ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
Size

1.1MB
MD5

8b7749318d787392fa03aef03729187c
SHA1

1d92d7d5df694e1a9c1cdeb014d409d71cd2adf2
SHA256

ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8
SHA512

dccdf4f52be724590b62cc0e28569c4b1f40cea76930da62c3d103a2d5036807984e7ac8010461bf5aed4b7f1876d07e3b835e43f15e7fa69184de57b5bb8c55
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qf:acallSllG4ZM7QzMo

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3004	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1476	svchcst.exe
3004	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
1476	svchcst.exe
1476	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 704	2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe	86
PID 2824 wrote to memory of 704	2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe	86
PID 2824 wrote to memory of 704	2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe	86
PID 2824 wrote to memory of 880	2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe	87
PID 2824 wrote to memory of 880	2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe	87
PID 2824 wrote to memory of 880	2824	ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe	87
PID 704 wrote to memory of 3004	704	WScript.exe	95
PID 704 wrote to memory of 3004	704	WScript.exe	95
PID 704 wrote to memory of 3004	704	WScript.exe	95
PID 880 wrote to memory of 1476	880	WScript.exe	94
PID 880 wrote to memory of 1476	880	WScript.exe	94
PID 880 wrote to memory of 1476	880	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
"C:\Users\Admin\AppData\Local\Temp\ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c164161b5a2646282093528d7c8d1b98

SHA1
fe659db4388c556dd9a193fdfe7e4388f79f30a7

SHA256
bd5db84fdcc2a9cf9ba03048c8268be7756a8cd6d82d07150f465d7afcd72a16

SHA512
f21330c51ee75f306668d8cbd214493392ed2d9f10e83344dfcb7514417982166fdd6f726ca615da174493a5573722a781097225b6b089d199e7cfa976843d57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
632f3533b483a419318d7ef1f9372faa

SHA1
a77907f91504d110e92115da4876fc39e40bca90

SHA256
f591a728c0c813964d9b011aa43ebd941b4904e283086cea646b48e94e95289d

SHA512
182a329c1ae8fbe88ace37a4a3631ecfc29471664074adcd6987d4544681d6da37fbdc676950bb0dd6f8aed3bf697eaf7a2cabd90441efafff8a24fb8c7030f5

Download Submit
memory/1476-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3004-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3004-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download