c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e

Analysis

max time kernel
92s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 15:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe
Size

1.1MB
MD5

e6263da0167497a840ae92b28e1cd565
SHA1

e3a2981bc6c0a86f8d446bf19ec10c5a2b7a1ddb
SHA256

c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e
SHA512

699285b4bf6c0022b12dd06a0b6a44cfc444b9c8cd89f1083cbe7f45136ecce0f7c913aedc436e1e88e106b849af59bccc23967b6078d6fe68b85eb69cff104a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q4:CcaClSFlG4ZM7QzMP

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe

Deletes itself 1 IoCs

pid	Process
2988	svchcst.exe

Executes dropped EXE 4 IoCs

pid	Process
2988	svchcst.exe
3544	svchcst.exe
3764	svchcst.exe
440	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe
772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe
772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe
772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe
772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe
2988	svchcst.exe
2988	svchcst.exe
3544	svchcst.exe
3544	svchcst.exe
3764	svchcst.exe
3764	svchcst.exe
440	svchcst.exe
440	svchcst.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 3632	772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe	86
PID 772 wrote to memory of 3632	772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe	86
PID 772 wrote to memory of 3632	772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe	86
PID 772 wrote to memory of 4992	772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe	87
PID 772 wrote to memory of 4992	772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe	87
PID 772 wrote to memory of 4992	772	c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe	87
PID 4992 wrote to memory of 2988	4992	WScript.exe	93
PID 4992 wrote to memory of 2988	4992	WScript.exe	93
PID 4992 wrote to memory of 2988	4992	WScript.exe	93
PID 2988 wrote to memory of 3756	2988	svchcst.exe	94
PID 2988 wrote to memory of 3756	2988	svchcst.exe	94
PID 2988 wrote to memory of 3756	2988	svchcst.exe	94
PID 3756 wrote to memory of 3544	3756	WScript.exe	97
PID 3756 wrote to memory of 3544	3756	WScript.exe	97
PID 3756 wrote to memory of 3544	3756	WScript.exe	97
PID 3544 wrote to memory of 2088	3544	svchcst.exe	98
PID 3544 wrote to memory of 2088	3544	svchcst.exe	98
PID 3544 wrote to memory of 2088	3544	svchcst.exe	98
PID 3544 wrote to memory of 3804	3544	svchcst.exe	99
PID 3544 wrote to memory of 3804	3544	svchcst.exe	99
PID 3544 wrote to memory of 3804	3544	svchcst.exe	99
PID 3804 wrote to memory of 3764	3804	WScript.exe	100
PID 3804 wrote to memory of 3764	3804	WScript.exe	100
PID 3804 wrote to memory of 3764	3804	WScript.exe	100
PID 2088 wrote to memory of 440	2088	WScript.exe	101
PID 2088 wrote to memory of 440	2088	WScript.exe	101
PID 2088 wrote to memory of 440	2088	WScript.exe	101

C:\Users\Admin\AppData\Local\Temp\c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe
"C:\Users\Admin\AppData\Local\Temp\c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3632
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3544
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:440
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a7abbe21bd06224da6044ceefc079882

SHA1
45948d51fb8d65cd1032448311043927dcfa0d2f

SHA256
5f4905388f1de9cd98bc931f1f041dd2543394219661a271c11fff5b0d8222b2

SHA512
3371b7d36aadb7aa31617ba0d8cb23e2ccd36c8268946e8ec526e98e61d0312622b089331f05a36775fd59174fa8a68595e664a665feeb9afce17c906a8b1bd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4d97ecef19940535798faecb205319a8

SHA1
4fbb5af7415871fbaf15f759bd361715e5a3b1f5

SHA256
70cb0701a840f615f38917881651a7fb3a45309b84582603357b21d2290d556e

SHA512
81196b488b44ca806909837669ed7cc37d8d13f2aa40f4f5f7f1cddcbc51c6ef6e5e9a86811b262ca9f0dd9faff2ced3ce294c3c7f8e2db671137c634aea3c21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
17c8751e706958d0c74541d83d9c9223

SHA1
42b6b7a030727fe981eefeed29eac1c1ada7d43e

SHA256
5ecf65d204a646f6779b0a596d3adb7b923354a2a48fe26a51ac4589844268cf

SHA512
31766219ec49f05dd4c800a3388d58a29b2e3fe0bfeea22acb89c9d2f2423b036aceb9d44756d168b56651df33b1cb64b38c70cf22561221e4c6ade4d3f1b856

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
630c248de317e8ab7e4c1d751bff1ee0

SHA1
4e8d10169cde22adbbca2da6c9abd50b174ac404

SHA256
bf8647a1b7477bdd4be8cde2d87d7d987e2409c573e6723f914023a93d35d252

SHA512
7fab8c2ed31e548939b888af684a90bcda1ee086395f50343fb527c73f75a0eae7bc6593ef7a3f359ff1d6c4053d59477d646f16af862d1760ea5816cb39ba8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
78c69b37e2a1cd5907afb4522b8c3943

SHA1
e9e654aa1010bf98e0bacb636fa83a237997b4ad

SHA256
dab954aaf8c068ff45404f6cda4627ab9488e7d838c8b1779a140ae28b5d9003

SHA512
0c8e5b5098ab2d9d5011a172208759ca4673015a00fa8735aa76d95dee612c83fb8df95241f71bbd930bb96bfcc432741ffa0a31c10035b24555b43088dea4f4

Download Submit
memory/772-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download