346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
Size

1.1MB
MD5

2e78ab335c72ac2c7c0eb6215a70960a
SHA1

286fe6644c9ac68df13303cf9a165ac37c755f9a
SHA256

346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421
SHA512

7a5297bdc9fccd5e3368570baa9915bad928b7e688e9751e952dd03db05ee735757a74bb0a98b31544cfa8cd0652e1ec6a3739fc543e3a33b726860d1353a35e
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qf:CcaClSFlG4ZM7QzMI

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3144	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3144	svchcst.exe
3304	svchcst.exe
2992	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3288	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
3288	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
3288	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
3288	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe
3144	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3288	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3288	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
3288	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
3144	svchcst.exe
3144	svchcst.exe
3304	svchcst.exe
3304	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 1584	3288	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe	86
PID 3288 wrote to memory of 1584	3288	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe	86
PID 3288 wrote to memory of 1584	3288	346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe	86
PID 1584 wrote to memory of 3144	1584	WScript.exe	93
PID 1584 wrote to memory of 3144	1584	WScript.exe	93
PID 1584 wrote to memory of 3144	1584	WScript.exe	93
PID 3144 wrote to memory of 3876	3144	svchcst.exe	94
PID 3144 wrote to memory of 3876	3144	svchcst.exe	94
PID 3144 wrote to memory of 3876	3144	svchcst.exe	94
PID 3144 wrote to memory of 3336	3144	svchcst.exe	95
PID 3144 wrote to memory of 3336	3144	svchcst.exe	95
PID 3144 wrote to memory of 3336	3144	svchcst.exe	95
PID 3336 wrote to memory of 3304	3336	WScript.exe	98
PID 3336 wrote to memory of 3304	3336	WScript.exe	98
PID 3336 wrote to memory of 3304	3336	WScript.exe	98
PID 3876 wrote to memory of 2992	3876	WScript.exe	99
PID 3876 wrote to memory of 2992	3876	WScript.exe	99
PID 3876 wrote to memory of 2992	3876	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe
"C:\Users\Admin\AppData\Local\Temp\346ad47da9490d7fda48474042d2e30a8a7c9c72beb19957cababaa0fd2a1421.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3876
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2992
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
7b31c1376a26a51a55e0b1d295797d2d

SHA1
d6806e7122a56ad32c296ecccf206d6c9db533d4

SHA256
39c3fac7fcbabf7fb7bc71306b39679e8d187e56166f98ea1ce4f6585c02812e

SHA512
655fc884ca9b6b13b148dae3b4965cd27be88248a43182297b06a7759246a37722df0ffbdc0d7c0811d7af78c5308bb9edd16dd64b2a9666cfe6a0db9e1b146a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2415b6a024d5bbb7aed06a97487f763c

SHA1
ab99b86f8b21362523e24c5ffc53109815559dae

SHA256
333330ecbada8f218f6ebf3f41fe78adae8c1e548e63970cfabae8f68239c725

SHA512
1d41dc3c781549bf9398e3753f1a9e10de88fc70085649d92c7d1ceac8fc44f156b4a9414a4b324d5733e82821ef2565ae69fe512e7037a6ff581060f48b300b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8512135f800dd16dd29d31ceed391216

SHA1
423a7b1a23cc6f1824dbb52380fa9baae1f8472f

SHA256
274cdd9032d1f83b18810de8064437b28d3e37d27743bfec150c589bb064a93a

SHA512
b5d63afd0ae243821f397570ec30f45f8f2465d4e59d7d67585c3e9b3fabebb9f59e383c5e16e1ac6e5b5f8c3d132b32089f4e1201735e06045f437a4b186a6b

Download Submit
memory/3288-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download