277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe
Size

1.1MB
MD5

0fddd6f821103452bbde47583d04d9ba
SHA1

9249b18716a15fd91f18260f96d1474d116a56f6
SHA256

277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543
SHA512

7c2d32d9e716ea2dfe5bae96e9c9081a88a091bf965838103f1834133f5406998842aac8d028bcb483cdbadd2a89cfbb162d51015bb4d610e852e193dfd7a008
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qc:acallSllG4ZM7QzM7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2256	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2256	svchcst.exe
2508	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe
624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe
624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe
624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe
624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe
2256	svchcst.exe
2256	svchcst.exe
2508	svchcst.exe
2508	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1672	624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe	86
PID 624 wrote to memory of 1672	624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe	86
PID 624 wrote to memory of 1672	624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe	86
PID 624 wrote to memory of 5104	624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe	87
PID 624 wrote to memory of 5104	624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe	87
PID 624 wrote to memory of 5104	624	277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe	87
PID 1672 wrote to memory of 2256	1672	WScript.exe	93
PID 1672 wrote to memory of 2256	1672	WScript.exe	93
PID 1672 wrote to memory of 2256	1672	WScript.exe	93
PID 5104 wrote to memory of 2508	5104	WScript.exe	94
PID 5104 wrote to memory of 2508	5104	WScript.exe	94
PID 5104 wrote to memory of 2508	5104	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe
"C:\Users\Admin\AppData\Local\Temp\277863fca7130ec7ed80fbaf2a82eb8f3e3cc1b2bad72c4298d82be94ba52543.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2256
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
43f228f8e5929e6ec045010f544d472d

SHA1
77fa3dfa241bbdb892e203ac79ef097a5d2d32a4

SHA256
388cc2b1670442107c645f5b769f9505c7d611d416f578b9c8d180ee8e3e5ec3

SHA512
1bb0c378c19b59f429d130c3c5810f88e7a7e5086195ed6dbb7327e83db821a34cdc1b9aa60704e0095c3962f4896954f3e4eb57e2562fae16b57b1e48aa7491

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
632c9294c50ab05b2327e7e3d17aa88f

SHA1
71f9b9529e1d47b765ed9977104dd30e49c61529

SHA256
2946c0f740a19bc30e18909b2c71e4464b8194483283541624e49c41a9db1e9f

SHA512
c9b0f2d4580086106c5db08f1b3291107136a8a333ee88e612583ed400f8152c058032aaa2f8a46c92dd4408d8ea6a1eb6c15762092d6a001a248a96c5296e36

Download Submit
memory/624-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/624-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2256-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download