afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53

Analysis

max time kernel
135s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
Size

1.1MB
MD5

095e22f30a3ea2e6d72e9cf795726a39
SHA1

989eea2102e9239c7c58f094cbef41a4108bcb4f
SHA256

afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53
SHA512

d2c5b28c615b18cafd90e42c12ab50ea72faf00cc296f643fbb6a7328228cb86380018c45f50bb7e80c9e5dbc21856cb6da6d9fef57153d865112f60d4446051
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QD:acallSllG4ZM7QzMU

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4732	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4732	svchcst.exe
4472	svchcst.exe
3100	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5080	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
5080	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe
4732	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5080	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5080	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
5080	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
4732	svchcst.exe
4732	svchcst.exe
4472	svchcst.exe
4472	svchcst.exe
3100	svchcst.exe
3100	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 2884	5080	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe	87
PID 5080 wrote to memory of 2884	5080	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe	87
PID 5080 wrote to memory of 2884	5080	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe	87
PID 2884 wrote to memory of 4732	2884	WScript.exe	93
PID 2884 wrote to memory of 4732	2884	WScript.exe	93
PID 2884 wrote to memory of 4732	2884	WScript.exe	93
PID 4732 wrote to memory of 972	4732	svchcst.exe	96
PID 4732 wrote to memory of 972	4732	svchcst.exe	96
PID 4732 wrote to memory of 972	4732	svchcst.exe	96
PID 4732 wrote to memory of 5068	4732	svchcst.exe	97
PID 4732 wrote to memory of 5068	4732	svchcst.exe	97
PID 4732 wrote to memory of 5068	4732	svchcst.exe	97
PID 5068 wrote to memory of 4472	5068	WScript.exe	98
PID 5068 wrote to memory of 4472	5068	WScript.exe	98
PID 5068 wrote to memory of 4472	5068	WScript.exe	98
PID 972 wrote to memory of 3100	972	WScript.exe	99
PID 972 wrote to memory of 3100	972	WScript.exe	99
PID 972 wrote to memory of 3100	972	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
"C:\Users\Admin\AppData\Local\Temp\afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3100
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
23171c40bf484035ab7986d5fa3514e4

SHA1
c666bfea955f3d3d66352ee1680349eb249ac240

SHA256
b1102d120e22027aa8a444e13e8cb0b1fad447cc7f2fd56e5bca28e80214993a

SHA512
104202986f39e884864e68143c36210a179daa2f429074e884be15062b1e0fff713f8a55a95ed85af931682cc6d62182fadcc91476ca6129a6769089a8698491

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd34ba54e0dd84bc94990092afc183a9

SHA1
938feedabe63e3e7c6cbb6a405512e21a7ebe449

SHA256
44358f1aedf540acf9e56069e4cc6d4e6a2445ccba362dad9ec4e2f59e0178ab

SHA512
1c261ac13591d4d1cd3692dae12de7fb393134b014dbc766b2946b6ea983e74cef7984bb7003241d5221dea9df78e5f5fe31a839ad7d8453a79db887c8d09958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
37e702d6cc77ea63beee1cd3c8d531bb

SHA1
667308d915c83166b384659d8c3fc48dd7edf773

SHA256
ce93c1b28c9f0af9443a4ac5e94e141e4f74491f3b71c4aaa35f220039e9ac89

SHA512
3588e62430bc88681858efe081367fa72e42fbf384b12d1c716d8688b6a618a40c30edfc77177d8ea76f6e41dc254422e26265920edb258ff4b7548e8ea7042a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1578ce373fc88bd0a9810fc0b0281310

SHA1
87215ab267296d5b9af5658a9b7931eb268e61c0

SHA256
f1b56060fd2cf79fcd3434f709961373767cf9bbf5194395f691fa9d4c605862

SHA512
dd8e643faf5d0a26b012edcdb0e17ddaf4d501eb66596bdbc3ad2dced13622d591f60fd41d6e8eb0ac5fd20bced0a536007e2e86a2854ec7c7c6ca8bdcfa9e37

Download Submit
memory/3100-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3100-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4472-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4732-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5080-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5080-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download