69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e

Analysis

max time kernel
133s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe
Size

1.1MB
MD5

df17538b8f84363f145ee53f01700172
SHA1

50e12728080fb29ef7cc1d59e7862fc682b6e4a1
SHA256

69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e
SHA512

5a682984669f832b29c8e224bfa0b4f1d2f14bb2eb974f5b61db1e645c7f1b15bdc4f8560d0b945b6ea0070215414fc5fd6f0797af13ac28df5f4468034e15e0
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qq:acallSllG4ZM7QzM5

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1092	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1092	svchcst.exe
1756	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe
5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe
5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe
5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe
5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe
1756	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1756	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3776	5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe	88
PID 5052 wrote to memory of 3776	5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe	88
PID 5052 wrote to memory of 3776	5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe	88
PID 5052 wrote to memory of 2896	5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe	89
PID 5052 wrote to memory of 2896	5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe	89
PID 5052 wrote to memory of 2896	5052	69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe	89
PID 2896 wrote to memory of 1756	2896	WScript.exe	94
PID 2896 wrote to memory of 1756	2896	WScript.exe	94
PID 2896 wrote to memory of 1756	2896	WScript.exe	94
PID 3776 wrote to memory of 1092	3776	WScript.exe	95
PID 3776 wrote to memory of 1092	3776	WScript.exe	95
PID 3776 wrote to memory of 1092	3776	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe
"C:\Users\Admin\AppData\Local\Temp\69634499d11191cb16e6f4c0f5c6ed52f6ec6ab25e66566f366f733c8a91fe8e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
45d8a380dac2a49ced88844e6b24f50c

SHA1
7957a35fb14dad10297c13619022e9bfaf2e417e

SHA256
32eb39543747fcad0763ffb5aaec9c66cbd0b59baf5731722ae7eee5952aeeb0

SHA512
9d941949477ca2c41bc4a7a1dad194e2b99171aa96976c94b853d2c53b94b2c7b6a9173b31063bc97383c3e860a632ed0d15465f9b9a86f1ce6153bc6133979b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3abcfd6a79308fd74c31ddef20cad4b4

SHA1
306c74c02d1b667b84f830f603b285bed447edc7

SHA256
a3ea7d44fe6d348aeb08f6ffb9ba11c1c6b937606e6e26cd0a8b5b20618ff0e4

SHA512
6bbfc6955e0fc5096068c27354f3623b7a24bedca5f69cfdd48de6f9553e7b12a3b18882c6f61ed627a7bc34372b4f323252b928fa6eaa2ea5a63e6cbb932b7e

Download Submit
memory/1092-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1756-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1756-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5052-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5052-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download