aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 21:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe
Size

1.1MB
MD5

1d2a545e972c516a1f48e043bd8ffdbb
SHA1

6556eb22bdced033804f041756898c46504241b7
SHA256

aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3
SHA512

0580eae6f968551d2becf342dc5f8bef864cfcf1c820c25c091023b9fd7d8c5ce895ef341e374e5dc10b1ebf8b61d157c0b60ad962a1812670a68247d81b557c
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qx:acallSllG4ZM7QzMy

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3848	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3848	svchcst.exe
4600	svchcst.exe
456	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe
3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe
3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe
3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe
3848	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe
3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe
3848	svchcst.exe
3848	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
456	svchcst.exe
456	svchcst.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 2336	3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe	94
PID 3344 wrote to memory of 2336	3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe	94
PID 3344 wrote to memory of 2336	3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe	94
PID 3344 wrote to memory of 5016	3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe	93
PID 3344 wrote to memory of 5016	3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe	93
PID 3344 wrote to memory of 5016	3344	aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe	93
PID 2336 wrote to memory of 3848	2336	WScript.exe	100
PID 2336 wrote to memory of 3848	2336	WScript.exe	100
PID 2336 wrote to memory of 3848	2336	WScript.exe	100
PID 3848 wrote to memory of 3232	3848	svchcst.exe	102
PID 3848 wrote to memory of 3232	3848	svchcst.exe	102
PID 3848 wrote to memory of 3232	3848	svchcst.exe	102
PID 3848 wrote to memory of 5072	3848	svchcst.exe	103
PID 3848 wrote to memory of 5072	3848	svchcst.exe	103
PID 3848 wrote to memory of 5072	3848	svchcst.exe	103
PID 3232 wrote to memory of 4600	3232	WScript.exe	106
PID 3232 wrote to memory of 4600	3232	WScript.exe	106
PID 3232 wrote to memory of 4600	3232	WScript.exe	106
PID 5072 wrote to memory of 456	5072	WScript.exe	107
PID 5072 wrote to memory of 456	5072	WScript.exe	107
PID 5072 wrote to memory of 456	5072	WScript.exe	107

C:\Users\Admin\AppData\Local\Temp\aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe
"C:\Users\Admin\AppData\Local\Temp\aea10f4af3101039360472a94e3ca99c153c48b6f11ada93f7c01cdbef0418f3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3232
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4600
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4452,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1138361b53cd9382bb409747c9863e98

SHA1
76b5f6c63f9d5f10a2e2c4f329f46352b4801c8d

SHA256
ec8fc966d58a30385cd44d58be5f53e47dc1ac975eded24b9323ce1fbcdb9517

SHA512
9f260348db0b866d54851aba6b5380779201e9bca03ed1ffef8c771531cf96abf5893aa492876ae6c3789eda601db45ac7b0a05f3e1b120a9b333fa15d30b177

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fede204f49e9e4e59d02c0b52ae7bec5

SHA1
8d4185f39ad6472bd62de9d4e65faed0e4d8c19f

SHA256
cdd8475ab404ee517e6a3b94f7bc5fa5f2ec8c5455140cbd109bfe66117090a8

SHA512
7272ef7ce211963945573c692503bc30779af4dfedbc36d7d2ec14b3468942ca65824a2236f31fc14a1d21c70ba2c3e20c1553c1bb02c3a3e7ab6cbb2dac0fce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a9c72b2584bf8d17438900d8b8b832ab

SHA1
29a0bd136f8622d67db1204a04277922b11806b6

SHA256
d434f43ceea70aac445c8e9905ef7b2225e42010c7fa1cf1d2c5f38252685434

SHA512
46e2f3aaba15ceaad4681d21ae295cd00828b7207bbe8919914c22418eaddcb6e770b9a87cb715c6923a40668922aeb7d60bce44e9782f1236d1611a6fecd46b

Download Submit
memory/456-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/456-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3344-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3344-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3848-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4600-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download