4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
Size

1.1MB
MD5

237cd8d412fdf74c62321918632adc01
SHA1

4266dafd3fca28f943a25862e1a21e6347003817
SHA256

4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068
SHA512

1be7db88db5dccc437e6846294892831306b8fd664b76334f0de579566f4e935494d24c8c68ff64ea4c914dd8a3e64235ad109e40d485d480671dd69a14b8bf5
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QT:acallSllG4ZM7QzMk

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
812	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3240	svchcst.exe
812	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe
812	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
3240	svchcst.exe
812	svchcst.exe
3240	svchcst.exe
812	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2224	2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe	87
PID 2512 wrote to memory of 2224	2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe	87
PID 2512 wrote to memory of 2224	2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe	87
PID 2512 wrote to memory of 3716	2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe	86
PID 2512 wrote to memory of 3716	2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe	86
PID 2512 wrote to memory of 3716	2512	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe	86
PID 2224 wrote to memory of 3240	2224	WScript.exe	89
PID 2224 wrote to memory of 3240	2224	WScript.exe	89
PID 2224 wrote to memory of 3240	2224	WScript.exe	89
PID 3716 wrote to memory of 812	3716	WScript.exe	90
PID 3716 wrote to memory of 812	3716	WScript.exe	90
PID 3716 wrote to memory of 812	3716	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
"C:\Users\Admin\AppData\Local\Temp\4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:812
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
deec220bba225473b410e2e51934da25

SHA1
52c146645075272604747c9b2c98142de81329a9

SHA256
abfc2def373d2348457541d72f27d27c8b6e233e82b4f31ec4dc5d72aade3dba

SHA512
2539225c0ecfdb2aef115affb8c576d257b0a153b1994a19f26c4586ab1279e4d292595ece72ca5ebe3541ba446479f76178efda69ef846c63253438be4d5258

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f8f44e87155e714e13427ccff65ba068

SHA1
1cefad54e687079d8c205d06b19b851703bc0b82

SHA256
a26749c069f863d1f50f80f8779b5c8299da99bb0eb24f4a62ce90d152ff818e

SHA512
abf48d2631f201f9104a8506253352e27ffa1341c2827484b8dc693db539349595e6bc38c218a89664b9fdcc4aa2bf4b0a3ec5ae56d31de1dd3a69a07e9ca377

Download Submit
memory/812-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/812-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2512-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2512-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3240-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download