a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe
Size

1.1MB
MD5

87b6af31283308e9435d8de4020f735a
SHA1

d95e4c0a3e9d9c72eee68fa7dfd2b475ad8aa988
SHA256

a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81
SHA512

b2de0ae35370d6e4fb3a84a52e16aaf2536d82664b2cd1474ee5ce5f1a8281ec23f45a64163ce601abb199e30a29037dd26943305704dbcfddfbd771c0763986
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzMr

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4688	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3240	svchcst.exe
4688	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe
1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe
1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe
1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe
1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe
3240	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
3240	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 3012	1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe	86
PID 1344 wrote to memory of 3012	1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe	86
PID 1344 wrote to memory of 3012	1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe	86
PID 1344 wrote to memory of 2056	1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe	85
PID 1344 wrote to memory of 2056	1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe	85
PID 1344 wrote to memory of 2056	1344	a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe	85
PID 2056 wrote to memory of 3240	2056	WScript.exe	93
PID 2056 wrote to memory of 3240	2056	WScript.exe	93
PID 2056 wrote to memory of 3240	2056	WScript.exe	93
PID 3012 wrote to memory of 4688	3012	WScript.exe	94
PID 3012 wrote to memory of 4688	3012	WScript.exe	94
PID 3012 wrote to memory of 4688	3012	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe
"C:\Users\Admin\AppData\Local\Temp\a7e3093229b3f23643d5a089f26130bd73ae2a0fed9b770870a9930b2dc43e81.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5673acf1df64658fc3b5138b2a2994f7

SHA1
0e00786bacee37fdcbefafdd3e1e01786725debc

SHA256
3d5843c1e26007db935b141bd35214cc5c31190ca58bfff8e19e4078027d0bf6

SHA512
b4bbdb2ea8764e57a100975e742fe79286a941d70edde08e3cdc865bcf371050fffe77723d36b46fdf818acdb8c14790284f006215e6330c463776ab31b36021

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9bf8ae9f7ce21aa18d67ef2bca06201a

SHA1
52e0b01d1aae6e879b2bd57dd26797927e8eb78f

SHA256
5b7c9baf282280e5e7c393413801942ec381fcc4d30fc2f58166d158c2aa0565

SHA512
7ac5027c85ae7e5fbb3f5369cba78ac5cae342c069566c8011b510eba2c3c8c02c7d8b1f90064b015e1a01f8ab953506cf1eab448e251493b42318f0071a40e9

Download Submit
memory/1344-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1344-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3240-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4688-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4688-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download