Analysis
-
max time kernel
104s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
08-09-2024 19:36
General
-
Target
0c4381b016520307be0b41fb9f66baf3187966794a15842838dae0d11a876122.exe
-
Size
1.1MB
-
MD5
4727ee52f847cfcb427ec5ae35a07dc6
-
SHA1
494200d563d1f477f9da7884c368f64ee7b05ea5
-
SHA256
0c4381b016520307be0b41fb9f66baf3187966794a15842838dae0d11a876122
-
SHA512
50bacff8fc89b469843d299adb59f016a21e9a23f090eafb8fa08be250c48ffe4f38bd6391bfeede1ac9195e26e56279ce4d3020ab3713fa2e9fce6f51bdbc15
-
SSDEEP
24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QE:CcaClSFlG4ZM7QzMj
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c4381b016520307be0b41fb9f66baf3187966794a15842838dae0d11a876122.exe"C:\Users\Admin\AppData\Local\Temp\0c4381b016520307be0b41fb9f66baf3187966794a15842838dae0d11a876122.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753B
MD53ee4a2b7949a82f4559296e5d5f14402
SHA1c4f7e4166d36c9075aac9528df506d319efff5b7
SHA2560de891696b69aff9d6d9b8eb6cb62651c74ae7f3a3f8c09119844033d61b7c23
SHA51261a046f3e9d0e03aff10f41ec0db3325013f54b4c7e7d528ca3619d010e131c2dcd7831412d34208fe90b10e2a42b6f1afe856550099b4a63d6930460a1d0b3b
-
Filesize
1.1MB
MD539347bdfb006bd10f6fb8e79ff4e5c6a
SHA1436d0e6e8a7858a8fbbf196ac71a632b1cef9e8c
SHA256f3d809f708486bff18ef552633ff91d102cf63724f9bec97e8e3dc848623cabe
SHA5129fb7b00b559512e7119267f7ff459b621ca303faaafe9ac72e0bbf709367cd0adcdeb883686ee3667fdb13be5e97c7572b1db1cc8bd83d44c8bd8c4c9e38e238
-
Filesize
1.3MB