6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 21:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe
Size

1.1MB
MD5

a51f6d453964ff9e4b83b0941522d6f3
SHA1

cbf6644f137ba049928f018c20567550c01ced74
SHA256

6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d
SHA512

f901b2aeed4263597fa6c68413ec4a50734d9d3f4ad06aacce2a2db1e3bd460c86eb3d475ec6a0d5452b8031bb6bc1e18ada4162d7c9469ffed6217045f6e613
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzM7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe

Deletes itself 1 IoCs

pid	Process
4588	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1036	svchcst.exe
4588	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe
4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe
4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe
4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe
4588	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe
4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe
4588	svchcst.exe
4588	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 2888	4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe	85
PID 4336 wrote to memory of 2888	4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe	85
PID 4336 wrote to memory of 2888	4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe	85
PID 4336 wrote to memory of 3420	4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe	86
PID 4336 wrote to memory of 3420	4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe	86
PID 4336 wrote to memory of 3420	4336	6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe	86
PID 3420 wrote to memory of 4588	3420	WScript.exe	94
PID 3420 wrote to memory of 4588	3420	WScript.exe	94
PID 3420 wrote to memory of 4588	3420	WScript.exe	94
PID 2888 wrote to memory of 1036	2888	WScript.exe	95
PID 2888 wrote to memory of 1036	2888	WScript.exe	95
PID 2888 wrote to memory of 1036	2888	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe
"C:\Users\Admin\AppData\Local\Temp\6d5a0d02de23917a65d4bcc95d5db12669d6fdd4b826508641a5c922db80269d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0a34af37790f15a4f65b9ada79995361

SHA1
c89df4fc959a65b05171eac4e3f190748eef9b43

SHA256
43cd2445137bf647a600a492b68baa25ceeb8f6646cf1d50f08a1dcce7fd88e6

SHA512
e7e207f569b166782279a6537e9e1de76cd43efe50a0d56d917fe76b960035c5de403ea9ebf426b8df83933d455105ae85d736ea2e82442e263bb43b3f6b7660

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4471357ee8d5fa7c7758214aca89da8e

SHA1
55b6de99f9ffcd3197f8a4ae029f6cc9ae62a023

SHA256
f262ab09fe6e7a1c3a8758ce05aa584b1ca187088302866468a836b39f8ec74d

SHA512
ae0128ee151600c065924502f33261e9150b84624b9dc4d2a32d6bdafb097a52a08b69ed052c3b4488372d8723dfcb3908d8dbbae01b2d95bf994011c925c9f8

Download Submit
memory/1036-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4336-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4336-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4588-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download