364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe
Size

1.1MB
MD5

065aa720666cb7919d68cb773a89e9e9
SHA1

379be637b2b92eda1ee43fdebcbc849369f36190
SHA256

364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822
SHA512

3f2bd88b790db16d295796ba69b92687f6ef1a94c169c7fe9d54c2c4a36079392cb2cdc4d8dc61bff32a6f816b46dcfef9383519c289fde3c8e1ce00d3c8f2e4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qk:CcaClSFlG4ZM7QzMT

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2300	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2300	svchcst.exe
2216	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2764	WScript.exe
2900	WScript.exe
2900	WScript.exe
2764	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe
2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe
2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe
2300	svchcst.exe
2300	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2764	2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe	31
PID 2132 wrote to memory of 2764	2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe	31
PID 2132 wrote to memory of 2764	2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe	31
PID 2132 wrote to memory of 2764	2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe	31
PID 2132 wrote to memory of 2900	2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe	30
PID 2132 wrote to memory of 2900	2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe	30
PID 2132 wrote to memory of 2900	2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe	30
PID 2132 wrote to memory of 2900	2132	364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe	30
PID 2900 wrote to memory of 2300	2900	WScript.exe	34
PID 2900 wrote to memory of 2300	2900	WScript.exe	34
PID 2900 wrote to memory of 2300	2900	WScript.exe	34
PID 2900 wrote to memory of 2300	2900	WScript.exe	34
PID 2764 wrote to memory of 2216	2764	WScript.exe	33
PID 2764 wrote to memory of 2216	2764	WScript.exe	33
PID 2764 wrote to memory of 2216	2764	WScript.exe	33
PID 2764 wrote to memory of 2216	2764	WScript.exe	33

C:\Users\Admin\AppData\Local\Temp\364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe
"C:\Users\Admin\AppData\Local\Temp\364a650141fa7206350a6540560be77b77c8e0f9cf07d723f4fbab2d1fae8822.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2300
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
adc5496b9674d84c05289d33f7b1d322

SHA1
2fc1d19678e276e7b037a2f3bc98e0db17785fd9

SHA256
a803e762f291fdc7a5945bc6d5c6a69219da1efd6dc1d1f4cb17eda6a5a272c6

SHA512
9152359eb527c380e3aa84a00ec5faab3946d7f51f203874c45ca441aeb9baf1286706e3a4a748678039094667b6ef192cfa46a302440bba791de0467521b791

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ff4780ae100f1f7e58391d90d5d20a3f

SHA1
3a38d9845a6006da2d73248d6d5e5284824edd6a

SHA256
7fdb9b7d2783c2d62bc3df4456b237667995e78da955a9024d9cc78f487b8415

SHA512
d86a117b99f303bad3ed9ddd326b334c97e07e1814e27841a37e948d5111b72807d56c7af95def0bf6fbd31172ce48fe185a27edcbc2f5b68bfbede5a71933b5

Download Submit
memory/2132-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download