3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae

Analysis

max time kernel
95s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
Size

1.1MB
MD5

e14da869722a5fc49575747207f3121a
SHA1

f82965621ae92a04860f86d01dc02b5ed95bf18a
SHA256

3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae
SHA512

9ba57544ac5f709e2d49e2ad21f7bba4daffc7c8f9d2ae66561c8061b467f737ee56c343bb306ef465f5153d903101b869ea6d6324e2b58d81d4b8add5817da3
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QV:acallSllG4ZM7QzMO

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3656	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3656	svchcst.exe
4240	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
4240	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
4240	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 3012	3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe	86
PID 3108 wrote to memory of 1964	3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe	87
PID 3108 wrote to memory of 3012	3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe	86
PID 3108 wrote to memory of 3012	3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe	86
PID 3108 wrote to memory of 1964	3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe	87
PID 3108 wrote to memory of 1964	3108	3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe	87
PID 1964 wrote to memory of 3656	1964	WScript.exe	93
PID 1964 wrote to memory of 3656	1964	WScript.exe	93
PID 1964 wrote to memory of 3656	1964	WScript.exe	93
PID 3012 wrote to memory of 4240	3012	WScript.exe	94
PID 3012 wrote to memory of 4240	3012	WScript.exe	94
PID 3012 wrote to memory of 4240	3012	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe
"C:\Users\Admin\AppData\Local\Temp\3bab88c8d01b16ce8959670af11437155b76ff7c803fbd3a13ec3a8f14d4b2ae.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
43727efd214b5836f06ac1e9c9c6c9ec

SHA1
57ebf925a7e9cf1313f36c2119ce3315e876b490

SHA256
dacf49324b5d436cdb473beae0f9da036f7813584651a19524c6ece5f0649d95

SHA512
f165d7de970ca4afe549713e109623a71558cf85c04dd258c8da195d72d874ea48620e3a470bd4fe28e1df40c9966690ebdbfdb764e016806259c6f6a76ce455

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0997a34d2331b3b871d465d438c3bfd4

SHA1
e64b16bc941c0ef52dc2f13c7c27ee8e3c2c4a64

SHA256
941471139499cef47cbe6fa92635fbeba2003eaf2b9cad3b6c7ee9e8b4e2059a

SHA512
aa2d464d221a5a1bf4a5472a2259577870b553e32d58e96a955a60a38e4ab68ad548b6aadb30a3d5543e6dba7823f796345c84d46759c7e67b3a4d572e91ec5b

Download Submit
memory/3108-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3108-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3656-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3656-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4240-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4240-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download