a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 23:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
Size

1.1MB
MD5

8d87d05ca04413c9cfc7e5d56692fc6d
SHA1

1ee85396d84d27830c145eec3f7a00a6ea50d097
SHA256

a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0
SHA512

6d1ce16db3324c5529733787c10f7c9a50250a83008061129672bbcf5e4ba5e4b2aa9a330fcc29751c6f24dc7d885f7ec95932137f30b66d6f682bf1df4411a2
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QS:CcaClSFlG4ZM7QzMR

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2252	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1092	svchcst.exe
2252	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
2252	svchcst.exe
2252	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 2504	3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe	85
PID 3908 wrote to memory of 2504	3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe	85
PID 3908 wrote to memory of 2504	3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe	85
PID 3908 wrote to memory of 2808	3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe	86
PID 3908 wrote to memory of 2808	3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe	86
PID 3908 wrote to memory of 2808	3908	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe	86
PID 2504 wrote to memory of 1092	2504	WScript.exe	93
PID 2504 wrote to memory of 1092	2504	WScript.exe	93
PID 2504 wrote to memory of 1092	2504	WScript.exe	93
PID 2808 wrote to memory of 2252	2808	WScript.exe	94
PID 2808 wrote to memory of 2252	2808	WScript.exe	94
PID 2808 wrote to memory of 2252	2808	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
"C:\Users\Admin\AppData\Local\Temp\a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
cc4faa476fd15bc116d5e3bfe4cb4911

SHA1
a76dc32d89c869ccfc5caff583a2b4cc8b2f50b8

SHA256
bf484806673a3c91e7b02a699fb13e376b0c8698a95994d9cfbad82a473eba6a

SHA512
d2abb85f6177bf8675112dff5ce8ca973c8e907d52b4ffba83b58b5a4833b6054b31ec2ad36d8c27b633d5ae3c285528b65e2fe1f60e3c602b5d20ccc04c2d8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
44744df81eaa3b80a1dfba7b89cf0e3e

SHA1
991e5e28cb17edfb33a2d13fffbe973649bea30b

SHA256
1b03409c6ae5373836ccf29617df46cd9cbb312cd0c517809736a5bfa14e195a

SHA512
4c24ff0d00c030d18eb57963a1b4af2603e6a9869458b0dc7d9827a85c52a7c8ef6941bd262d3db070435f547b8ce9ea8165ac47994c028150f47d592d8c235f

Download Submit
memory/3908-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download