85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
Size

1.1MB
MD5

0fecbee9db43020501daa323ded7ce4e
SHA1

8ea52da7be008a8f3307b55225692b2dd2082cfc
SHA256

85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b
SHA512

2427a8fe86b8a706d0722e86b748ada83fd15ca2909430c3bcd53ab65464f13875ccd86c05227ee1f2162c137c0a1e4a69cca86746b17cdab635fbb906dd8838
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qa:CcaClSFlG4ZM7QzM5

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4496	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
4496	svchcst.exe
1464	svchcst.exe
4108	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
1636	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
1636	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
1636	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1636	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1636	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
1636	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
4496	svchcst.exe
4496	svchcst.exe
1464	svchcst.exe
4108	svchcst.exe
1464	svchcst.exe
4108	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1644	1636	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe	86
PID 1636 wrote to memory of 1644	1636	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe	86
PID 1636 wrote to memory of 1644	1636	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe	86
PID 1644 wrote to memory of 4496	1644	WScript.exe	92
PID 1644 wrote to memory of 4496	1644	WScript.exe	92
PID 1644 wrote to memory of 4496	1644	WScript.exe	92
PID 4496 wrote to memory of 1808	4496	svchcst.exe	93
PID 4496 wrote to memory of 1808	4496	svchcst.exe	93
PID 4496 wrote to memory of 1808	4496	svchcst.exe	93
PID 4496 wrote to memory of 3204	4496	svchcst.exe	94
PID 4496 wrote to memory of 3204	4496	svchcst.exe	94
PID 4496 wrote to memory of 3204	4496	svchcst.exe	94
PID 1808 wrote to memory of 1464	1808	WScript.exe	97
PID 1808 wrote to memory of 1464	1808	WScript.exe	97
PID 1808 wrote to memory of 1464	1808	WScript.exe	97
PID 3204 wrote to memory of 4108	3204	WScript.exe	98
PID 3204 wrote to memory of 4108	3204	WScript.exe	98
PID 3204 wrote to memory of 4108	3204	WScript.exe	98

C:\Users\Admin\AppData\Local\Temp\85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
"C:\Users\Admin\AppData\Local\Temp\85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1464
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b922b39aff3d7abaa510a2d7f9fb38f8

SHA1
b5d6f4a70c69a17e789bdc73fbc03c4fed51f8e2

SHA256
26bf8ddfd7432f364cf4c91e8cc23d6e5dbf876a3fc14ecf0d3f318b653d7998

SHA512
d19fdceced876b2e2352811e10baf0b30c523d9373c0c2beb8b4da8f3c99177f5df299aec713d88d0106a2659d05458989ae16267da411605ae8d4480d5614c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
39625d583a2cab94d57f26cfa53eb24d

SHA1
c9a2d2fbc7304c8e383badb3da279a6acb23ebec

SHA256
a95944ccd9702c94e0d1bbb8b7d84c228c3588380914760613e40305a2067a57

SHA512
e60105586214f5f4da3a93c78399e09d2fda682e1ce1a2d5e63af5f5340996785da297f0dd34985631e8cea6e51e97ed4d9154361e0d1ce33bcb54a99f9aedc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9136d67afa12244534a22da8f0ed9ae3

SHA1
ab878b85d682fff04de2c83d7751f44709d20d9f

SHA256
26aa03b8e86baeec4362b758d4c73f8be9ad39f97eabb2becdc32c23ae74d729

SHA512
dfddad07d3529b34d8a9ef8890c170412f45725ff5ca87ca19a5dfeefd4194f434321f181e5b9010d77e745c3645b0b1aaad2734baa59332f8981ee69f8e5b51

Download Submit
memory/1636-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download