5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9

Analysis

max time kernel
93s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 04:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe
Size

1.1MB
MD5

8025a9f815a11dfc7b93a6d134c2acd3
SHA1

3c4fc7a1c0e5cf0ebd883646a3506dab0a9b7095
SHA256

5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9
SHA512

d314423b27d30072bb779c05b13e054ff1e1a4359f61a1863a844960644cba6071c6223b9adfee24ab5844d875509b365afa0f6b7dbac2c450f19fe0528f61b9
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q+:acallSllG4ZM7QzM1

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4952	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4952	svchcst.exe
4644	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe
1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe
1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe
1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe
4952	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe
1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe
4952	svchcst.exe
4952	svchcst.exe
4644	svchcst.exe
4644	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 872	1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe	86
PID 1060 wrote to memory of 872	1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe	86
PID 1060 wrote to memory of 872	1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe	86
PID 1060 wrote to memory of 3552	1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe	87
PID 1060 wrote to memory of 3552	1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe	87
PID 1060 wrote to memory of 3552	1060	5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe	87
PID 872 wrote to memory of 4952	872	WScript.exe	90
PID 872 wrote to memory of 4952	872	WScript.exe	90
PID 872 wrote to memory of 4952	872	WScript.exe	90
PID 3552 wrote to memory of 4644	3552	WScript.exe	89
PID 3552 wrote to memory of 4644	3552	WScript.exe	89
PID 3552 wrote to memory of 4644	3552	WScript.exe	89

C:\Users\Admin\AppData\Local\Temp\5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe
"C:\Users\Admin\AppData\Local\Temp\5eed1a056cc4391ec5cd4eb962348d5f7eba466bd332aea4bd5eaaaf86f536c9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
353df59a74de73516c6ac01dd1e2f158

SHA1
d31b6ccaaf989dec0fef30b413fcff9f0bf484d0

SHA256
a6f1fd459ae03edfaa837a81a2c0909d2eff962e99595b4954c591a9a3fd689b

SHA512
91cf0e83de04a6c483c37b7a5490ea248771c48d82090d6d03e53f364ef82f4b06c2f19a3545d56089767b02d04259d24342117a9dc5df0e9ec4d56fe695d6b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
191d592d38481857f97352b552bba7f9

SHA1
cef6701ea7cf66e65ea3363c8750082d400559b5

SHA256
95569bfb40dec8a86b2019408a975bd9953669e553e1fcbf5754a7bfa94a2a32

SHA512
22c684317a0f1113cb7eed682cdc46e247e531c6e501f0b65977cd6265a2b195d25a0b670e8edd9aab374b6d39339fd20499d353845ffac5d9c5de54544ee964

Download Submit
memory/1060-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1060-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4644-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4644-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4952-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download