08765e22cd45ab39150627bad3f8d986e0b048f02a3f79bffb7914e47e2eceecaef76a04

Download Submit
memory/4440-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download