4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f

Analysis

max time kernel
136s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 17:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
Size

1.1MB
MD5

f9ba6348c07339bdb3321e2b26e3f7ae
SHA1

6eb9d1c03f4f99813c3908e746cd652165c8dc17
SHA256

4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f
SHA512

d07efaf2a56b87d8c31b8192df7f13ce3264794298b8b2d965a53abb2ab8cb9ec9d65036379f9d79b3b4cf5c12e6b81c557d46b089e787cbdab03c4be72bc87b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qo:CcaClSFlG4ZM7QzMv

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe

Deletes itself 1 IoCs

pid	Process
2404	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2404	svchcst.exe
3012	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
2404	svchcst.exe
2404	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 4676	2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe	93
PID 2904 wrote to memory of 4676	2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe	93
PID 2904 wrote to memory of 4676	2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe	93
PID 2904 wrote to memory of 1236	2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe	94
PID 2904 wrote to memory of 1236	2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe	94
PID 2904 wrote to memory of 1236	2904	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe	94
PID 4676 wrote to memory of 2404	4676	WScript.exe	101
PID 4676 wrote to memory of 2404	4676	WScript.exe	101
PID 4676 wrote to memory of 2404	4676	WScript.exe	101
PID 1236 wrote to memory of 3012	1236	WScript.exe	102
PID 1236 wrote to memory of 3012	1236	WScript.exe	102
PID 1236 wrote to memory of 3012	1236	WScript.exe	102

C:\Users\Admin\AppData\Local\Temp\4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
"C:\Users\Admin\AppData\Local\Temp\4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
1⤵
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
96a9234642395f66bd03588f8877853f

SHA1
e063677bc769a4d71130e4d672aef697ab3d8d6d

SHA256
e6c106a1a116fb29b60469129ed51a90c40bb8402105ff6281dfff83cfd52d79

SHA512
2ceecb35f6eac9fb0c6a3df4bf5e7fb5b24f0542a44162a0913eacd3c44554561474ef9ce42a9fb4f4f44b7d639b4c4625e890c10274e10256964f41257b0e51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c08b6b1df60fa2a7e4908fbaa260fe2d

SHA1
79cf0abca4f1ee4558f5c27aa9fcd0da8072c9fd

SHA256
ac241a9505bf2d69044f7f4b06c6b804aa4caf5db9144379c0dfe8fb76c5fff1

SHA512
8ae97b6b6a97c5e2b3a1cf9362fc694e392650c9214df5c22236de8b479fa42b1c1d1aebcfebd4306afb730e82b3f72b4f0da69fb09bf392a68424d899790afa

Download Submit
memory/2904-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download