8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e

Analysis

max time kernel
118s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe
Size

1.1MB
MD5

ae8bebb5a563463f7b73fffd789acd46
SHA1

fe25d01723f1223eadfe4939901c726ff180ddc8
SHA256

8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e
SHA512

714df6d7efacdbf3514c13e34fe69ab4da8339548b5b05bf63d8cfe421dba4c1803cc17b26d615802dda7c3a42a4fed229c74e21a0da0b715c1d3e19a38b749b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QY:CcaClSFlG4ZM7QzMP

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4128	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
5012	svchcst.exe
4128	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe
2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe
2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe
2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe
4128	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe
2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe
4128	svchcst.exe
4128	svchcst.exe
5012	svchcst.exe
5012	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2768	2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe	88
PID 2208 wrote to memory of 2768	2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe	88
PID 2208 wrote to memory of 2768	2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe	88
PID 2208 wrote to memory of 3604	2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe	89
PID 2208 wrote to memory of 3604	2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe	89
PID 2208 wrote to memory of 3604	2208	8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe	89
PID 3604 wrote to memory of 5012	3604	WScript.exe	91
PID 3604 wrote to memory of 5012	3604	WScript.exe	91
PID 3604 wrote to memory of 5012	3604	WScript.exe	91
PID 2768 wrote to memory of 4128	2768	WScript.exe	92
PID 2768 wrote to memory of 4128	2768	WScript.exe	92
PID 2768 wrote to memory of 4128	2768	WScript.exe	92

C:\Users\Admin\AppData\Local\Temp\8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe
"C:\Users\Admin\AppData\Local\Temp\8285f097e1884dc7f705cbd9cbb94bac209914e9e98fa46f8685c30feb7b204e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4128
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
691460073298e338ad2070d972e2654c

SHA1
892432ff7fbe474a9988a21abdd317bc51c55bfd

SHA256
f05baf7922ae7e4709028a133fd7155b8cd05beff22e501e9dcfd18d92ee9817

SHA512
08d52a3b188024e04c39a4766f50c50f1f67c4f4c2f981041b8ff8bfee87164c3b96c73594a84b9afe4f7fd9587f798a287ef3158e9b323e3e515a82f8b84083

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9db9f006eac8d0f30d7bbbc3c1db587b

SHA1
bea13ee18edc3c2ee1825c30613600b4fb3fc304

SHA256
f4636e7080238cf89dce86ea908b669f014d371211e61c260ac27b7058a03de4

SHA512
40796c9e5fc07f215bbf316836cf65d48cfa34918fedc0fae9580731faee4a70ddb26b854b4335216acb37bd083fb3954a02e1cd34a8f24cf4a0e2c31521e97a

Download Submit
memory/2208-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download