3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe
Size

1.1MB
MD5

596101e66d930e018f63b440c56c1726
SHA1

0e3726435db251e7f74b89559afbfa2f060180f1
SHA256

3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492
SHA512

83e6f4fe57bd578226b848c8d187549b9f44ff0bc032a2cb366fee38a85c400f7116b8da4de1d78c10ef5c792af2d79ef1dcc1268a1a7958493e6146f0189e4c
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QJ:acallSllG4ZM7QzMq

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2252	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
2252	svchcst.exe
1200	svchcst.exe
3060	svchcst.exe
2944	svchcst.exe

Loads dropped DLL 6 IoCs

pid	Process
3004	WScript.exe
3004	WScript.exe
2964	WScript.exe
2964	WScript.exe
3028	WScript.exe
2152	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe
2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe
2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe
2252	svchcst.exe
2252	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
3060	svchcst.exe
3060	svchcst.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2964	2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe	30
PID 2268 wrote to memory of 2964	2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe	30
PID 2268 wrote to memory of 2964	2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe	30
PID 2268 wrote to memory of 2964	2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe	30
PID 2268 wrote to memory of 3004	2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe	31
PID 2268 wrote to memory of 3004	2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe	31
PID 2268 wrote to memory of 3004	2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe	31
PID 2268 wrote to memory of 3004	2268	3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe	31
PID 3004 wrote to memory of 2252	3004	WScript.exe	33
PID 3004 wrote to memory of 2252	3004	WScript.exe	33
PID 3004 wrote to memory of 2252	3004	WScript.exe	33
PID 3004 wrote to memory of 2252	3004	WScript.exe	33
PID 2964 wrote to memory of 1200	2964	WScript.exe	34
PID 2964 wrote to memory of 1200	2964	WScript.exe	34
PID 2964 wrote to memory of 1200	2964	WScript.exe	34
PID 2964 wrote to memory of 1200	2964	WScript.exe	34
PID 1200 wrote to memory of 2152	1200	svchcst.exe	35
PID 1200 wrote to memory of 2152	1200	svchcst.exe	35
PID 1200 wrote to memory of 2152	1200	svchcst.exe	35
PID 1200 wrote to memory of 2152	1200	svchcst.exe	35
PID 1200 wrote to memory of 3028	1200	svchcst.exe	36
PID 1200 wrote to memory of 3028	1200	svchcst.exe	36
PID 1200 wrote to memory of 3028	1200	svchcst.exe	36
PID 1200 wrote to memory of 3028	1200	svchcst.exe	36
PID 3028 wrote to memory of 3060	3028	WScript.exe	38
PID 3028 wrote to memory of 3060	3028	WScript.exe	38
PID 3028 wrote to memory of 3060	3028	WScript.exe	38
PID 3028 wrote to memory of 3060	3028	WScript.exe	38
PID 2152 wrote to memory of 2944	2152	WScript.exe	37
PID 2152 wrote to memory of 2944	2152	WScript.exe	37
PID 2152 wrote to memory of 2944	2152	WScript.exe	37
PID 2152 wrote to memory of 2944	2152	WScript.exe	37

C:\Users\Admin\AppData\Local\Temp\3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe
"C:\Users\Admin\AppData\Local\Temp\3da775350d0ae2e7e03c8844ee70fa5d4c689bc9188266b266e9eae17a91f492.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2944
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3060
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
9d1957e0e6b2d5e5b508cf7a11a2f387

SHA1
0dc122e6ca7bfd4835d8cc79b785aa8e288bde9f

SHA256
8470d0f2325961e71e5dc66fc919dc0515f9f81b8f3dd9b3e300b3370e5e46c8

SHA512
ec20dd4a9f09febd8027c0c7cf4679217451b114a1a094d47bad17aaa8ab5d1b0a5444bac80dbb63a4519d8adb36cfb0e4afab91bd5140b38dfaa8f1907c0f86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dd6e8c0289a81c3bec87439c72e4d468

SHA1
0ea71faff8dde4abfb81c0d81bb0c544d2a3c413

SHA256
30baa565fb1297a4c032324ef1322bf67cdd641fca9e5f2b7f5580e3c1f32dac

SHA512
199433e319c08587fb55502dbfcd581644abbb97ea311f1e1097d354b27a529ccb2fbe4af422cf81d7a4abbb77d17f7e3ca5d5cb6f9ea84fcde7c0232e66c831

Download Submit
memory/1200-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3004-20-0x0000000003B40000-0x0000000003C9F000-memory.dmp

Filesize
1.4MB

Download
memory/3004-19-0x0000000003B40000-0x0000000003C9F000-memory.dmp

Filesize
1.4MB

Download
memory/3060-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3060-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download