7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a

Analysis

max time kernel
137s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
Size

1.1MB
MD5

020b64731738ae8db8476623695a59fe
SHA1

8b2f091cea62b94f94cc8653844561f9477dc92b
SHA256

7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a
SHA512

68dbfe544b9c375a3eda39a5fcc194f8e76c655c05d7f13c437fa17f529a76f6cc0ff0ae9d06930377abee2bfefc30a37f4cb86e333da82a0b3e8a7a29e163cd
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QQ:CcaClSFlG4ZM7QzMH

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1124	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
1124	svchcst.exe
3352	svchcst.exe
2980	svchcst.exe
4472	svchcst.exe
1196	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3220	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
3220	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
3220	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
3220	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3220	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3220	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
3220	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
1124	svchcst.exe
1124	svchcst.exe
3352	svchcst.exe
3352	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
4472	svchcst.exe
4472	svchcst.exe
1196	svchcst.exe
1196	svchcst.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 2140	3220	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe	89
PID 3220 wrote to memory of 2140	3220	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe	89
PID 3220 wrote to memory of 2140	3220	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe	89
PID 2140 wrote to memory of 1124	2140	WScript.exe	95
PID 2140 wrote to memory of 1124	2140	WScript.exe	95
PID 2140 wrote to memory of 1124	2140	WScript.exe	95
PID 1124 wrote to memory of 2420	1124	svchcst.exe	96
PID 1124 wrote to memory of 2420	1124	svchcst.exe	96
PID 1124 wrote to memory of 2420	1124	svchcst.exe	96
PID 1124 wrote to memory of 4364	1124	svchcst.exe	97
PID 1124 wrote to memory of 4364	1124	svchcst.exe	97
PID 1124 wrote to memory of 4364	1124	svchcst.exe	97
PID 4364 wrote to memory of 3352	4364	WScript.exe	100
PID 4364 wrote to memory of 3352	4364	WScript.exe	100
PID 4364 wrote to memory of 3352	4364	WScript.exe	100
PID 3352 wrote to memory of 4436	3352	svchcst.exe	101
PID 3352 wrote to memory of 4436	3352	svchcst.exe	101
PID 3352 wrote to memory of 4436	3352	svchcst.exe	101
PID 3352 wrote to memory of 4764	3352	svchcst.exe	102
PID 3352 wrote to memory of 4764	3352	svchcst.exe	102
PID 3352 wrote to memory of 4764	3352	svchcst.exe	102
PID 4764 wrote to memory of 2980	4764	WScript.exe	103
PID 4764 wrote to memory of 2980	4764	WScript.exe	103
PID 4764 wrote to memory of 2980	4764	WScript.exe	103
PID 2980 wrote to memory of 4860	2980	svchcst.exe	104
PID 2980 wrote to memory of 4860	2980	svchcst.exe	104
PID 2980 wrote to memory of 4860	2980	svchcst.exe	104
PID 2980 wrote to memory of 2452	2980	svchcst.exe	105
PID 2980 wrote to memory of 2452	2980	svchcst.exe	105
PID 2980 wrote to memory of 2452	2980	svchcst.exe	105
PID 2452 wrote to memory of 4472	2452	WScript.exe	106
PID 2452 wrote to memory of 4472	2452	WScript.exe	106
PID 2452 wrote to memory of 4472	2452	WScript.exe	106
PID 4860 wrote to memory of 1196	4860	WScript.exe	107
PID 4860 wrote to memory of 1196	4860	WScript.exe	107
PID 4860 wrote to memory of 1196	4860	WScript.exe	107

C:\Users\Admin\AppData\Local\Temp\7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
"C:\Users\Admin\AppData\Local\Temp\7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2420
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3352
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a63e6bbe8a6397049c47dbceedf217b5

SHA1
deaaa75b2ff38fe798489bd8d72995a0c445bf75

SHA256
ae6fb3423c7244eedf7ddf1addace5064c3ab6555a07affd8741534c00c89860

SHA512
a4e8d0193db8c55b0d0cc6f204cdee21402959e17333b54a9336716d89fa7ace73cb023d925dc5e8d3b926353fa17c94be4b78fe732e91def70473fbeef1f71b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd3670279cfd4857ab7ae976f56ad473

SHA1
2b4136cb5f5aa98e7cf48135db771fe497da942f

SHA256
9824342f00af60b70c73fd0b0b08c54f1439d6f6964ce1286a7eec748047041f

SHA512
30e7536c3209027ad3df30edd10d69b666a936c4184f3ad26ebf683ae2d066607b9eda521955af0a3cb235d6d84cc5c6fda747525bef19ec3a5016db66945889

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4912ce399e6359c20986a2b1ae06f776

SHA1
61723df9c450daf5b687ff5db03a7533b670f70d

SHA256
e0ac817421db630f63a333595d6490b2cfbfa86414025d979b00cf794f4a5d86

SHA512
f2b8d1ff6fc73da11059ff9314b467455096dc2d8cfa48ae063cf614521389886563b520053896559a6133497cd8bdc7a436c67ed1352d2afd5861cd6c85948f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a20fc1e392f81cc1952652ca91d40a49

SHA1
2f487395b7cdcac20565479ca698f1d6894fb91a

SHA256
7fed1ac8f1c7ed54cc7b7e9cb25dd56ef01520da5c704cb3bbd049e4d975e033

SHA512
f9fd0e34c69c194fcd06c1e57f83dd530b78733ecd2dd824fa0041e796dc3abc52489872c25e63962f01fc4e81c508fc2e64d715aba63af9c1cd681650b981a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c7b8d0dd2e79830a7df28e8b195b1f59

SHA1
572d771ae0874e590eb6a32fa83865540d1305d7

SHA256
8d304595194537d3c5a042d4013432c026d06d6e140f453d179799af258a061c

SHA512
c053716502d95118ba5e51ecd9a2cef5dbf0795560cdcc08843d7d697ead6427b5b01fc71ef7fc924db40ea15ec337cfd1ec8cd936a05486a10d87c394db50cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
526a244c8338debb9e0b02201c053a89

SHA1
6a4c3abeead0032139bd1cba3e436afa633c5c86

SHA256
756d7f0f1b7f12e7c1847122a9fdb003d6c46c2710f70610fb1128f1ccfcb4bc

SHA512
0d524ee091d12e2d23cb3d303bf2479c9a49c5fee734f2a4a3764d6a401c0391b1fff1d254dadb141f78cd3369ad50c6e84ef32586243109e6bbb0a821d1fdad

Download Submit
memory/3220-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download