8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
Size

1.1MB
MD5

e710470a86d201257e0c4f31bde5b68e
SHA1

75a6d513a86045f934b6a3cc036eaaffab5aed7b
SHA256

8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565
SHA512

393bc12e2d0eb9241ce9af1c39a79bc5e4f64b152e22153f2c02e1db4078174e2aecbe7e72e8b6599153e25e3a00eb9e47318d6d24458f52bb6470e85ef07ca4
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QJ:acallSllG4ZM7QzMK

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3796	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3796	svchcst.exe
3792	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe
3796	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
3796	svchcst.exe
3796	svchcst.exe
3792	svchcst.exe
3792	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 1856	4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe	84
PID 4820 wrote to memory of 1856	4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe	84
PID 4820 wrote to memory of 1856	4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe	84
PID 4820 wrote to memory of 1868	4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe	85
PID 4820 wrote to memory of 1868	4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe	85
PID 4820 wrote to memory of 1868	4820	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe	85
PID 1868 wrote to memory of 3796	1868	WScript.exe	94
PID 1868 wrote to memory of 3796	1868	WScript.exe	94
PID 1868 wrote to memory of 3796	1868	WScript.exe	94
PID 1856 wrote to memory of 3792	1856	WScript.exe	95
PID 1856 wrote to memory of 3792	1856	WScript.exe	95
PID 1856 wrote to memory of 3792	1856	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
"C:\Users\Admin\AppData\Local\Temp\8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3792
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5522602f8bd08617cd323b7699052410

SHA1
9f55f1a6b2fe65b2a9395fae94238f7b9bea47c8

SHA256
40ea3ba5078625bfff58ea8997cef5ce02fc7bb5b544ed731cfeba12aaa8cfe1

SHA512
84f6e63693f627b5ff72d53b63b251bb747dce30f61f501d66f05b7a900400ee5027f7d057650fc793c103c252934d6f4a3072a42b43eaa7ce3860c6b05885eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ff157b91382b60177b30983c58701ef9

SHA1
bb9ee860e0373d675db9f88dc93e968feabe547d

SHA256
76bb15abd8f5735dc9dd8e9f414d4da16eaa04a3101feaa064cc6368414b7821

SHA512
8d703b4b2966fe8cc64859ded1089896aedd97472ab8252b8b599b6135cbb79b99a05665497b31e2a82bdc379caaefa6b5792197882622fadea8a38e0c64a99c

Download Submit
memory/3792-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3796-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3796-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4820-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4820-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download