Analysis

  • max time kernel
    135s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/08/2024, 12:14

General

  • Target

    896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe

  • Size

    1.1MB

  • MD5

    330db759660bd928ed72b46a357590f8

  • SHA1

    504931920bd285359cf085b1ba64bf22562b7113

  • SHA256

    896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e

  • SHA512

    333bfc4af7c11afccbd23aef9dee1d7af57a7d90c98afb26db34b70eefce5786ada010076826bbf944ca4aee0df1fd2af5280117f0e699e2ba2afbbbd18ab854

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qu:CcaClSFlG4ZM7QzM1

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe
    "C:\Users\Admin\AppData\Local\Temp\896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4388
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1036
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1464
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4764
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5092

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    a190bb948e180cb61d93d3c2bc24012e

    SHA1

    70d446a96aaa21f0d7ced2c5de3656aa7b1d8304

    SHA256

    6093e9d7e33ccdfacd0d556373f7a392ec7c10baf48bd5f0d6ee5c23aec436db

    SHA512

    3d858c3ab2e0cd105c83e80a1c03da81e3cce559ee2772941f7dd6a3039269225adb6ed0d6f5f001dacbab99671265c09d3f6a14d88120f50af1f7f7543d8c0d

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    1a94fff9bade36e4d067e0fcefb1a8f5

    SHA1

    1713c3fc499a56cd97035e44405e0b5e1a0a586b

    SHA256

    1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

    SHA512

    89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    da8cf640b6e4bc8156b5a3858088dc01

    SHA1

    8a9b4cd0be7c65e732fb506dc46b1901674c2a53

    SHA256

    f391d30b892c14f8140ad289e023f1cf0358d25e3f26e5a823ca96540f348c62

    SHA512

    13b793c7cf3722a7f0470840106f429cf6f16a9517b4ae0030b0b84d1ed7c67a87c0ab6e9f8e29d1f249a09638e6e09d3e738e18223d1c7291bca1ed90f6012f

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    1cf9c499c8e94ddc6c5d0198b738686f

    SHA1

    a93077602ff508bdff7adeaa842bb81cbc7fc51b

    SHA256

    9cf45cd1e4860f1a38c2335b34d8bacae45cd73360ef1fa7fd96c85a64797552

    SHA512

    a3e4b4026e83c71e7573f4456b5b5b60928498df06b5a7c7fa829c9a168855a4f3e45793e9baaf6678f0c343c70ffda5d2795c4696cd58bde002142e83a6399d

  • memory/1892-10-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB