b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe
Size

1.1MB
MD5

2750136f497f32bba6f49bfc8c22c17e
SHA1

a02560f4835ad515dd8ae906a36032e11ffa669f
SHA256

b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302
SHA512

304ed8aaa0c6bebc409ff99af6240dab2d33e3cd5c18acfe5b6cc36227b14136516cfa8fd299df9d3a8d0824c5762f5d13a61d84e756bce09cdcc929a3534d43
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q6:acallSllG4ZM7QzMZ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2648	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2648	svchcst.exe
1884	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe
1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe
1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe
1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe
1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe
1884	svchcst.exe
2648	svchcst.exe
1884	svchcst.exe
2648	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2020	1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe	85
PID 1620 wrote to memory of 2020	1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe	85
PID 1620 wrote to memory of 2020	1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe	85
PID 1620 wrote to memory of 3140	1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe	86
PID 1620 wrote to memory of 3140	1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe	86
PID 1620 wrote to memory of 3140	1620	b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe	86
PID 3140 wrote to memory of 2648	3140	WScript.exe	95
PID 3140 wrote to memory of 2648	3140	WScript.exe	95
PID 3140 wrote to memory of 2648	3140	WScript.exe	95
PID 2020 wrote to memory of 1884	2020	WScript.exe	94
PID 2020 wrote to memory of 1884	2020	WScript.exe	94
PID 2020 wrote to memory of 1884	2020	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe
"C:\Users\Admin\AppData\Local\Temp\b98cad0071022dc71e0b2229ea88556c377d9a02f9fd3b597ccc2cf8a936e302.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1884
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5f2e3694c16bb21c5d3c1e6269c7eca5

SHA1
0d5978ee59ddf3dbb8be5b2bfbc021763ed98151

SHA256
a01b167d9f5708acf9f5114730e35a70a9be0bd44a0a2ae47218a341c48c5d45

SHA512
62ec33ecac0b0eed02a138aabe23dbbbf71567c4b7de347002415b84772d31ba50d9d5a30a7a4d1b7b7ae9307827aa47c345fb5edbe995e9945c73bb21b6a7c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
eaeffcb10e2f75fafcd4a57972ac66bd

SHA1
d09b464cdf449d9f18eae789259ecf0d9f10a1df

SHA256
6d8bf57323a93e001d7fe975844fff61f0a60dea29556bc505de839bc73db0b0

SHA512
c41209f853e924dab977fe35ad6f917a12bf3ba2824071e5ec5ab9be89ce507a18e95d0c27dcfc1f57bca6468ab4c02640f4fd3f621e4d4657fe60163ae934bf

Download Submit
memory/1620-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1884-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download