b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 22:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
Size

1.1MB
MD5

65d70712a640e33fab38931fdb08d0e8
SHA1

db8af98f6e849623735f498c30dce768a567ae3d
SHA256

b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d
SHA512

9bef56dcde77fa760810ca593c0d834b6ebb10a617c42c0a82ae5c12cdfac1fa06c6fd04cab772eb48a01c12f986ee0cdd42a88cf5bec92e2ebdcb335187671c
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qc:acallSllG4ZM7QzMb

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1816	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1816	svchcst.exe
3288	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
1816	svchcst.exe
1816	svchcst.exe
3288	svchcst.exe
3288	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4860	3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe	87
PID 3400 wrote to memory of 4860	3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe	87
PID 3400 wrote to memory of 4860	3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe	87
PID 3400 wrote to memory of 4344	3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe	86
PID 3400 wrote to memory of 4344	3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe	86
PID 3400 wrote to memory of 4344	3400	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe	86
PID 4860 wrote to memory of 3288	4860	WScript.exe	92
PID 4860 wrote to memory of 3288	4860	WScript.exe	92
PID 4860 wrote to memory of 3288	4860	WScript.exe	92
PID 4344 wrote to memory of 1816	4344	WScript.exe	93
PID 4344 wrote to memory of 1816	4344	WScript.exe	93
PID 4344 wrote to memory of 1816	4344	WScript.exe	93

C:\Users\Admin\AppData\Local\Temp\b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
"C:\Users\Admin\AppData\Local\Temp\b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a1ff7d486ea3bbad5b11656dcacefbf2

SHA1
5a726f25de9383995e1621d198ba6592f2c80c9f

SHA256
4c50322bc7db5c66e0bd310ddc0972a14d50d099e719eb2b4d4f45db9b402cbf

SHA512
8ebedb16a6228ee17c0a57606003faa902dc857dc553c7854f0e83ae1171dc31c5c13a5a40e5e5c2b1b632e480f04c9dbb5d7277bcfc7a11a0d3d032b7e6921e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6a13c37b2ad4c72164b20cae675066d6

SHA1
b5e5452358d53f11c1fe90108dfd4a6644164baa

SHA256
662fbe40f03a676498ba58c068e1425cdfdcf47d66b34849473a96aa5ea9be49

SHA512
33d98d200873d4cd1e05ad710e45a0aace51aeaa0df74fd22cce4274b31c14d4d13a65288828c52cdc697082b8018f1713d613fc22da5bb2475143a87fd161c5

Download Submit
memory/1816-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3288-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3400-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3400-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download