586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
Size

1.1MB
MD5

be1078338f65694c7b9f15554b5b3c73
SHA1

a627e86bc006a95e51457c28efd0dcbb1d08a996
SHA256

586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425
SHA512

b1c8024708301261e9a70949ef33348b349380e8abc5bd280e71860bfbc4d52eb9551d8290d78669312f15ea987cef3a9d7b0c35929ba5ca7436411ddf2bb8d7
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QH:CcaClSFlG4ZM7QzMA

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4456	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4456	svchcst.exe
2956	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
4456	svchcst.exe
4456	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 3984	2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe	86
PID 2860 wrote to memory of 3984	2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe	86
PID 2860 wrote to memory of 3984	2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe	86
PID 2860 wrote to memory of 2024	2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe	87
PID 2860 wrote to memory of 2024	2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe	87
PID 2860 wrote to memory of 2024	2860	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe	87
PID 3984 wrote to memory of 2956	3984	WScript.exe	93
PID 3984 wrote to memory of 2956	3984	WScript.exe	93
PID 3984 wrote to memory of 2956	3984	WScript.exe	93
PID 2024 wrote to memory of 4456	2024	WScript.exe	94
PID 2024 wrote to memory of 4456	2024	WScript.exe	94
PID 2024 wrote to memory of 4456	2024	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
"C:\Users\Admin\AppData\Local\Temp\586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
66261720bce96a87193f351cefea5da1

SHA1
d88af60c1be3520b1193b5efabc4adb9180cb60d

SHA256
50c5e18b1148674f964738034f82b9d3420e879e1821da109d9cac3d2118d509

SHA512
ebadc56da6ff4b62334e2193b6f2ef9a44be07faf85a4abae709773a477264822cef49c61eb7e262fa51cf44c8635b48cf96943283d2e715ffd9581d96a86895

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
af1ec914908544fd51b66cb42a177163

SHA1
45823bf269d04f45473303264c2ceea6a63f98ec

SHA256
e9454c2d312da0ff35eb0e5ccf85f14b01561455124857789197c820bbb95880

SHA512
3f5578f496f38a22cd0d71c49616c5d987953db5b443aadaded254659389f22b29e66ded1cc32dbad2aebafebb8d1e55e7c94a4be1a2980b0f2db111af899d35

Download Submit
memory/2860-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download