0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe
Size

1.1MB
MD5

27419bfefe076b915dbd3f6513e99c88
SHA1

2930539ccf4360129b9930038da057fa0658c3ed
SHA256

0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1
SHA512

ddda681bc5b3a32865864979583e424c82d28d9ce32a43dbbef8e80a8be9884d9ae4cc9a2c93e09d99b847c8c5257aa726efe179449c6f75f2a28ee62aa46930
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QG:CcaClSFlG4ZM7QzMd

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2952	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2952	svchcst.exe
2988	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe
4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe
4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe
4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe
4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe
2952	svchcst.exe
2952	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 2248	4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe	87
PID 4964 wrote to memory of 2248	4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe	87
PID 4964 wrote to memory of 2248	4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe	87
PID 4964 wrote to memory of 4544	4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe	86
PID 4964 wrote to memory of 4544	4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe	86
PID 4964 wrote to memory of 4544	4964	0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe	86
PID 2248 wrote to memory of 2988	2248	WScript.exe	92
PID 2248 wrote to memory of 2988	2248	WScript.exe	92
PID 2248 wrote to memory of 2988	2248	WScript.exe	92
PID 4544 wrote to memory of 2952	4544	WScript.exe	93
PID 4544 wrote to memory of 2952	4544	WScript.exe	93
PID 4544 wrote to memory of 2952	4544	WScript.exe	93

C:\Users\Admin\AppData\Local\Temp\0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe
"C:\Users\Admin\AppData\Local\Temp\0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
9a6b5ed13ee351fe96cdd5541f4cdea3

SHA1
3ab5d63e9e0ec54a4851ad3c4078fdc990088ba1

SHA256
82eb983e9984e369c4bf62472e25c787cbb0c2828363ac77aa7b9ffddfc44a82

SHA512
3461bd62b32acca54ca0d7baaa57bf69a0e4c24dc81b56887152871af6084952eb6cd925cb0750941424266c4da92375347d183a6f6f14452937ccc7eee5e05a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5fff95479822e7523a658f15c2b9be13

SHA1
acc9c702208f3fc10b8b34e52a79d213def3f7bb

SHA256
e2af47da544e5b4cca8fd06ae75477a20197986a9bb9b4127c8160fd8cdbd065

SHA512
26a4a9c0931a8ddfdd28628452b384e7761721058b190806040be271b3c91764dba8763d4f07c9595b5f6290cd5c855edf5a343a2ff7b689e261ae2796eccecd

Download Submit
memory/4964-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download