964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe
Size

1.1MB
MD5

2247f67bd4d02fd2f444f2d874e39270
SHA1

471a9ab4347d7d60170c25b5144597c190119198
SHA256

964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341
SHA512

0e54d59944b11608ce793c1e98c54e31fffc097bd08e762152c87b90bdec4f13d83791a8a9ca631726957e78404c5124eb5ebfbad527c04266c2bb0ab3ba0423
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qo:acallSllG4ZM7QzMP

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4392	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3220	svchcst.exe
4392	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe
1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe
1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe
1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe
1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe
3220	svchcst.exe
3220	svchcst.exe
4392	svchcst.exe
4392	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 784	1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe	86
PID 1344 wrote to memory of 784	1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe	86
PID 1344 wrote to memory of 784	1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe	86
PID 1344 wrote to memory of 3968	1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe	85
PID 1344 wrote to memory of 3968	1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe	85
PID 1344 wrote to memory of 3968	1344	964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe	85
PID 784 wrote to memory of 4392	784	WScript.exe	95
PID 784 wrote to memory of 4392	784	WScript.exe	95
PID 784 wrote to memory of 4392	784	WScript.exe	95
PID 3968 wrote to memory of 3220	3968	WScript.exe	94
PID 3968 wrote to memory of 3220	3968	WScript.exe	94
PID 3968 wrote to memory of 3220	3968	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe
"C:\Users\Admin\AppData\Local\Temp\964702eaeb7dfd5d8cab8cd057579d4b74317afb05d1aef093e60507bd62f341.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
89c6e390419ce9c43a988d475eb64827

SHA1
881229500f47d61eea960a53ca733d81b5dfea08

SHA256
45156ae71cb39f3261ba008f6c6f68cb6439648d42f3b4a7726f9f7d463e4f5d

SHA512
7060a91d9bb4dee004c5e3e97413d6bf6773587de5b94427c27b0a6d524b81bfb0fd9ab7529f21d55e72e7857e76a8805af57d412bb0b3de86745de853663112

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
16e381e0b0ebdbe48fb2d4ce6d129468

SHA1
fb62bf9a28bd651ad35fbba4bfc99dfb3de3ee67

SHA256
9301ae4298a4248846389e4a6fa2f0c366c7dce88a2e88bf1a1defcb485a27be

SHA512
607952c83cb138a422999b6562d97575d7d39771d4d9ff23122cf1e286897fea24bd9df4b40d93e90db2225bfc1e6183553f204baa68021360ba87f9078492fc

Download Submit
memory/1344-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1344-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3220-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4392-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download