Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-09-2024 15:11

General

  • Target

    d2fcd384dc21870405652958c1133e7b629e80a7e326d2892a82bf97c8300d5e.exe

  • Size

    1.1MB

  • MD5

    c6819887ebfaf9a28fe67c0e3e392675

  • SHA1

    ad0ee2d1c899a22f6f32988baed17f6085f31503

  • SHA256

    d2fcd384dc21870405652958c1133e7b629e80a7e326d2892a82bf97c8300d5e

  • SHA512

    a134b06c82dddd91e0d27a61fe1417d4f96342f01f187b76c07db5ab8e096262d87cadb678ac0f2cea04d70cf4476e0532efde1de0fae79b6ac9b22eb7ad7eef

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qb:CcaClSFlG4ZM7QzMs

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2fcd384dc21870405652958c1133e7b629e80a7e326d2892a82bf97c8300d5e.exe
    "C:\Users\Admin\AppData\Local\Temp\d2fcd384dc21870405652958c1133e7b629e80a7e326d2892a82bf97c8300d5e.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4032
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4920
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4936
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:396
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1164

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    3e007f2d1f01ab038d8714c1008d79b0

    SHA1

    aec7f3732303ec576e198ee6731b8519af13a32c

    SHA256

    faacd96be15625511c1d27d27112bf5e2828475a9f3a568b9de6452a54ca0fe2

    SHA512

    a5cba2cb4e1e2e03b16933faee70642118bc2d0da9b0e960a5427ba00a046785031b2519420f410179ebf7853345f8432f4b38bbce7dfe2a7f4e175f7006edf7

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    072a46f071251f08c67b3aba4c983435

    SHA1

    371837f885eac20c802901026d2e7aa1d4f6cd5c

    SHA256

    0d0a8daeceed64600e817a5a0437a39048c52e857868a35d9130d42fdfa896ed

    SHA512

    e3d35d428a29eec047b0cc43c87aa701eed81e9efe921b4ef13fa2e8e24ef11ce602bd67868b7ad1bdbd9f39eb681a8c95c715479238a2f17c17105ea4653c83

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    f57f68a3a817c752fcd21e488dd914c0

    SHA1

    856161ed67f7df891de356e44f43a2d12dad1fab

    SHA256

    9ad57beb92923f612febcb9f25e49d9d7400ae8b0d6b7533a58aedaa30e38e8e

    SHA512

    3f5893f5ebb692b7e8f3a805d02012aace8df971a7ae6b0507b86d8df0fdee98c21d562db5325c30978e8f6f1b0a46511e5e808c4244076a3d4c715224dc2afa

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    e75bd2c635b6494f56c38027b6fd3b66

    SHA1

    6819ca77be8fdd2ba51b66fb7fd3979dd916c63c

    SHA256

    49097c0fd4ecf20cac6028c94af5f9263e332dbe9a23cf428cc4f8bb8c53d233

    SHA512

    9b747d9536c105ea04dd556d6aa0fd0cda59e178b203af5f6f00a9870e791ba240fbc4b2169047688a78b6fda1deefdfe424bafd435bcf9730d71dc6b9c3574b

  • memory/3460-8-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB