8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704

Analysis

max time kernel
135s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
Size

1.1MB
MD5

2a512b481d90e0062bb8d0bc1984bb97
SHA1

05732e7340d6dfe9ae849461c421c3b77cab4a3e
SHA256

8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704
SHA512

861dd67a9f0e49be56dd20ac171eea4bc2db51496fc4effcc1615eecb679c9941541e6dce6eb87217bef7350458f6d0d9d9525321e2efbba743e07b030f279ef
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QM:acallSllG4ZM7QzM7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4884	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4884	svchcst.exe
1848	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe
4884	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
4884	svchcst.exe
4884	svchcst.exe
1848	svchcst.exe
1848	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3344	4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe	95
PID 4948 wrote to memory of 3344	4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe	95
PID 4948 wrote to memory of 3344	4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe	95
PID 4948 wrote to memory of 3372	4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe	94
PID 4948 wrote to memory of 3372	4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe	94
PID 4948 wrote to memory of 3372	4948	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe	94
PID 3344 wrote to memory of 4884	3344	WScript.exe	102
PID 3344 wrote to memory of 4884	3344	WScript.exe	102
PID 3344 wrote to memory of 4884	3344	WScript.exe	102
PID 3372 wrote to memory of 1848	3372	WScript.exe	103
PID 3372 wrote to memory of 1848	3372	WScript.exe	103
PID 3372 wrote to memory of 1848	3372	WScript.exe	103

C:\Users\Admin\AppData\Local\Temp\8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
"C:\Users\Admin\AppData\Local\Temp\8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1996,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8
1⤵
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
6162452c04578107708bdaa4632213fc

SHA1
3187bd92101f0aa851d01bd1ea7f546011f52d91

SHA256
63461b9f0405c2243888d5e42ac093497bb200805b7491601f295e26e832aed4

SHA512
12012e06aed2e96c1a120f193bf865c8412f3d3400622afab447d5371f699c3c37b36c4201265ffff5c6b6ba8ac294b0cc2c6a73ea585dad0f238820ca93b70c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d24ce5a5e991d671664bc7d87fadce20

SHA1
1f66e82d22e1300e86954a1bfb34ba417981d98c

SHA256
b0fea46ed9dd08254f1b1ae663f7e0bb43ef0af69c749a17c2b72e8e66c2b8d1

SHA512
0444024693827d3576aaf97e4290004a8c00c151de7e76ec8f85f9e033156ae5af017e43f2bc9eb725c11f37bd175a432c384028372874d9f983bad57a8ac3e8

Download Submit
memory/1848-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1848-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4884-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4948-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4948-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download