8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238

Analysis

max time kernel
93s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe
Size

1.1MB
MD5

ca8a4a75921275a9c47c47eec9d8e595
SHA1

acc4c54842cfe19fccffd8708a72ae54828fd224
SHA256

8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238
SHA512

36e551359d1c009f31168ae210b048654a424aba51a9b585bdeabbd4b8460e76246cf5acca61aeaf91fb53a9f67a15ab0c8759e01a6731daed73af68cbe04c1e
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QB:acallSllG4ZM7QzMS

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4712	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
1464	svchcst.exe
4712	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe
244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe
244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe
244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe
244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe
1464	svchcst.exe
1464	svchcst.exe
4712	svchcst.exe
4712	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 4816	244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe	84
PID 244 wrote to memory of 1144	244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe	85
PID 244 wrote to memory of 4816	244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe	84
PID 244 wrote to memory of 4816	244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe	84
PID 244 wrote to memory of 1144	244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe	85
PID 244 wrote to memory of 1144	244	8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe	85
PID 4816 wrote to memory of 1464	4816	WScript.exe	94
PID 4816 wrote to memory of 1464	4816	WScript.exe	94
PID 4816 wrote to memory of 1464	4816	WScript.exe	94
PID 1144 wrote to memory of 4712	1144	WScript.exe	95
PID 1144 wrote to memory of 4712	1144	WScript.exe	95
PID 1144 wrote to memory of 4712	1144	WScript.exe	95

C:\Users\Admin\AppData\Local\Temp\8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe
"C:\Users\Admin\AppData\Local\Temp\8f87ed6e10f5b8b5469a30664fa7b4f4825726471678de850a10d64f740ed238.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1464
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
057bf4261f76d92fde989090b91824b4

SHA1
2f8a6c3ef1943e58ae9808dd73ee9323f55c72d9

SHA256
51aa9a91c404f263bdabc48e666d7dc53df18a63945aba29d96aca01cc8af644

SHA512
c780ed6d5c20ff8452f0bfa897cff516487d21a8c9ee936df91ad8ced34b4e770964fd6d003904cf2795a78ee7002ac1f21cbb1ee82129d1f57aa7ec157e90c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a46e97b206e2517c386cc4d91ae7e0fe

SHA1
e625042eeb67ca67c04d520ad5b99dea3cdecd3d

SHA256
861adad0959a1652a97c05421a879e6064f965f57f7599079b6374951748d825

SHA512
4800199279c181744db149b106921065e69ff48f8f02b25f8ad183c5b71df78c69b048493f2d8b122cac8b66a71b650f867e6bdb0545e520433ce2e1bdee0182

Download Submit
memory/244-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/244-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1464-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4712-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download