9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
Size

1.1MB
MD5

8faa5b16670373760161e9bee8db8183
SHA1

83866a5d1e7640497605d1482c3aa1e4906243a4
SHA256

9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3
SHA512

92be5a4f0c8832c2df07ed1490ae0c529769781de6d5df2519c1b1b74535a8cd77c5b5b3ab01b5305c50ecba0d1f15e01625c833c7dacd43fd4cd515c919a05b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q6:CcaClSFlG4ZM7QzMJ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1876	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1876	svchcst.exe
3124	svchcst.exe
1192	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
2728	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2728	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2728	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
2728	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
1876	svchcst.exe
1876	svchcst.exe
1192	svchcst.exe
3124	svchcst.exe
3124	svchcst.exe
1192	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 3140	2728	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe	86
PID 2728 wrote to memory of 3140	2728	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe	86
PID 2728 wrote to memory of 3140	2728	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe	86
PID 3140 wrote to memory of 1876	3140	WScript.exe	94
PID 3140 wrote to memory of 1876	3140	WScript.exe	94
PID 3140 wrote to memory of 1876	3140	WScript.exe	94
PID 1876 wrote to memory of 2324	1876	svchcst.exe	97
PID 1876 wrote to memory of 2324	1876	svchcst.exe	97
PID 1876 wrote to memory of 2324	1876	svchcst.exe	97
PID 1876 wrote to memory of 1716	1876	svchcst.exe	96
PID 1876 wrote to memory of 1716	1876	svchcst.exe	96
PID 1876 wrote to memory of 1716	1876	svchcst.exe	96
PID 2324 wrote to memory of 1192	2324	WScript.exe	99
PID 2324 wrote to memory of 1192	2324	WScript.exe	99
PID 2324 wrote to memory of 1192	2324	WScript.exe	99
PID 1716 wrote to memory of 3124	1716	WScript.exe	98
PID 1716 wrote to memory of 3124	1716	WScript.exe	98
PID 1716 wrote to memory of 3124	1716	WScript.exe	98

C:\Users\Admin\AppData\Local\Temp\9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
"C:\Users\Admin\AppData\Local\Temp\9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3124
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3b5623d85d329f0a61e4bc0472d7b010

SHA1
e6d801f14caef9c44daad2c7e93e5a3bc8dd4fad

SHA256
43eb0940cf215a2e8aa0ae630bfdf408e23089c07342b0a3ba9dafe2be2ef355

SHA512
1aa42f24487726ea6aaab23ca320dca2a0b134f3a515ee9ad6bd49800014806e95b7d6f631169f29335cf9eff03c88579ca1e6a03002f1cb61db0556706ceb02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7c354203b4e707dda35a0ed19d06c6fb

SHA1
d3a0135abd2de1a9ca7a104a4c3f449d2f360650

SHA256
d6a2336d3ea5c2c7859ca78a3d6e39dc3b4ea151617c6d48bde9e8cfb709854e

SHA512
9fa9d7e3df72b2beaebe5f3f5e97c6ffbbb4d2f3e847ea044d8ede0d2683a180caffa566b7dbe0ce855fd253dfddd0d9889f5b6eeaa81e91177998555628233a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e528c3be686cd5c578ddcddf3e89489c

SHA1
a4ca56dce1f6dab8708b6762da7d3746918acc8c

SHA256
ca566fbe25f189dc1c589f1253628790d67f7f5a90916f7ce88f9dd5f664429f

SHA512
340727f32e4e85078e26612137cc3366712ada524cccfb2c58c8a7502e5c416bd93cdf9f45babddc25425a639dc0a8d102659ff4490c98f7caf9879d1b2356d4

Download Submit
memory/2728-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download