5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d

Analysis

max time kernel
142s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
Size

1.1MB
MD5

b12d64ca1702cc3948ad16cc66bc710e
SHA1

f5969bfbd9842199f893cba6643ab4d82bd6a230
SHA256

5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d
SHA512

f7de9ac74778ecb244aa5f5e4a3669d4876aff02da8c16c17890d6343d5a94c3c91233cfd3bcd1dd3482df82552fc98803d85c127b8cca79f4ae447c3700daca
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QE:acallSllG4ZM7QzMz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3096	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
3096	svchcst.exe
860	svchcst.exe
64	svchcst.exe
2024	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
4848	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe
3096	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4848	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4848	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
4848	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
3096	svchcst.exe
3096	svchcst.exe
860	svchcst.exe
860	svchcst.exe
2024	svchcst.exe
64	svchcst.exe
2024	svchcst.exe
64	svchcst.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2616	4848	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe	87
PID 4848 wrote to memory of 2616	4848	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe	87
PID 4848 wrote to memory of 2616	4848	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe	87
PID 2616 wrote to memory of 3096	2616	WScript.exe	93
PID 2616 wrote to memory of 3096	2616	WScript.exe	93
PID 2616 wrote to memory of 3096	2616	WScript.exe	93
PID 3096 wrote to memory of 3976	3096	svchcst.exe	94
PID 3096 wrote to memory of 3976	3096	svchcst.exe	94
PID 3096 wrote to memory of 3976	3096	svchcst.exe	94
PID 3976 wrote to memory of 860	3976	WScript.exe	98
PID 3976 wrote to memory of 860	3976	WScript.exe	98
PID 3976 wrote to memory of 860	3976	WScript.exe	98
PID 860 wrote to memory of 4368	860	svchcst.exe	100
PID 860 wrote to memory of 4368	860	svchcst.exe	100
PID 860 wrote to memory of 4368	860	svchcst.exe	100
PID 860 wrote to memory of 2128	860	svchcst.exe	99
PID 860 wrote to memory of 2128	860	svchcst.exe	99
PID 860 wrote to memory of 2128	860	svchcst.exe	99
PID 2128 wrote to memory of 64	2128	WScript.exe	102
PID 2128 wrote to memory of 64	2128	WScript.exe	102
PID 2128 wrote to memory of 64	2128	WScript.exe	102
PID 4368 wrote to memory of 2024	4368	WScript.exe	101
PID 4368 wrote to memory of 2024	4368	WScript.exe	101
PID 4368 wrote to memory of 2024	4368	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
"C:\Users\Admin\AppData\Local\Temp\5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3976
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:860
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:64
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
7bd1e062a902c790ba09bfb3f931285e

SHA1
27ea16d7b1d5e844eabcd0ab4d5e40892a9b7e43

SHA256
5c12b2fa325be35f2d7fbdcbe4f0d59a69844f0c3db7595dc5ae15936d2af061

SHA512
2e6870bcaf9fbaf7677e570ef6259dda8951669590eb7eb3415aaa9f6949202d0658484dcb937b9d472843ca46125f3b95ac144267f38f775fcda64e74652863

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd3670279cfd4857ab7ae976f56ad473

SHA1
2b4136cb5f5aa98e7cf48135db771fe497da942f

SHA256
9824342f00af60b70c73fd0b0b08c54f1439d6f6964ce1286a7eec748047041f

SHA512
30e7536c3209027ad3df30edd10d69b666a936c4184f3ad26ebf683ae2d066607b9eda521955af0a3cb235d6d84cc5c6fda747525bef19ec3a5016db66945889

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f080eefd41c0fca1c404d5133fb5c957

SHA1
bef3f9c014eca7cf4dc001f3d85befd3681d4bcc

SHA256
758f74e1aa31de598fbf37f70ffd76f936c0b5dd2227b17c0d8e9ac4506f3aaf

SHA512
e2066e4082f51d4064bfd68eff48c97c481bbb524bb0fa2da0b5ae25bda730811d2933480a72d91a8e5c10ac794f0e793fb8323892332eb9b7c43890ee25c4d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e5c2b600d9d473989b1ecc2180963705

SHA1
b50bd9ba4451e73054d8c1400bf1f7f05077bbba

SHA256
aea1382994a9940862f8f7c23696757180ae71fd0df8665c002b39e8767bd512

SHA512
fec2635fdd8d12412c643738fabf5490fbf88b5c937e87293dfbf7910422eabab428f98d23aad8e0800e756aadf2f4398f55a089224f3262ee103c3dc0980281

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c0da6ffb7e82157a7bb186fa4cfdbf60

SHA1
96e6488e3268e016cd064069a694f33ee66cb9bd

SHA256
ba08b47f75bc7b156592278d1cc4ce56c329ad884c7ca75cb2b62d6b85eacd6b

SHA512
d4f1080e3a209698fba2978c64001be28d1bd755f5f3a7101991303c55dbe3067fa985418988eebb076e501dd35adebd8f876aa82c3617e56ee892cb717e2d4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8aa0016c0ca2b07256a376ae16b1177a

SHA1
8c1154cef8e398799ea293c4ab0676bc3a7aaf5d

SHA256
ef0da894acbb1ef26035d42bbc8fb861da9832e3fee9f4bc2fdceefbef1ad88f

SHA512
dd886fa197f614d9c002831abb623c3b6f5cfb60639129161aa4f86121fdd3f08bd875a9c3b826eb0793de2516c071dc23d769f580986cd59913087934e66f6f

Download Submit
memory/64-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/860-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2024-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2024-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3096-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4848-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4848-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download