9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207

Analysis

max time kernel
94s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
Size

1.1MB
MD5

e0608aa6ff2b004c9e62926b12b65c55
SHA1

33ead8da20f7c1dd6981a7bfb3967c6f3919657f
SHA256

9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207
SHA512

10219ceb8eb0f95c7e4b47690defe841fe76d183285a1af57c1c73f4cb2428c84e4d50cca93623551a8ea04d5204caa03c118340f97603fc93e40a55c1be905d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QN:acallSllG4ZM7QzM2

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4600	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4600	svchcst.exe
2408	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe
4600	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
4600	svchcst.exe
4600	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4924	3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe	87
PID 3952 wrote to memory of 8	3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe	86
PID 3952 wrote to memory of 4924	3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe	87
PID 3952 wrote to memory of 4924	3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe	87
PID 3952 wrote to memory of 8	3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe	86
PID 3952 wrote to memory of 8	3952	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe	86
PID 4924 wrote to memory of 4600	4924	WScript.exe	93
PID 4924 wrote to memory of 4600	4924	WScript.exe	93
PID 4924 wrote to memory of 4600	4924	WScript.exe	93
PID 8 wrote to memory of 2408	8	WScript.exe	94
PID 8 wrote to memory of 2408	8	WScript.exe	94
PID 8 wrote to memory of 2408	8	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
"C:\Users\Admin\AppData\Local\Temp\9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2408
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
717e3640ff6bce0b0da67d0e6f289b46

SHA1
ee26a8ee1e30d8411375d3d226ed12dbac7d7bca

SHA256
f0fa11af517795d21bc33692da5d05d0d09f2f61c3da135955ab00432b70c977

SHA512
9e68a821e00585025f0332304c50e34968ce697aea6592cf4c12a0515139b8eba7bec071aebaa250b80a7d79c79758361a39f5150d8fc31562e5a20cd3027af3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
aed55f6448026ba45e00c54804c56b07

SHA1
c1a3a38f9c1a71a35608ac27534cad2f19e35c98

SHA256
2fdea6c02f2032a73678251bca221c6d682849cb23e9a624aeb79e8e5616c96c

SHA512
19d5f6c6b4eee40ffc7eedda31e347a9218ae950f7f56b2d08570455e669455ececfe85daa9e89f1b4e03ceb0a59a4163ea0e27daad633554a25842b464e760f

Download Submit
memory/2408-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3952-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3952-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4600-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4600-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download