e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206

Analysis

max time kernel
133s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe
Size

1.1MB
MD5

fd353a0247692094650e20a9cbc82821
SHA1

f526d75f147d0979c75ac914774f6f3ca15acfc4
SHA256

e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206
SHA512

28257543b92924ff180ee367bbe27c263c41314cee5946d96a8007d51cca214815112341af84f354ee756c8800aa668179b4cb0075c54bad3b811f27f64e70c1
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMy

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3816	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3816	svchcst.exe
8	svchcst.exe
2728	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
968	e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe
968	e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe
3816	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
968	e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
968	e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe
968	e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe
3816	svchcst.exe
3816	svchcst.exe
8	svchcst.exe
8	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 2672	968	e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe	86
PID 968 wrote to memory of 2672	968	e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe	86
PID 968 wrote to memory of 2672	968	e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe	86
PID 2672 wrote to memory of 3816	2672	WScript.exe	94
PID 2672 wrote to memory of 3816	2672	WScript.exe	94
PID 2672 wrote to memory of 3816	2672	WScript.exe	94
PID 3816 wrote to memory of 3304	3816	svchcst.exe	95
PID 3816 wrote to memory of 3304	3816	svchcst.exe	95
PID 3816 wrote to memory of 3304	3816	svchcst.exe	95
PID 3816 wrote to memory of 1960	3816	svchcst.exe	96
PID 3816 wrote to memory of 1960	3816	svchcst.exe	96
PID 3816 wrote to memory of 1960	3816	svchcst.exe	96
PID 3304 wrote to memory of 8	3304	WScript.exe	99
PID 3304 wrote to memory of 8	3304	WScript.exe	99
PID 3304 wrote to memory of 8	3304	WScript.exe	99
PID 1960 wrote to memory of 2728	1960	WScript.exe	100
PID 1960 wrote to memory of 2728	1960	WScript.exe	100
PID 1960 wrote to memory of 2728	1960	WScript.exe	100

C:\Users\Admin\AppData\Local\Temp\e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe
"C:\Users\Admin\AppData\Local\Temp\e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:8
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0e23894653478d15ef7408bde60850ad

SHA1
f9331bbc0fb7069350cbf6e165632500f8a4c441

SHA256
ea0bc17a6e5bb3c5ecd9e799c9dbb10b591fbda59f3e36cae84df6103b95050e

SHA512
ad373bb322f708e7017522a4554000b145564b082aa042a8d0c02b7cba6d2bfe20e2a392cdca236131ebede4e093d1f94457d97ef8427db8586c5691d93d0a00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
07fdb3c99cebd73ff8f34ec601facb45

SHA1
2ddbabb9aae17b30895b60342decb3528120e27f

SHA256
ead0ce824cc8433a5aef025c22c419bb8363767096c5dc616f05170d89815b32

SHA512
b93d3c2974c0c7ec1ae4e94d7a8cfff6c83ee3c63322c311305b4d2127732b4acff6f8c0f887f5b675bcffec446572de0a41c4a7b323cd3f834305df1c8f2bb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b8ca7baa372b0bd38c209e8298d1915d

SHA1
5c682a06eb178deddad420268204e1324aaa1e9b

SHA256
e88d35a55939d9118982a7f621cd5edf8b7d563aa9a5237e3364ac25212ee51b

SHA512
c4ab5baab9b29a358b29442f730299ebf54414fe0b237e8ceb3177d1367cf296b3f810a55645b932d40cdcab38b43cec1c37b531875923c2d8d08227ac48045d

Download Submit
memory/8-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/8-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/968-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/968-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2728-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2728-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3816-20-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download