01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a

Analysis

max time kernel
95s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
Size

1.1MB
MD5

2e788badf8885c5f3a3644c05ca3a2b6
SHA1

f7b531e1ae2312ded4c85feef533042701932b94
SHA256

01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a
SHA512

7ae109c68ba8e385b7bb3b0106f6d211ffd709b837c8efedcb96dfe67a9392480b923f971f9880e5805cf3daf70ed3400867a2bd96b9b79b64e87f6b307e6414
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qy:acallSllG4ZM7QzMh

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4804	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4804	svchcst.exe
1512	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe
4804	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
4804	svchcst.exe
1512	svchcst.exe
1512	svchcst.exe
4804	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1008	2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe	86
PID 2172 wrote to memory of 1008	2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe	86
PID 2172 wrote to memory of 1008	2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe	86
PID 2172 wrote to memory of 4396	2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe	87
PID 2172 wrote to memory of 4396	2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe	87
PID 2172 wrote to memory of 4396	2172	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe	87
PID 1008 wrote to memory of 4804	1008	WScript.exe	89
PID 1008 wrote to memory of 4804	1008	WScript.exe	89
PID 1008 wrote to memory of 4804	1008	WScript.exe	89
PID 4396 wrote to memory of 1512	4396	WScript.exe	90
PID 4396 wrote to memory of 1512	4396	WScript.exe	90
PID 4396 wrote to memory of 1512	4396	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
"C:\Users\Admin\AppData\Local\Temp\01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4804
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1e3848bb87eec504312e80e2348882ec

SHA1
8eb26891e237d6e3c85fe20c3b14bf8c3dc323eb

SHA256
8bef5e5a55e9461b520bfe10989a64d370de449f2d726a9362d32b81d41142d3

SHA512
84307b0c86dd1e3f390220cf123870dcf5ab4565ef98c4bfa49444cffb17304bccad777c9f124031e9b4ac2cd135c4bb8dcd287a39e62b0e784885f620d1facc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9d1415fcb09189bdb7a9c7c3df8fa646

SHA1
5d34cef146994cefc073f04553e1e9b310b8a373

SHA256
79dcfef08c13384d1f7f5f1afc82725a78dba6f62f8b5dc1d3231a0cdbf90d80

SHA512
26dbee760bb98b85fa0dd9b74384a029f8e5699f8003acf0d0f3c958642c176046f04c916f8c2bb3a4616c321f85977105179b90b8ea66dd79cf569e866110cf

Download Submit
memory/1512-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2172-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2172-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4804-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download