dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 12:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe
Size

1.1MB
MD5

ac05352ff87c1d53a40e0447399e54c3
SHA1

1bdcd403468131bbe5b040c4166a36afd170a7a5
SHA256

dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577
SHA512

d778d22d99bead835d1d31ef05df735e6ed0679d38815a4dfb9e4bd32fff2febcd56c0e0695ebe481979b70d066c6110f174e985083c0f35f4dac507369b2087
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qi:CcaClSFlG4ZM7QzMR

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe

Deletes itself 1 IoCs

pid	Process
3696	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3696	svchcst.exe
812	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe
3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe
3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe
3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe
3696	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe
3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe
3696	svchcst.exe
3696	svchcst.exe
812	svchcst.exe
812	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 1868	3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe	85
PID 3712 wrote to memory of 1868	3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe	85
PID 3712 wrote to memory of 1868	3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe	85
PID 3712 wrote to memory of 2680	3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe	86
PID 3712 wrote to memory of 2680	3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe	86
PID 3712 wrote to memory of 2680	3712	dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe	86
PID 2680 wrote to memory of 812	2680	WScript.exe	94
PID 2680 wrote to memory of 812	2680	WScript.exe	94
PID 2680 wrote to memory of 812	2680	WScript.exe	94
PID 1868 wrote to memory of 3696	1868	WScript.exe	95
PID 1868 wrote to memory of 3696	1868	WScript.exe	95
PID 1868 wrote to memory of 3696	1868	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe
"C:\Users\Admin\AppData\Local\Temp\dcd2aadcb1a25ac56da2e975d5e91a0d58816ba99f4bb010a238b9d74f28b577.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
964c12e6e714dde6c7aad6cbe8883d94

SHA1
074a344d6bde7a148d4057bd7925a5f96d378bcc

SHA256
67e880affded6536f9d1f6f5c75cb67348ef6cbd2d5f23b2cc037c2f4008406d

SHA512
0a56196fce9f233194ec229428db6888e1d8276c9d81f311803d34aa334eb3178c171b37ae61b7340118af863716aaa401a99f075f75a374260e061b914373e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c89f9ff8ef448219d5dbf0bf340f6c1d

SHA1
2505f6eb19e0857f26a25d7d1d4837299c7ff6b1

SHA256
66be32572ac847bb5f7e7092a7c2b983fa44b18521b44275d82b277862f4594b

SHA512
9bd81e2c3bead7057c15c8c78e5c0701f326fb374ea58c85755a1dca85b86db62132eefe9b222dedd5c24dcb10fde688772e1cff4d70633074d12d5fbdcd0a4e

Download Submit
memory/3712-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download