Analysis
max time kernel: 136s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/09/2024, 07:04
Static task: static1
Behavioral task: behavioral1
  Sample: 94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
  Resource: win10v2004-20240802-en
General
Target: 94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
Size: 1.1MB
MD5: 9cb2e24f881a465caa69b86f8e0c77b1
SHA1: afe16b2327a4cd552d5969da5758193c377c5a16
SHA256: 94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86
SHA512: f4fd3263b48f7447f9026e1cb22b6d4f836741405dd5e3be1c5ddcaa9c6733ef2433595617038e8a47db50b9b7a57be50ced41f6fe8badb45217a5c6fd8c44c2
SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q6:acallSllG4ZM7QzM5
Malware Config
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | 94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | WScript.exe

Deletes itself (1 IoCs)
  pid | Process
  2596 | svchcst.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2596 | svchcst.exe
  3012 | svchcst.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchcst.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchcst.exe

Modifies registry class (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | 94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3360 | 94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe (4 entries)
  2596 | svchcst.exe (60 entries)

Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  3360 | 94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  3360 | 94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe (2 entries)
  2596 | svchcst.exe (2 entries)
  3012 | svchcst.exe (2 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 3360 wrote to memory of 2884 | 3360 | 94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe | 95 (3 entries)
  PID 3360 wrote to memory of 3544 | 3360 | 94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe | 96 (3 entries)
  PID 2884 wrote to memory of 2596 | 2884 | WScript.exe | 103 (3 entries)
  PID 3544 wrote to memory of 3012 | 3544 | WScript.exe | 104 (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe"
  PID: 3360
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    PID: 2884
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      PID: 2596
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    PID: 3544
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      PID: 3012
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
  PID: 4080
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 753B
MD5: 2db248f04fbbbbb2b2f4832fde2d38b4
SHA1: 1ca15ce47b395627bba5189f9249193c6802cfef
SHA256: 73648b1363f07d09ea723f40ed4c5a5e8c52ccafddbc27a631f6707e16bf32db
SHA512: aae35b13f9c3e67f9c0da2ffa0a7ab0cfd94085e6181192a8fe56a3f35845e76ef287ad8dd1658266d9a79621e66295d5b75bda57a0a5fc306585f1b95b9d50d

Filesize: 1.1MB
MD5: ec8158a0b538aff34a4ff4da880d8a7a
SHA1: 4a5f51cbb5cf0849e53456aa0af3983eda286b3d
SHA256: 32373ba804da6e88b438683d4242f68d1f79dad06624ee09e77c03c3b7bf5604
SHA512: c9a870966c0f9b7d1884d584ed7a7d1e32bdb267496d53a073715e69446973d137e20edcf8d4aefa58aa741bf4e70ea4b13543098d6e194be90cddb4ee373405