d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb

Analysis

max time kernel
129s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe
Size

1.1MB
MD5

b8a1a428ccfa4ebf953ad2e49702f6d8
SHA1

280af5ae751560e7a3076dbba4a39b27cea8ec32
SHA256

d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb
SHA512

88239aded0cc7fb5833e4118730966345b37c451a8ec272d3e580253b1bbcad21eab8eaa2165d9b3530cb85e832f492b18ebf1f4e0f2789354d28652a65fabf1
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qa:acallSllG4ZM7QzMZ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe

Deletes itself 1 IoCs

pid	Process
2628	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2628	svchcst.exe
1596	svchcst.exe
2988	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2508	d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe
2508	d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2508	d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2508	d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe
2508	d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe
2628	svchcst.exe
2628	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3800	2508	d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe	89
PID 2508 wrote to memory of 3800	2508	d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe	89
PID 2508 wrote to memory of 3800	2508	d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe	89
PID 3800 wrote to memory of 2628	3800	WScript.exe	96
PID 3800 wrote to memory of 2628	3800	WScript.exe	96
PID 3800 wrote to memory of 2628	3800	WScript.exe	96
PID 2628 wrote to memory of 4868	2628	svchcst.exe	97
PID 2628 wrote to memory of 4868	2628	svchcst.exe	97
PID 2628 wrote to memory of 4868	2628	svchcst.exe	97
PID 2628 wrote to memory of 336	2628	svchcst.exe	98
PID 2628 wrote to memory of 336	2628	svchcst.exe	98
PID 2628 wrote to memory of 336	2628	svchcst.exe	98
PID 336 wrote to memory of 1596	336	WScript.exe	101
PID 336 wrote to memory of 1596	336	WScript.exe	101
PID 336 wrote to memory of 1596	336	WScript.exe	101
PID 4868 wrote to memory of 2988	4868	WScript.exe	102
PID 4868 wrote to memory of 2988	4868	WScript.exe	102
PID 4868 wrote to memory of 2988	4868	WScript.exe	102

C:\Users\Admin\AppData\Local\Temp\d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe
"C:\Users\Admin\AppData\Local\Temp\d37d6e8eee328ef3925b10fb62706a1137319f8074b259b37cab1823f30b02cb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:336
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
89f5dbe13232c3d53f845ad7836e9139

SHA1
0995b18007c284ed3261bcbbaf878c60f489e475

SHA256
551fde9b83c3885164339fe9268149def6a45d902fceba1489e3b2e8a8fe0143

SHA512
d669b813b63fa6b43fcc2a1a7eec75078981c940be666220884af506cea5825b43e14e68fc32b5a60ca046184bbd7e7e1adb19871a31c501b319eef085aca1cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ca638ab56e1883ffe75969d1d8c4a61

SHA1
2f32fe1ad07a21f4aade2693ef174e30427e4f26

SHA256
ab716890ffa3b303c706ba2fc2ff48ba57e82b94b3bb3198cbb5700d74218c9d

SHA512
91f259046507902e077ac73aa23005f33cb3f93b6822e325bf3dd785b7616128bae36e13ba016f6a67cdddedef644d9cf44d49bba7d989dc5e59b93d446d626c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
029cdf97cc11dfe2937a37e276b13e42

SHA1
482ab1ddf0637fc9c149d0d7a330afe597310ded

SHA256
eab9c219200b05e124b256e7d00e5d93ef0ad61cc60afd8b45184f872bad9a8b

SHA512
10e9834b1a8b762b5342a39dab1a0a30d88f36fb8092d43d19104fef26da9c99df1404caeae9ce0dee2c0f51ed24cad6deea2b0026c658fd9db2bee0d3769d2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c94ecb39b92006b4b886a41b8f41506c

SHA1
e16252e308bacbb35c13b2d15d8f328a03e0fb27

SHA256
d89b21a30b4490b19217aa9fca17d739d317484eb295cedfcba9f7f5071a19d8

SHA512
8f5cb1361d07219170fa0f84cd824e084542d68a16f66d0fa42ad1ed2addc474026bb8e2f9930232035136d809d07bb611a77262834568b06758582cf8c1d91a

Download Submit
memory/1596-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1596-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2628-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download