2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe
Size

1.1MB
MD5

b3dca870968402fb71da9d5c1fda083b
SHA1

1dcdf13661bdaf763e9675641a009747a1fa3b69
SHA256

2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32
SHA512

59ad0da720109d54fbfcf9bba85b3e95342664095fb15192430e644ad29d6990679b1902c28b2d29a1630001daedc207becf0157390f54fcf0c02b8cf3f4c264
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qs:CcaClSFlG4ZM7QzML

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1036	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1036	svchcst.exe
4540	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe
4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe
4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe
4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe
4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe
1036	svchcst.exe
1036	svchcst.exe
4540	svchcst.exe
4540	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 2788	4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe	93
PID 4480 wrote to memory of 2788	4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe	93
PID 4480 wrote to memory of 2788	4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe	93
PID 4480 wrote to memory of 2748	4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe	94
PID 4480 wrote to memory of 2748	4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe	94
PID 4480 wrote to memory of 2748	4480	2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe	94
PID 2788 wrote to memory of 1036	2788	WScript.exe	101
PID 2788 wrote to memory of 1036	2788	WScript.exe	101
PID 2788 wrote to memory of 1036	2788	WScript.exe	101
PID 2748 wrote to memory of 4540	2748	WScript.exe	102
PID 2748 wrote to memory of 4540	2748	WScript.exe	102
PID 2748 wrote to memory of 4540	2748	WScript.exe	102

C:\Users\Admin\AppData\Local\Temp\2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe
"C:\Users\Admin\AppData\Local\Temp\2814625b58926e684263331866fc246b0c4183cb96641fdfdecd4bff36a53d32.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
1⤵
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
6da66d925903fa47a8f2cf8e1d8ae15d

SHA1
f9d177c401df4ac825279c38f40f313f63e0dbe2

SHA256
8cfc4a1f0f3a3c633c556dc7eac80c631496a5d8737252f65b809f3e5e006eef

SHA512
6b295cf06a8d4ec0d72bdb644dcbc059b7d7db30b25b105eb39bda99a08fbd0b426b7a5d3d18b35a2fd3c16e8763866b1debf206494df8e0ed10bdfc90e431eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
656aad12710692771f99b79598e70dc6

SHA1
45a165cc288994fb91d57b6e87d42f89419dbdc8

SHA256
32487c8a0436acdaffcdc994dda29b258a2441d2e8b738d793c96dabfd3f6fbb

SHA512
b5d2c029a4eaf3cfdaf0019f7c34959d0e7bdd8f40be91419aae335328c8b874a9669a05e3b127a7b1992a4fa482fd46aaf687c881a3f73743eaaca741078a71

Download Submit
memory/4480-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download