31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
Size

1.1MB
MD5

457ab0703a43880417c382e283a9965c
SHA1

d6143419a6f4becc6cb81d193f9f7b0fbf878710
SHA256

31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5
SHA512

46c79266823c5a5dc26d3dc40b06410ebe454aaf68f6ba751763eec55e1a128bf4642b7c27d055d93fb3a857f6268be94a4b3dd69845b5c6dd378e595a14358b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q6:CcaClSFlG4ZM7QzM5

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3524	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1628	svchcst.exe
3524	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe
3524	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
3524	svchcst.exe
3524	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 4760	736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe	86
PID 736 wrote to memory of 4760	736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe	86
PID 736 wrote to memory of 4760	736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe	86
PID 736 wrote to memory of 3004	736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe	87
PID 736 wrote to memory of 3004	736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe	87
PID 736 wrote to memory of 3004	736	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe	87
PID 4760 wrote to memory of 1628	4760	WScript.exe	94
PID 4760 wrote to memory of 1628	4760	WScript.exe	94
PID 4760 wrote to memory of 1628	4760	WScript.exe	94
PID 3004 wrote to memory of 3524	3004	WScript.exe	93
PID 3004 wrote to memory of 3524	3004	WScript.exe	93
PID 3004 wrote to memory of 3524	3004	WScript.exe	93

C:\Users\Admin\AppData\Local\Temp\31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
"C:\Users\Admin\AppData\Local\Temp\31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1628
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ad60719ddc903975912f4e9f6fc7d985

SHA1
a06bcdca8e58839d452bcb54e57e76a9b330b916

SHA256
8747fc9f12f7a1ef2140f691c7340a1f36f925c1c370261c1de2e03855242f39

SHA512
88444674415a5c82a34f7f98752653cfb1e4c60a81da73a7aa8b5c1e7c2f6c39c40d5ad0ced204560eb03204960e613cffe1421dcc41f178a1a1ef9ad199c7f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
90592ff6a7fa500874ede264da48c440

SHA1
d66605dc691feca31385061d404cc7037237d569

SHA256
f54d8c087f6138967b7876b32d28a3f8b47a65fc01461fcb332930cf04b8358a

SHA512
000b4dbd77ab25b5258119e25e542885aa3d0771a538fe5873fa8c4bdb4ce19b391115ac6d1e28f1f216c7684bb7e469f0ed4f6beef1bf127fe34e8cb6d5995b

Download Submit
memory/736-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download