346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
Size

1.1MB
MD5

2e78ab335c72ac2c7c0eb6215a70960a
SHA1

286fe6644c9ac68df13303cf9a165ac37c755f9a
SHA256

346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421
SHA512

7a5297bdc9fccd5e3368570baa9915bad928b7e688e9751e952dd03db05ee735757a74bb0a98b31544cfa8cd0652e1ec6a3739fc543e3a33b726860d1353a35e
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qf:CcaClSFlG4ZM7QzMI

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
816	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
816	svchcst.exe
1492	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2616	WScript.exe
2616	WScript.exe
2700	WScript.exe
2700	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe
816	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
816	svchcst.exe
816	svchcst.exe
1492	svchcst.exe
1492	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2616	2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe	31
PID 2156 wrote to memory of 2616	2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe	31
PID 2156 wrote to memory of 2616	2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe	31
PID 2156 wrote to memory of 2616	2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe	31
PID 2156 wrote to memory of 2700	2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe	30
PID 2156 wrote to memory of 2700	2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe	30
PID 2156 wrote to memory of 2700	2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe	30
PID 2156 wrote to memory of 2700	2156	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe	30
PID 2616 wrote to memory of 1492	2616	WScript.exe	33
PID 2616 wrote to memory of 1492	2616	WScript.exe	33
PID 2616 wrote to memory of 1492	2616	WScript.exe	33
PID 2616 wrote to memory of 1492	2616	WScript.exe	33
PID 2700 wrote to memory of 816	2700	WScript.exe	34
PID 2700 wrote to memory of 816	2700	WScript.exe	34
PID 2700 wrote to memory of 816	2700	WScript.exe	34
PID 2700 wrote to memory of 816	2700	WScript.exe	34

C:\Users\Admin\AppData\Local\Temp\346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
"C:\Users\Admin\AppData\Local\Temp\346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ddc0bf4e7ccc8e85a9316271f176c9a4

SHA1
3a1c4cd280630668eae099de2204719faa85f30a

SHA256
2b3b22a7193a58dc3304dfab0c790e40e06a0cbc4cb5bbf4844919c45fdfc690

SHA512
c472c90c7cff125c761d4b7b9c34610e6717254b6ab30f0fe1177628f463230a8cb5f39b9ea84b3f7249ddfbd10c83b358804288abcfe414602d1d9f5abcf400

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1f234631ce29e3b542d79f6896f33b35

SHA1
e78564e1f2f1bd496c1689effb934585503cb287

SHA256
07c0f7a4f1fa572b334fe4ed06eaa303e2099bc72051a63b1e79eac8c4b2c363

SHA512
eaf848fc6e77cf9050f1b7352f49156366e6a7a7e30a0fc61547d47a7a5083717c7b25bdeb5626c67e671af540f430fe25c38272c406c0d0416b0089a1928510

Download Submit
memory/2156-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download