9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d

Analysis

max time kernel
95s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
Size

1.1MB
MD5

f3ade788763f98cc17ea40feeb687df3
SHA1

b0e2023d1ecc4cc540eb95bb0314aaca137dee9a
SHA256

9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d
SHA512

aafa3d861bb070ab47c8de98c824ab5657d7e3dec969a17c0a737d47b22c843b6a6c256f805152535106d3a90a64ecf91c64758407e8bff14d076c769ce1d982
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qx:CcaClSFlG4ZM7QzMC

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3732	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2660	svchcst.exe
3732	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe
3732	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
3732	svchcst.exe
3732	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 4408	2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe	86
PID 2800 wrote to memory of 4408	2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe	86
PID 2800 wrote to memory of 4408	2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe	86
PID 2800 wrote to memory of 1120	2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe	87
PID 2800 wrote to memory of 1120	2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe	87
PID 2800 wrote to memory of 1120	2800	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe	87
PID 1120 wrote to memory of 3732	1120	WScript.exe	93
PID 1120 wrote to memory of 3732	1120	WScript.exe	93
PID 1120 wrote to memory of 3732	1120	WScript.exe	93
PID 4408 wrote to memory of 2660	4408	WScript.exe	94
PID 4408 wrote to memory of 2660	4408	WScript.exe	94
PID 4408 wrote to memory of 2660	4408	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
"C:\Users\Admin\AppData\Local\Temp\9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
f1510224a4ef83b732317dae87e0e2b8

SHA1
91b51d7fe36ec6dbc7898eaf7220e295e94f3e8a

SHA256
6cff0f613682ae0d53c7aa9f6457b72420ca84e9caa9bcb1cffee40d0e9ef6e6

SHA512
e26da3ab533c558e89f8cf9ee74444b33d5118d7f2571439ef7aa0da36dee8c44e75bcb8e086a90dc5ee520e45db7f98bd29b7a2cef4927d3cf1a287a38606ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f3efd4e73024163e3b78b3082c17f508

SHA1
459e65c7f33478b4d5c2575a0c5ebf82644aee6a

SHA256
536f66f03073cb11b43e37e43508d1220e9fd3a6efc3f86a1c80ae8abccfb35c

SHA512
142939becc1b464933120dbb2ffdb1583f5009b28d3f71db418cda60cbfbd2c83660b7f9a8e267c5dbf1ef5ad5197371030a0c923151113b9012fac9529ed81c

Download Submit
memory/2800-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download