7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62

Analysis

max time kernel
133s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 06:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe
Size

1.1MB
MD5

1c11551326f30b4ba47de500a091320b
SHA1

7e568584ff05301f7a0dbefc058bc408c276e952
SHA256

7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62
SHA512

7014dfb646d189ba01180b5005bf4f7616697038686e6add956e399341bd46e7c6077be206e482b1da009bbc4d28609318354462e315017182f4be3a5280b336
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qe:acallSllG4ZM7QzMV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3564	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1980	svchcst.exe
3564	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe
5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe
5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe
5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe
5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe
1980	svchcst.exe
1980	svchcst.exe
3564	svchcst.exe
3564	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 4756	5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe	87
PID 5064 wrote to memory of 4756	5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe	87
PID 5064 wrote to memory of 4756	5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe	87
PID 5064 wrote to memory of 3436	5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe	86
PID 5064 wrote to memory of 3436	5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe	86
PID 5064 wrote to memory of 3436	5064	7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe	86
PID 3436 wrote to memory of 1980	3436	WScript.exe	94
PID 3436 wrote to memory of 1980	3436	WScript.exe	94
PID 3436 wrote to memory of 1980	3436	WScript.exe	94
PID 4756 wrote to memory of 3564	4756	WScript.exe	95
PID 4756 wrote to memory of 3564	4756	WScript.exe	95
PID 4756 wrote to memory of 3564	4756	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe
"C:\Users\Admin\AppData\Local\Temp\7b14a5d1c7c6a4a0672e94beb311267b261576f0342e5ff8cc071dca161eea62.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0034f2409d90de6ab95f9550e2cd8196

SHA1
23aa2e351e4d5f3fa30521dbf689a435e06d72df

SHA256
0ca094ea0382f13225bd829ca43f8a8eb55f50363a753834d2dadef733e22ffc

SHA512
001d8c1dfc156af29ef1bcd1ad72fa90eb55083d6c21b0079046a02875d7117e353ce4818601386c2178504321ae54cc3f9aefce7b811aa14302295c4ca3819c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
eae04a873cd18f2d0c7a37745b5e9124

SHA1
2d1eec98887ef687a596d9e465fcb95606233aa4

SHA256
186bdc9e38065958ad013e6d4a0a5193a30af2dc37c6e9e33d3a33a3d88f3f1b

SHA512
3907078487fe1a72be6ec7458a6a98c012dc50b55eee3d90724adc0da29aa73dbea1434e31b3e0fc06602105901170de9b2ad789e4a28f2a816c387bb8faf9bf

Download Submit
memory/1980-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3564-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3564-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5064-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5064-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download