6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe
Size

1.1MB
MD5

0affc22adc1b63fad35ecb96278f2a7d
SHA1

be12b2ac059dc054bc252f4b884d4af82823683a
SHA256

6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd
SHA512

dcd131e1e112936cbc57673d034bb5b3e8bca7bd0a27224b4723cfb94cbde0a66e4c7d9f3215f3a11f97b6dac566834c5eff318d4781bb57146c14db9e57a977
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qu:acallSllG4ZM7QzMV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2044	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2044	svchcst.exe
1304	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe
2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe
2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe
2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe
2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe
2044	svchcst.exe
2044	svchcst.exe
1304	svchcst.exe
1304	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 3948	2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe	87
PID 2700 wrote to memory of 3948	2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe	87
PID 2700 wrote to memory of 3948	2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe	87
PID 2700 wrote to memory of 264	2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe	88
PID 2700 wrote to memory of 264	2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe	88
PID 2700 wrote to memory of 264	2700	6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe	88
PID 3948 wrote to memory of 2044	3948	WScript.exe	96
PID 3948 wrote to memory of 2044	3948	WScript.exe	96
PID 3948 wrote to memory of 2044	3948	WScript.exe	96
PID 264 wrote to memory of 1304	264	WScript.exe	97
PID 264 wrote to memory of 1304	264	WScript.exe	97
PID 264 wrote to memory of 1304	264	WScript.exe	97

C:\Users\Admin\AppData\Local\Temp\6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe
"C:\Users\Admin\AppData\Local\Temp\6909d334200f9dd5af701300d72f03581803db920ed378c5bd711127283ef7bd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
32fb29c7d0a755ae994bd721bc65b3ad

SHA1
a01d7512d7e80ea513d2b94d580c89b0f9b9c722

SHA256
8a73c564fcba40fc8e901fac2427f2377d51c0861e07e1ae74c799a210e955ef

SHA512
efc8b73ee6d6f84b7abbbf092a135e86decc87b4aa02fa2b39cfba5b2e2fcc684c681d648d334ab78aed5e2680091e9207e9f1f3650f4d0f36bf1f6b84b618a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2c539aed7eb98639acb0aae20be2392c

SHA1
2762827e0039f6dda2211779bc288a43e4acadfe

SHA256
14241b3f7b53f14b18180d72f0c437ddb5f8cb4bae6eec680e25350f781770a4

SHA512
f1409a554ac2b8d27223903c7fe82f21b1ea5f1ebfecdff48b1430c351cdf907f295007b11ec1890e15afbebb5c95c29037d8aee998941afb20149333922432d

Download Submit
memory/1304-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2044-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2700-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2700-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download