f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a

Analysis

max time kernel
95s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
Size

1.1MB
MD5

6971b3e1ac3a0bdbdc8dbb8d8b2d3a6c
SHA1

3f6e61324733af3c84cc8a108ee0591bfad98a96
SHA256

f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a
SHA512

a99567234593d2a6eeefd8e000899eab5e4140e6207186ff4e80c17ba8bb163b11958a5a0f410e779a7df053e1348c92e4e1deb5816e8c8ba201061f127d5777
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qc:acallSllG4ZM7QzM7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4596	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4596	svchcst.exe
232	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
232	svchcst.exe
4596	svchcst.exe
4596	svchcst.exe
232	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 2360	5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe	87
PID 5048 wrote to memory of 1640	5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe	86
PID 5048 wrote to memory of 2360	5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe	87
PID 5048 wrote to memory of 2360	5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe	87
PID 5048 wrote to memory of 1640	5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe	86
PID 5048 wrote to memory of 1640	5048	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe	86
PID 2360 wrote to memory of 4596	2360	WScript.exe	93
PID 2360 wrote to memory of 4596	2360	WScript.exe	93
PID 2360 wrote to memory of 4596	2360	WScript.exe	93
PID 1640 wrote to memory of 232	1640	WScript.exe	94
PID 1640 wrote to memory of 232	1640	WScript.exe	94
PID 1640 wrote to memory of 232	1640	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
"C:\Users\Admin\AppData\Local\Temp\f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:232
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
7134fe702128f9d796169e8031970cd7

SHA1
6b9f28b7a20cb797587e607a0728f621fb3c3bfe

SHA256
3560a1a4812301b054499122454f847707655045558f386944c8bf3183f488f3

SHA512
91592be06c5ae0d634349bcf12e8ba3843027d2fe949361d0fca5d9105a7f19ec460cdd02e3e1ceb700de5d7db04c6218301e5e527b55d809f1c812421424f78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0597882dd7141c4e0fb7f3d23bcaff30

SHA1
07ae8548e4ff09ac3390c6a16e94c233eb4adf02

SHA256
6208114db30be1bb1da93ee166c38cdb0c2ce671e8240d6911bb0fbcd0446676

SHA512
c7795f81b485f1d127a7140e43767e75b6e0932263d7b22ec36f8ff22a9ee55809e1202751880426c903d649924f5b2374b549f780168e526c4f236a95dc102c

Download Submit
memory/232-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/232-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4596-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5048-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5048-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download