c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d

Analysis

max time kernel
117s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
Size

1.1MB
MD5

bceb8935ffcaa966cfe7956865070c3c
SHA1

ee43801806db0062b521e2ffc4e63eca93d44027
SHA256

c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d
SHA512

d60074960825f33ddbdf8f8e83e4a33ee89cd30969b40a09387515381b6783d06dc1eb3592b8c921eed4dc01385f19b493889b6242e7765c2c35e1079727aaa2
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qh:CcaClSFlG4ZM7QzMC

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
4596	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
4596	svchcst.exe
2480	svchcst.exe
4488	svchcst.exe
1372	svchcst.exe
2216	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
2972	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
2972	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
2972	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2972	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2972	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
2972	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
4596	svchcst.exe
4596	svchcst.exe
2480	svchcst.exe
2480	svchcst.exe
4488	svchcst.exe
4488	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1648	2972	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe	86
PID 2972 wrote to memory of 1648	2972	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe	86
PID 2972 wrote to memory of 1648	2972	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe	86
PID 1648 wrote to memory of 4596	1648	WScript.exe	89
PID 1648 wrote to memory of 4596	1648	WScript.exe	89
PID 1648 wrote to memory of 4596	1648	WScript.exe	89
PID 4596 wrote to memory of 856	4596	svchcst.exe	90
PID 4596 wrote to memory of 856	4596	svchcst.exe	90
PID 4596 wrote to memory of 856	4596	svchcst.exe	90
PID 4596 wrote to memory of 4476	4596	svchcst.exe	91
PID 4596 wrote to memory of 4476	4596	svchcst.exe	91
PID 4596 wrote to memory of 4476	4596	svchcst.exe	91
PID 856 wrote to memory of 2480	856	WScript.exe	92
PID 856 wrote to memory of 2480	856	WScript.exe	92
PID 856 wrote to memory of 2480	856	WScript.exe	92
PID 4476 wrote to memory of 4488	4476	WScript.exe	93
PID 4476 wrote to memory of 4488	4476	WScript.exe	93
PID 4476 wrote to memory of 4488	4476	WScript.exe	93
PID 2480 wrote to memory of 1408	2480	svchcst.exe	94
PID 2480 wrote to memory of 1408	2480	svchcst.exe	94
PID 2480 wrote to memory of 1408	2480	svchcst.exe	94
PID 2480 wrote to memory of 1524	2480	svchcst.exe	95
PID 2480 wrote to memory of 1524	2480	svchcst.exe	95
PID 2480 wrote to memory of 1524	2480	svchcst.exe	95
PID 1408 wrote to memory of 1372	1408	WScript.exe	96
PID 1408 wrote to memory of 1372	1408	WScript.exe	96
PID 1408 wrote to memory of 1372	1408	WScript.exe	96
PID 1524 wrote to memory of 2216	1524	WScript.exe	97
PID 1524 wrote to memory of 2216	1524	WScript.exe	97
PID 1524 wrote to memory of 2216	1524	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
"C:\Users\Admin\AppData\Local\Temp\c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1372
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2216
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ddf22c94ca3f68699654d51f03987b46

SHA1
f7404f6800ec37a56ba953b0c0eebaad7b407a08

SHA256
82507827669bfc48855e9126f3f0e5492c7e74d75624dd9ff573bfcd5c18a0ab

SHA512
ccf81f7236f20f786dfd277c268210039b3e97640d81751f721eae5f9f89f599407acdc15d88a2d9b91c1008e37a6173092bfb919698c615b168be98d2a4b76c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5200291c61f8a54498d5ea3882597c4f

SHA1
7faf4fa36d25b6e6a25fa637cd4d565bacfc98c9

SHA256
370d3f0009b4f5179e917aaf335aa8267dd7e03688f0fff18f72d7d7af43d55f

SHA512
7fab6730403115fe4a56ca1d5d9056a0796ca40f75c0499cb0a1d7cb77ad696163f960414f3248c7893a1cc99dadcdb73251603bca50a54668b45b79bc62b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2c372cc7d93ac8897da52b91e115148d

SHA1
48b47de6f3ecdc553f65fd06667c0c17e1221533

SHA256
97ece5faf63d85849c3b43762a0379d8720db8069246965e0c23939f1893d126

SHA512
9ed21c4aac07ed0492707fb97430a2601af266d6f546a4e915fd7901e439a77b811bad4a5fba53af80a72abd0c751c73465fbb3d36794f4b3a8d5dfdb4a70576

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
31ed8b144c74b18077f15dfa6bdfca54

SHA1
b283aefc7186b97252485a0d54ef579fbf163cb6

SHA256
2e002130529f023a3274fdaf652a976e9744f8b43aa48ccd4c2ff987a5c77c79

SHA512
0f7c035eb12e69ff2dee5bb08d6658d7f2a90d9b800cabc6ee82d953da9754ceb088ec2d57a2d13c3fd6a3cddf0f4a5cf282d74d6add9b9b32241dc8986fae24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9579042257f31676f6f41631d3e17559

SHA1
ade52d61a2766b41d50931acef9a7a7b86c80594

SHA256
4ea8676ed8732f6f6abe1e5a059bcfcc5d049ba622d45b4669cb89386499f0b0

SHA512
65589b8d1340ab7fa0f21b52a83879f459535775f4a13260ac8a21c607525270fcfb713af386addb020b0a3be60002589715d9221c6ada9dd52bcef678946f74

Download Submit
memory/2972-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download