a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e

Analysis

max time kernel
93s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
Size

1.1MB
MD5

7618446ec2f789bf7ac8574974e8fc15
SHA1

2fbbdf47ead354d51ade6024376265ca33e4c968
SHA256

a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e
SHA512

c4a93d9d0c53e21313612f7a0b2779034d3e457f59da32069cd46f0027e768ecef0ba91b662aaa02aaf2443fe3acde10acf37afe80c86a21afaff58719d0ba4b
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qg:acallSllG4ZM7QzMn

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3612	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
3612	svchcst.exe
3992	svchcst.exe
4844	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
2944	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
2944	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
2944	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe
3612	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2944	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2944	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
2944	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
3612	svchcst.exe
3612	svchcst.exe
3992	svchcst.exe
3992	svchcst.exe
4844	svchcst.exe
4844	svchcst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2468	2944	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe	88
PID 2944 wrote to memory of 2468	2944	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe	88
PID 2944 wrote to memory of 2468	2944	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe	88
PID 2468 wrote to memory of 3612	2468	WScript.exe	94
PID 2468 wrote to memory of 3612	2468	WScript.exe	94
PID 2468 wrote to memory of 3612	2468	WScript.exe	94
PID 3612 wrote to memory of 2988	3612	svchcst.exe	95
PID 3612 wrote to memory of 2988	3612	svchcst.exe	95
PID 3612 wrote to memory of 2988	3612	svchcst.exe	95
PID 3612 wrote to memory of 3852	3612	svchcst.exe	96
PID 3612 wrote to memory of 3852	3612	svchcst.exe	96
PID 3612 wrote to memory of 3852	3612	svchcst.exe	96
PID 2988 wrote to memory of 3992	2988	WScript.exe	99
PID 2988 wrote to memory of 3992	2988	WScript.exe	99
PID 2988 wrote to memory of 3992	2988	WScript.exe	99
PID 3852 wrote to memory of 4844	3852	WScript.exe	100
PID 3852 wrote to memory of 4844	3852	WScript.exe	100
PID 3852 wrote to memory of 4844	3852	WScript.exe	100

C:\Users\Admin\AppData\Local\Temp\a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
"C:\Users\Admin\AppData\Local\Temp\a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3992
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
45ab05c1ef1f51c4de0809fd2952e6fc

SHA1
0bb4437766b1800a391ca6b9af578830e6c5fe10

SHA256
fba8f714d11c4548783892f368bebd1b0d90aee297afb3cd7f58c671cf0d7d9b

SHA512
5bd8109870f4046c5b01f5f9efde6a1624472d5924a795cd978ea5a40e7990f881e459175fbb904cbf54c12bdc5785c48caa3986897e3db0ca0e94f41a44302d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0cfd38dcb51f1d2816be3ec8b0e8d3d1

SHA1
1a2a867426cfb8c7cb4239b02a4445581bca6b4e

SHA256
4858168966a9afbf2f200bb492f3ea64c22242f4eab2e9c4538341d0f52044a8

SHA512
3b7f917b7a3ac3167027feb75db620b5886b1365761fcabd7f182f96a99080a75b14a53f7a5cf01e7f203a37a17b7fa85f8b02baf0df9c045dce965964838819

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7c5a851f9b4842276e9555f8dff75b0a

SHA1
11e20bd8a6ab21e36ca5dd4cba2af2cc9bc814bd

SHA256
a464102948f6917c9962d3055143f86db77d8aa51436af26dfd5606cfb8e2ba5

SHA512
df0a59aae05ea65d70cd89f27278527c06bbb2f4171357299e0af68a5610dded0babace12032bf51af031a18add426b6b31787e91a89210461086cba66d02879

Download Submit
memory/2944-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3612-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3992-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3992-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4844-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download