f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e

Analysis

max time kernel
95s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
Size

1.1MB
MD5

e73af20e87412f354e2e080280a9bdff
SHA1

d9d82c249f6ec0e337acfc040103047b891246bc
SHA256

f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e
SHA512

fd9423a302ede6b2b5dd6cb080affcd1d4db803fae5e5e926e2c882e5aec2b4cc9d5502b13d1c406eaa93ba91ded0431928637feeb76c60c0e3aafc0b5eb049a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qd:CcaClSFlG4ZM7QzM2

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1448	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1448	svchcst.exe
4456	svchcst.exe
2456	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
1448	svchcst.exe
1448	svchcst.exe
4456	svchcst.exe
2456	svchcst.exe
4456	svchcst.exe
2456	svchcst.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 3028	3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe	84
PID 3148 wrote to memory of 3028	3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe	84
PID 3148 wrote to memory of 3028	3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe	84
PID 3148 wrote to memory of 3488	3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe	85
PID 3148 wrote to memory of 3488	3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe	85
PID 3148 wrote to memory of 3488	3148	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe	85
PID 3488 wrote to memory of 1448	3488	WScript.exe	93
PID 3488 wrote to memory of 1448	3488	WScript.exe	93
PID 3488 wrote to memory of 1448	3488	WScript.exe	93
PID 1448 wrote to memory of 4432	1448	svchcst.exe	94
PID 1448 wrote to memory of 4432	1448	svchcst.exe	94
PID 1448 wrote to memory of 4432	1448	svchcst.exe	94
PID 1448 wrote to memory of 3972	1448	svchcst.exe	95
PID 1448 wrote to memory of 3972	1448	svchcst.exe	95
PID 1448 wrote to memory of 3972	1448	svchcst.exe	95
PID 3972 wrote to memory of 4456	3972	WScript.exe	98
PID 3972 wrote to memory of 4456	3972	WScript.exe	98
PID 3972 wrote to memory of 4456	3972	WScript.exe	98
PID 4432 wrote to memory of 2456	4432	WScript.exe	99
PID 4432 wrote to memory of 2456	4432	WScript.exe	99
PID 4432 wrote to memory of 2456	4432	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
"C:\Users\Admin\AppData\Local\Temp\f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2456
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ba9b986943e51a0c880f9b109fcd4e1a

SHA1
fb97d8a776efbf5cdc79887b88582364a89876ec

SHA256
d0b3ccadcc907efd1d7fd40bf40d71ed97ada8c1e2315484e88a57917c9b6b66

SHA512
831ff7545bda9dda651c0bb80a96dad0c97e83fddcf3e601bc33a5ff858efa36518a98979a3af2ffcf8b5915ce4f40563ce14e6de8c4e205f15097fa07767d83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
87ac4c872a7e59ef3ce2521724b4594f

SHA1
b115217a26eeba3ff55c93b144596566106a0461

SHA256
219ba2d26cd7ff5c5566c665103f91ac2134c67e148986af7ef4643d89c996a2

SHA512
4263f1a342ff721d2393e3105d7a49d791c230f5ec5bc04d334ccdbc5593aa37664794de98d1ba99cdbb2e10c857d10574f2cfd43ef6370c4dbba5dd08d0d069

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ed0721bd346046200423200aefcd8cfa

SHA1
1e9d990793a4fe57dbe7d2914e6a62b29f17e760

SHA256
8cc7f4f91d83717504175529ea6bd529dca8d0033d201e88b2857c3675aac822

SHA512
2b16e3b8ca17103b2961a67df7a893d4564eeb17c6296b59bbd7e6d55a00c130603e4c3fa57676744b3ecb92175d57aac82c1152ad97cb39308c7b401b7cb35c

Download Submit
memory/3148-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download