4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe
Size

1.1MB
MD5

af79f57a7ba2da15c0501e3b3e4081ab
SHA1

b16a393c30f792c9d50e754907c6f4805dab7102
SHA256

4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192
SHA512

677a1b6fe577bdeb75140f1098a3600a52ae6631806b2e214d6ab9ba85c7d231c6fad02c589e6ddbd1266f60ec1ad43bbabe4a09f2f494ef080d97185c1b1eff
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q5:CcaClSFlG4ZM7QzM6

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe

Deletes itself 1 IoCs

pid	Process
3472	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1912	svchcst.exe
3472	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe
2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe
2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe
2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe
3472	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe
2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe
3472	svchcst.exe
3472	svchcst.exe
1912	svchcst.exe
1912	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3088	2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe	86
PID 2412 wrote to memory of 3088	2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe	86
PID 2412 wrote to memory of 3088	2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe	86
PID 2412 wrote to memory of 1360	2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe	87
PID 2412 wrote to memory of 1360	2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe	87
PID 2412 wrote to memory of 1360	2412	4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe	87
PID 3088 wrote to memory of 3472	3088	WScript.exe	94
PID 3088 wrote to memory of 3472	3088	WScript.exe	94
PID 3088 wrote to memory of 3472	3088	WScript.exe	94
PID 1360 wrote to memory of 1912	1360	WScript.exe	93
PID 1360 wrote to memory of 1912	1360	WScript.exe	93
PID 1360 wrote to memory of 1912	1360	WScript.exe	93

C:\Users\Admin\AppData\Local\Temp\4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe
"C:\Users\Admin\AppData\Local\Temp\4c6e3040d0830419bbd71eab76dbfdfed3a7d7725767abecc925bc9386437192.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3472
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a4b37e10eca201c92055aeb496836b7b

SHA1
866aee95a89abd0df0dbb7984ef7ad0ffb554580

SHA256
8a9e43c5aa518b58693d15c90ce357bc31e49a5662fb4758a0dc759eeb464b88

SHA512
2838c45f9b3c869ae505aa8d3917f029a6a6beebcc4744f264ca09f8b186676ee32c23bfbd0e520c447c99f3bc82a37c73c6eb06b5fd78de1a11244e0d30ff00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c8477f09a31d1ba4e8571bc40f6c5b5b

SHA1
bc5b40a9070d418dafa70309a4b59af80d8fc6fd

SHA256
af7433c01bd43ba0cced0cdfeeae49a9d6737fbed0f42f82636eb598fdee64bc

SHA512
2a70da74a35b631b906728b848763c6111ab08d7eb7d03a9524632b5ff2141e152ba7322551fa0e7d4353740966e432595a7571fb1fcd564094868f80a157b10

Download Submit
memory/2412-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download