344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd

Analysis

max time kernel
117s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
Size

1.1MB
MD5

9c7195e38abdb5efe077dda4a0282362
SHA1

1827ad89046b9634f7453da8cd86602c52209f7a
SHA256

344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd
SHA512

95197a42866be0922edcfd9f84a150f65aa8a87811d72d65a882c14c7633285df44b1dfb596bd26127d5216a7f610d1be5a4c9feea5ed37970db27193f647cf1
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q7:acallSllG4ZM7QzM8

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1812	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1812	svchcst.exe
4356	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
1812	svchcst.exe
1812	svchcst.exe
4356	svchcst.exe
4356	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2148	5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe	86
PID 5012 wrote to memory of 2148	5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe	86
PID 5012 wrote to memory of 2148	5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe	86
PID 5012 wrote to memory of 2400	5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe	87
PID 5012 wrote to memory of 2400	5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe	87
PID 5012 wrote to memory of 2400	5012	344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe	87
PID 2400 wrote to memory of 1812	2400	WScript.exe	89
PID 2400 wrote to memory of 1812	2400	WScript.exe	89
PID 2400 wrote to memory of 1812	2400	WScript.exe	89
PID 2148 wrote to memory of 4356	2148	WScript.exe	90
PID 2148 wrote to memory of 4356	2148	WScript.exe	90
PID 2148 wrote to memory of 4356	2148	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe
"C:\Users\Admin\AppData\Local\Temp\344d771e645dc18532605c3cd375c6569a2b110d437203dbb70c0b503f64f6fd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8e5fd580553a2dd930b1558820874807

SHA1
f9dff6a2ab26b58fab67ddc2258f2ce56f00ee04

SHA256
adff8de3d047c0f4cb63c1a37741d5bc7ba77931f1a67448969743464756c66e

SHA512
421d96bcbb4014fdb9762e81885391cc0e2abde25a107c2621962bd404fc11c0803b0fc314416bedd1f66d944ee199e89b1f13d6241c61febb14c5d2d141aa60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
de14ea6c2ccc6426eb023ad76634b1a9

SHA1
82c304bbd03a0f5920272afc5f33d40bb6c95bba

SHA256
82dbb51116151b39d01e724aa5813a98663a94728f23289131657eb1b2d38695

SHA512
c7128282a8c5866fe988b84b9ed0173c866ebd6ba0c17cf1da559c2005ae86ba6cc42d6e643918926f852bff28d0ef673d6eae0d090e91fbc12823ff913803e7

Download Submit
memory/1812-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4356-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5012-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5012-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download