1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 23:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe
Size

1.1MB
MD5

24a3e222f50c9876a0afdf7c1ea1750a
SHA1

7b9da1981ed4a45f3cb0f6a05b11443330e6513f
SHA256

1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d
SHA512

6d8900df30e57c368e638158ab423ed0d9c6e19a38684a06fafc3876bee0ea591a9334d724c215b714b29135f494d0cf3645ee2147062e2197a8fb71118192bc
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qo:acallSllG4ZM7QzMv

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe

Deletes itself 1 IoCs

pid	Process
2416	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2416	svchcst.exe
4448	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe
4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe
4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe
4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe
4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe
2416	svchcst.exe
2416	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 972	4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe	86
PID 4564 wrote to memory of 972	4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe	86
PID 4564 wrote to memory of 972	4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe	86
PID 4564 wrote to memory of 2080	4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe	87
PID 4564 wrote to memory of 2080	4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe	87
PID 4564 wrote to memory of 2080	4564	1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe	87
PID 2080 wrote to memory of 4448	2080	WScript.exe	89
PID 2080 wrote to memory of 4448	2080	WScript.exe	89
PID 2080 wrote to memory of 4448	2080	WScript.exe	89
PID 972 wrote to memory of 2416	972	WScript.exe	90
PID 972 wrote to memory of 2416	972	WScript.exe	90
PID 972 wrote to memory of 2416	972	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe
"C:\Users\Admin\AppData\Local\Temp\1a35799644c9c8581680fb7adc699d16ec86f9fb84f687b18184cbe8f32f6a1d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2416
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
7dcb0240c4cc6db76b2cf5130420054a

SHA1
7d3873bd1a32479b0cdb1c1d948389feb700cab4

SHA256
4415145311280f9d1c737c99a3a3fc3ef405eee805c41ed5ef51dbaf28df88a1

SHA512
ed24fa2b217c6294097f819fa591317affff5460cc7d03116d7b805000b48826c6652132c08282e5782999f99fa3dc853a8a56260b3e0526631ad8b7e57090db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5d72c95c93573fdfee9d31a817cafef1

SHA1
168fc51e240be780cc134376132500dff7f3603c

SHA256
81d01fdaad80e9c17f041ce61caf574fd2b3889b54124964654649f9c8881782

SHA512
bfa32359f0c44280bf22ad01c01fa8fba05d9b554d916a1fe89196933e1746c32f28504d83635e5e9d7d19e7aefa0921c14312d4ed4f6e85dfd028f822288065

Download Submit
memory/2416-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4448-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4564-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4564-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download