d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
Size

1.1MB
MD5

52f31d3778e43772770d05902e1637c1
SHA1

40ccc9be592530cea1c34d64b9d161eadb93466b
SHA256

d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a
SHA512

79be60804452e198237c7facf7a4a497d4fa28f0f5c8f04c76169d20d20a1ade50d4843aa6a054577649c60c810b7b6738f33d966b710f203e638879df188673
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q1:acallSllG4ZM7QzMe

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
5040	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
5040	svchcst.exe
3952	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe
5040	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
5040	svchcst.exe
5040	svchcst.exe
3952	svchcst.exe
3952	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 900	2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe	87
PID 2100 wrote to memory of 900	2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe	87
PID 2100 wrote to memory of 900	2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe	87
PID 2100 wrote to memory of 708	2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe	88
PID 2100 wrote to memory of 708	2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe	88
PID 2100 wrote to memory of 708	2100	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe	88
PID 708 wrote to memory of 5040	708	WScript.exe	90
PID 708 wrote to memory of 5040	708	WScript.exe	90
PID 708 wrote to memory of 5040	708	WScript.exe	90
PID 900 wrote to memory of 3952	900	WScript.exe	91
PID 900 wrote to memory of 3952	900	WScript.exe	91
PID 900 wrote to memory of 3952	900	WScript.exe	91

C:\Users\Admin\AppData\Local\Temp\d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
"C:\Users\Admin\AppData\Local\Temp\d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a20b7cc76cedb37372265bff411d2331

SHA1
18839129a1ab5dded7d101bb37abf0a6222b5710

SHA256
b0ec03759cf1a7fbf4c2c9adc97ec68509654e1e376d60dbdfa94fe4392f133d

SHA512
56e7a7a7b8f37d6ddf52df5601eb9305ad3416c1123a5be1f48efdf789e551f9a32fea787c214e446e1564ae15022e2cc95c32b7963f8c9848b3c9d41f2c5979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d240f6000386a18a31c398466c89bd45

SHA1
468dc028fa0d29a34d6adba5fff9012d090b583d

SHA256
54ec562195f7f8f0808c79404965da51a80b4ca44753c1b3486880f7b31f23fc

SHA512
43dca1917575709436bb7cb32b7b6762f81fcc1436be9e443bc376217515abb6d6cf9e7248f8ed476f1e5b21c2505991570a82ff70776111c82e2692004fe1f8

Download Submit
memory/2100-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3952-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3952-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5040-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download