1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
Size

1.1MB
MD5

dc5d1e9cb9933554ab659e0a98eb5ec5
SHA1

7b433a9b972d2121bc39b476cb0be1306e6131b8
SHA256

1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266
SHA512

6a72b307ea77df10de1159ca4ef0e32ffbff1ebd1985fe46585df323e7ab00283198b7211a6799a5d00a3b9c357e74012d3da691d0e030d9103c21326c585a54
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q5:CcaClSFlG4ZM7QzMK

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2132	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2132	svchcst.exe
816	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
2132	svchcst.exe
2132	svchcst.exe
816	svchcst.exe
816	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 3836	3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe	85
PID 3600 wrote to memory of 3836	3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe	85
PID 3600 wrote to memory of 3836	3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe	85
PID 3600 wrote to memory of 4052	3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe	86
PID 3600 wrote to memory of 4052	3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe	86
PID 3600 wrote to memory of 4052	3600	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe	86
PID 3836 wrote to memory of 2132	3836	WScript.exe	94
PID 3836 wrote to memory of 2132	3836	WScript.exe	94
PID 3836 wrote to memory of 2132	3836	WScript.exe	94
PID 4052 wrote to memory of 816	4052	WScript.exe	95
PID 4052 wrote to memory of 816	4052	WScript.exe	95
PID 4052 wrote to memory of 816	4052	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
"C:\Users\Admin\AppData\Local\Temp\1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
dc33597abd08587ab97a10daf2410a7a

SHA1
b88c29c4ec324179b2d302e0a3da8f98ba699700

SHA256
93cf2f25a744403e8e19c57987e45f962ade441b644f0cd4c31c9ff54ecdc5df

SHA512
1784aba45a2c54f66cf14eb752a9e4889ea04706c71daa09362bcfa97654a2987d4be503af4c2e8092ddc0f4c844447c8e46f6f902c3e8993f8185269078e2cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dfa76060611c7a89da0c8e8343f52ff4

SHA1
5dc65058bc54157a8868d60b9635e8900811784e

SHA256
8dd47e43bfb041ebb3b90907d56b07a64f7ffc949fd838a683b28f622c5606d5

SHA512
bd2c0dbe7e6e34c1d68b4356f925a7ce0da3c2b8be9dca9f425fb797fa7bc7e97b9410c22ae9176e69d966c911d740e34cae74561e0728cfc4f518f823eaa20a

Download Submit
memory/3600-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download