b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92

Analysis

max time kernel
143s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
Size

1.1MB
MD5

daf15c06d86beb529d7c885ef1167988
SHA1

153793f870c13371173b4111fd9ecb7b1164ecab
SHA256

b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92
SHA512

b1ee38c0dc48a9612e235b1edeb21891953bf1db51f8a0f29522568885f68e9824b2bf8c3e7e6727d0025a227ab602c6e61bb8615e977408519a1aa9bea7fa7d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzMb

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3248	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3248	svchcst.exe
4736	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe
3248	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
3248	svchcst.exe
3248	svchcst.exe
4736	svchcst.exe
4736	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 3296	4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe	86
PID 4716 wrote to memory of 3296	4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe	86
PID 4716 wrote to memory of 3296	4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe	86
PID 4716 wrote to memory of 4624	4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe	87
PID 4716 wrote to memory of 4624	4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe	87
PID 4716 wrote to memory of 4624	4716	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe	87
PID 4624 wrote to memory of 4736	4624	WScript.exe	94
PID 4624 wrote to memory of 4736	4624	WScript.exe	94
PID 4624 wrote to memory of 4736	4624	WScript.exe	94
PID 3296 wrote to memory of 3248	3296	WScript.exe	95
PID 3296 wrote to memory of 3248	3296	WScript.exe	95
PID 3296 wrote to memory of 3248	3296	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
"C:\Users\Admin\AppData\Local\Temp\b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
68a471a4343d43429ae3a3a18f63aa6b

SHA1
0ff589f08ce72127f9e1b94e61a1b5aeaaa1b77a

SHA256
878952c21c1a4bc99e9f20429d8768ff775f63482f72a81d3610d9023a2e71d8

SHA512
8a428938230c5e4f386f4f06c07ed73384cd990089e6c80809bcadd8ce9679653f0d561da47537eb7490f30e15d879739276ad8ead0d05217aae887b7ea5e47f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
abb5e897ce99841fd4ac2fb097c03f19

SHA1
90ce2a2a4bd7cadc3cd3a4f18a189cd21e26f108

SHA256
ae7838a99beecdd0be2deedcf9f6fded81334a0f0e5d7c5f1fa9fdd7035e66a4

SHA512
c16f9a1f7c8273d0830588383612f791571d41e22e9c29555c00882ee449858ab175cc64f7b355c633532021bcca5e1547061e7b846b8141b22bf2a08cd7e356

Download Submit
memory/3248-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4716-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4716-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4736-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download