90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0

Analysis

max time kernel
94s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe
Size

1.1MB
MD5

4dc56dab9ca81f47180ba3a27b9b9ddb
SHA1

bb52e1e30eac480d40aace9ba3e46c0d194055c8
SHA256

90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0
SHA512

7acabbfd3ddf130858424faaf8e4088c4a0c790cec20ba1bce264d65e4e6e2ad90634b73b9e876dd0637815aa23dae9d3390dbe45209b502eb315770bc4054f5
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Ql:acallSllG4ZM7QzMu

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
2976	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
2976	svchcst.exe
540	svchcst.exe
4200	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
452	90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe
452	90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
452	90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
452	90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe
452	90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe
2976	svchcst.exe
2976	svchcst.exe
540	svchcst.exe
540	svchcst.exe
4200	svchcst.exe
4200	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 412	452	90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe	85
PID 452 wrote to memory of 412	452	90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe	85
PID 452 wrote to memory of 412	452	90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe	85
PID 412 wrote to memory of 2976	412	WScript.exe	94
PID 412 wrote to memory of 2976	412	WScript.exe	94
PID 412 wrote to memory of 2976	412	WScript.exe	94
PID 2976 wrote to memory of 2952	2976	svchcst.exe	96
PID 2976 wrote to memory of 2952	2976	svchcst.exe	96
PID 2976 wrote to memory of 2952	2976	svchcst.exe	96
PID 2976 wrote to memory of 2560	2976	svchcst.exe	97
PID 2976 wrote to memory of 2560	2976	svchcst.exe	97
PID 2976 wrote to memory of 2560	2976	svchcst.exe	97
PID 2560 wrote to memory of 540	2560	WScript.exe	100
PID 2560 wrote to memory of 540	2560	WScript.exe	100
PID 2560 wrote to memory of 540	2560	WScript.exe	100
PID 2952 wrote to memory of 4200	2952	WScript.exe	101
PID 2952 wrote to memory of 4200	2952	WScript.exe	101
PID 2952 wrote to memory of 4200	2952	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe
"C:\Users\Admin\AppData\Local\Temp\90566207783062f98077a29ae7c5134e685afa0086d74748d9716a823e2897a0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4200
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
df30f9c69beb418a62d5131faf6d00aa

SHA1
10707856b938d783319deaf57b299b9991ad8657

SHA256
5004a83bd0a11ebf6a313ee0243f8aa0283682927a2335109f278d2756713b91

SHA512
dee4d44f2c8c5d0c2adf5d8e44676b43d020955301d85cbdd9cef12613540e73d60a31e2561d0669e074b6e82ac7f0742aaa0853429267ce4c308a4081c1db57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dcda7be7bee467e770890045f8b7ae2a

SHA1
c2d1c9669b5115473dd2fcb27bb76aed83afdcd1

SHA256
5818c70269cba768813218e1a65265488b4c36ebee593535af98a52bf1eeed33

SHA512
5a69286101d6a3f52a919910584f2618e2e7adcf8b77806b5e4ecd8b881a86693df968818cec771b93b50d05849e165da0d66c5cfb121297f56cf7bef804a408

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
60ddf9c1fc37c35c52726bc8c7b3e145

SHA1
77c94185020d90b548a9a97e4ffb0e84e1da55ea

SHA256
31c46fc56ddc4bf4eb03b36c13def4ba7383595c7c5da54fe5701095644911c5

SHA512
bfc2f34d5e5fd0b3ca16a7b8fff136b9f41799afd2a15299851685ecdf62071248fbdae3e52f18cf0517c33fc421cb9f7bf472164d1b622fb4699c0077acff27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
784419f3a755c3a3449af21169da57ea

SHA1
043e928dfd9f76b0502420d86ef670429bdca8d1

SHA256
2b220a6716f2ebc584dc9bd033dd3f56b917db1cb21c415077288b98a38fde60

SHA512
def731b3ce01d27d160339a6e1973806fbd2509a9f0693b9dfc9f3a7f1e99dbdc2511dd2744891d1590feaa5b257185c6871d4b82175dc4cfe85009faff3eca7

Download Submit
memory/452-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/452-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/540-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2976-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4200-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4200-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download