887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
Size

1.1MB
MD5

66910d297bdc6ec56f57e37b0325d04d
SHA1

3e9285757083c12299c6a24cb625b0ec4f174466
SHA256

887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f
SHA512

59e1ae4d350f26cca8c1f5e215c317dc6a090914ea6aefc39e6d3009cad45e99c777d194cc047c50c4cdb43f698cdad6b38531e4e1c57a0b36198ed84f37c334
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qe:acallSllG4ZM7QzMF

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3212	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3212	svchcst.exe
1068	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe
3212	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
3212	svchcst.exe
3212	svchcst.exe
1068	svchcst.exe
1068	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 4816	560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe	87
PID 560 wrote to memory of 4816	560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe	87
PID 560 wrote to memory of 4816	560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe	87
PID 560 wrote to memory of 1544	560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe	88
PID 560 wrote to memory of 1544	560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe	88
PID 560 wrote to memory of 1544	560	887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe	88
PID 1544 wrote to memory of 3212	1544	WScript.exe	95
PID 1544 wrote to memory of 3212	1544	WScript.exe	95
PID 1544 wrote to memory of 3212	1544	WScript.exe	95
PID 4816 wrote to memory of 1068	4816	WScript.exe	96
PID 4816 wrote to memory of 1068	4816	WScript.exe	96
PID 4816 wrote to memory of 1068	4816	WScript.exe	96

C:\Users\Admin\AppData\Local\Temp\887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe
"C:\Users\Admin\AppData\Local\Temp\887f1fa587b3a5110d5bcc8ac1a96529f15c3ece03048ed9aab5669ee7a6db2f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
6c878edd4a9e534faabc9a5cc38ad45a

SHA1
334af35be6450ce1c9a360341448770342611bb0

SHA256
f8a2c5688da91a8d7f415a2c17f0ca2460deb6cb737ff0ee7005b54c5ca5c377

SHA512
54a8511f7618f44caf6055e7329ad8f658108c6845886275536b9c0ba7a176bb00c3adf8bb62eb165f08c984504a7fbbee6911ac6a9fda98e828fb9ba1155f28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cacac41b82e3697ae980773246a83dae

SHA1
c06dc8f6a36c3a393e145c19102fbdbf920b0fda

SHA256
48cc336ecac69ac31fe65689b218a2c04db77d0111410e39d747831e6d539a25

SHA512
d978d6a937fe683b52547758e9f429c1dce50237791ec28daf910eceb20a5246a47c02f0b7c9f22f5445952e3b2c3239ff1f2511ba5d7e2c5a2981ca9ecbd5d0

Download Submit
memory/560-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/560-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1068-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1068-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3212-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3212-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download