2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6

Analysis

max time kernel
138s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe
Size

1.1MB
MD5

f95419e378e9b58b0a57a9760337cd15
SHA1

10c96c8ab5de74a51ba55e6b773ef6be36c88c64
SHA256

2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6
SHA512

cb343ff9774f51c2047c5353d118cf00171ac3423ab4b28a82b08f8753d4844893d1a874900c0f84611bea357b12234c490481080cbdb6f5720279627ec3c6d2
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QI:acallSllG4ZM7QzM/

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2440	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1172	svchcst.exe
2440	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe
1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe
1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe
1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe
1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe
2440	svchcst.exe
1172	svchcst.exe
2440	svchcst.exe
1172	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2188	1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe	85
PID 1464 wrote to memory of 2188	1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe	85
PID 1464 wrote to memory of 2188	1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe	85
PID 1464 wrote to memory of 1948	1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe	86
PID 1464 wrote to memory of 1948	1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe	86
PID 1464 wrote to memory of 1948	1464	2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe	86
PID 1948 wrote to memory of 1172	1948	WScript.exe	93
PID 1948 wrote to memory of 1172	1948	WScript.exe	93
PID 1948 wrote to memory of 1172	1948	WScript.exe	93
PID 2188 wrote to memory of 2440	2188	WScript.exe	94
PID 2188 wrote to memory of 2440	2188	WScript.exe	94
PID 2188 wrote to memory of 2440	2188	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe
"C:\Users\Admin\AppData\Local\Temp\2888cf9a98b8568919702da2d1ad6f7a3033bd302e0b1e3ce7f4692687ae01f6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2440
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e577f275603e1d76ea594c86621bf619

SHA1
af803e4ac4da35dee319f97fd8be2660bbb8cea8

SHA256
31c2ad6f660ec6321c6b24494f893b697b6280309f8ce009aafffe5ec590e60c

SHA512
27c231026ac089fe582aaf1aa7f14acd06ffbf916096d287dadc28f08a2d6ffdec6b1ce5ae8a7a7d5a2fe43de4937fb1193f9ca9bfdd2382d4c1e8de18845b43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c5ccf333e5bcb7b384165201c6403e83

SHA1
9d308039e6936c3c7875146128ff85b3ba028535

SHA256
4021a35227ee9b4958057b03cfccb1a0ba3200159d6ab2e3d8506ea73395ec75

SHA512
5cbb6c191e6b505ba408c41353696ac019a7f755d63900e3a7f7179a2d74f5cb52bd53fc4e0e1f52c259ea302dfd65ad63b6c0de003db1dddf8ed284d4a7a6de

Download Submit
memory/1172-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1464-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1464-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2440-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2440-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download