72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f

Analysis

max time kernel
91s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe
Size

1.1MB
MD5

a43f2960545f3ef4e68845c54156e45d
SHA1

c46efddec1e9489fb23cd72df8aa6fae3a7b8927
SHA256

72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f
SHA512

47cb712f7f23947867403bf4bc55ac2a63d40829c4db825c8773ba0769881fd13f72b305d6383337165d647193ca97caefbe806b4c9dce8be458f792ca363b44
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QU:acallSllG4ZM7QzMz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4284	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4284	svchcst.exe
4328	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe
2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe
2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe
2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe
4284	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe
2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe
4284	svchcst.exe
4284	svchcst.exe
4328	svchcst.exe
4328	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1032	2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe	88
PID 2844 wrote to memory of 1032	2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe	88
PID 2844 wrote to memory of 1032	2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe	88
PID 2844 wrote to memory of 1672	2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe	89
PID 2844 wrote to memory of 1672	2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe	89
PID 2844 wrote to memory of 1672	2844	72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe	89
PID 1032 wrote to memory of 4284	1032	WScript.exe	91
PID 1032 wrote to memory of 4284	1032	WScript.exe	91
PID 1032 wrote to memory of 4284	1032	WScript.exe	91
PID 1672 wrote to memory of 4328	1672	WScript.exe	92
PID 1672 wrote to memory of 4328	1672	WScript.exe	92
PID 1672 wrote to memory of 4328	1672	WScript.exe	92

C:\Users\Admin\AppData\Local\Temp\72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe
"C:\Users\Admin\AppData\Local\Temp\72080a5e554d949258ea9ddc114659a307b4928cec6541991530cc62c88f1e2f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4284
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5fdc74540d02d6331b30bb965a8794ef

SHA1
dc4b514e07fdfc5199759bfe22f04293c2c6f298

SHA256
ea8196850d39e878643aacc11ae8262bf94ea37e9a48f8732b3fac663f77d826

SHA512
7f68ea89f0b8ca857e19de9cccdfb4b448b27c66929ac17165a1e2e579d39935a0ed9f71e61623f93fe98fe11d918336b6294498de67bf7a1638a4ae861c0b9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0c5c958e4384431332d7868da48c89d6

SHA1
58f9500077b2023bfeb352c805a88b95ec2b0a95

SHA256
94ef5da6cdffce6572be0666df6ae363e7e97e8546210a7cdabb59a9427aa101

SHA512
f85e47c25088885b30bd82e2619fb3305022893201e4f845c51dc8796365eb4b8e576a2a0851b0524d1338c132c8e03ce966bd329e311140d71eb8ec38d7bc07

Download Submit
memory/2844-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2844-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4284-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4328-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4328-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download