887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
Size

1.1MB
MD5

66910d297bdc6ec56f57e37b0325d04d
SHA1

3e9285757083c12299c6a24cb625b0ec4f174466
SHA256

887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f
SHA512

59e1ae4d350f26cca8c1f5e215c317dc6a090914ea6aefc39e6d3009cad45e99c777d194cc047c50c4cdb43f698cdad6b38531e4e1c57a0b36198ed84f37c334
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qe:acallSllG4ZM7QzMF

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2956	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
2956	svchcst.exe
2740	svchcst.exe
308	svchcst.exe
2888	svchcst.exe
2900	svchcst.exe

Loads dropped DLL 7 IoCs

pid	Process
2200	WScript.exe
2200	WScript.exe
2152	WScript.exe
1296	WScript.exe
336	WScript.exe
336	WScript.exe
1296	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2372	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2372	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
2372	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
2956	svchcst.exe
2956	svchcst.exe
2740	svchcst.exe
2740	svchcst.exe
308	svchcst.exe
308	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2900	svchcst.exe
2900	svchcst.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2200	2372	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe	30
PID 2372 wrote to memory of 2200	2372	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe	30
PID 2372 wrote to memory of 2200	2372	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe	30
PID 2372 wrote to memory of 2200	2372	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe	30
PID 2200 wrote to memory of 2956	2200	WScript.exe	33
PID 2200 wrote to memory of 2956	2200	WScript.exe	33
PID 2200 wrote to memory of 2956	2200	WScript.exe	33
PID 2200 wrote to memory of 2956	2200	WScript.exe	33
PID 2956 wrote to memory of 2152	2956	svchcst.exe	34
PID 2956 wrote to memory of 2152	2956	svchcst.exe	34
PID 2956 wrote to memory of 2152	2956	svchcst.exe	34
PID 2956 wrote to memory of 2152	2956	svchcst.exe	34
PID 2152 wrote to memory of 2740	2152	WScript.exe	35
PID 2152 wrote to memory of 2740	2152	WScript.exe	35
PID 2152 wrote to memory of 2740	2152	WScript.exe	35
PID 2152 wrote to memory of 2740	2152	WScript.exe	35
PID 2740 wrote to memory of 1296	2740	svchcst.exe	36
PID 2740 wrote to memory of 1296	2740	svchcst.exe	36
PID 2740 wrote to memory of 1296	2740	svchcst.exe	36
PID 2740 wrote to memory of 1296	2740	svchcst.exe	36
PID 1296 wrote to memory of 308	1296	WScript.exe	37
PID 1296 wrote to memory of 308	1296	WScript.exe	37
PID 1296 wrote to memory of 308	1296	WScript.exe	37
PID 1296 wrote to memory of 308	1296	WScript.exe	37
PID 308 wrote to memory of 336	308	svchcst.exe	38
PID 308 wrote to memory of 336	308	svchcst.exe	38
PID 308 wrote to memory of 336	308	svchcst.exe	38
PID 308 wrote to memory of 336	308	svchcst.exe	38
PID 336 wrote to memory of 2888	336	WScript.exe	39
PID 336 wrote to memory of 2888	336	WScript.exe	39
PID 336 wrote to memory of 2888	336	WScript.exe	39
PID 336 wrote to memory of 2888	336	WScript.exe	39
PID 1296 wrote to memory of 2900	1296	WScript.exe	40
PID 1296 wrote to memory of 2900	1296	WScript.exe	40
PID 1296 wrote to memory of 2900	1296	WScript.exe	40
PID 1296 wrote to memory of 2900	1296	WScript.exe	40

C:\Users\Admin\AppData\Local\Temp\887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
"C:\Users\Admin\AppData\Local\Temp\887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
95b3658910eff5639d682f0321c735b5

SHA1
0a04c1aa18f555f5732ec5f71bdb32636b95ee1e

SHA256
15cdf89c2050db8007060db52aa70044258e5b7b3f52eb3e13dbac87b497088a

SHA512
680bdadaedd2dc153d0b1acfd33d91e8e6fb4e802960977c05ba713f24ec67d5ceb2d3d94fad99279fbb5f9adae72cc45cfb4bff2616e595ef7d1ba7a213e518

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
042e318c9ded2b7ecc27f05b209cba98

SHA1
4d061a5ab25d88e453ecd4db7f90a3a5b1efb301

SHA256
e174b74362dae3520eca3f9dd668d19275940b4851774ac586a91b907dda67ce

SHA512
adcb4aeadb06b2a63bf5869265baf4545058f85e61701fac88b5b84d802786cc9896db3f6a6f9b1ec0f390384fb761fc6c78b41f68db18f185d1924e986f31c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4a0fca8fe5e1cde8fb0056d7cda869c8

SHA1
c92329b5d661b66130e5ab7a9e9d5e9721d3b4f9

SHA256
e58e208f107470377893d5a88c133fadd9f6439a6611976e2cffb86b2ef1e959

SHA512
53010b899c807c868e5c9fb5ef9fa2191f3c88b243f8fadee6fe5266d7618a347fa9cb2648208d5286fc3fd78ba8edec472cffbfb5ec169ecefb1c9124f37802

Download Submit
memory/308-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1296-51-0x0000000005CB0000-0x0000000005E0F000-memory.dmp

Filesize
1.4MB

Download
memory/2152-26-0x0000000004590000-0x00000000046EF000-memory.dmp

Filesize
1.4MB

Download
memory/2200-14-0x0000000004630000-0x000000000478F000-memory.dmp

Filesize
1.4MB

Download
memory/2372-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2372-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2740-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2956-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download