a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe
Size

1.1MB
MD5

62a8e1420b2226e59d05bcff84574d85
SHA1

e4edec6189f0f2db63a05d16fca682d302f6ec79
SHA256

a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73
SHA512

bebacc6cb0a0fda11bff2c3e1e51676cc5c943b955fce9116d1ad5352fea9067afb3e932877629a38f8232271f791b5b2c62a445d6619f3729ac7a06a53a4844
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QZ:CcaClSFlG4ZM7QzMK

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
2856	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
2856	svchcst.exe
4472	svchcst.exe
3320	svchcst.exe
3496	svchcst.exe
2284	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1176	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe
1176	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe
1176	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe
1176	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1176	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1176	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe
1176	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe
2856	svchcst.exe
2856	svchcst.exe
4472	svchcst.exe
4472	svchcst.exe
3320	svchcst.exe
3320	svchcst.exe
3496	svchcst.exe
3496	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 3620	1176	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe	84
PID 1176 wrote to memory of 3620	1176	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe	84
PID 1176 wrote to memory of 3620	1176	a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe	84
PID 3620 wrote to memory of 2856	3620	WScript.exe	92
PID 3620 wrote to memory of 2856	3620	WScript.exe	92
PID 3620 wrote to memory of 2856	3620	WScript.exe	92
PID 2856 wrote to memory of 2108	2856	svchcst.exe	93
PID 2856 wrote to memory of 2108	2856	svchcst.exe	93
PID 2856 wrote to memory of 2108	2856	svchcst.exe	93
PID 2856 wrote to memory of 1216	2856	svchcst.exe	94
PID 2856 wrote to memory of 1216	2856	svchcst.exe	94
PID 2856 wrote to memory of 1216	2856	svchcst.exe	94
PID 2108 wrote to memory of 4472	2108	WScript.exe	97
PID 2108 wrote to memory of 4472	2108	WScript.exe	97
PID 2108 wrote to memory of 4472	2108	WScript.exe	97
PID 4472 wrote to memory of 5012	4472	svchcst.exe	98
PID 4472 wrote to memory of 5012	4472	svchcst.exe	98
PID 4472 wrote to memory of 5012	4472	svchcst.exe	98
PID 5012 wrote to memory of 3320	5012	WScript.exe	99
PID 5012 wrote to memory of 3320	5012	WScript.exe	99
PID 5012 wrote to memory of 3320	5012	WScript.exe	99
PID 3320 wrote to memory of 4560	3320	svchcst.exe	100
PID 3320 wrote to memory of 4560	3320	svchcst.exe	100
PID 3320 wrote to memory of 4560	3320	svchcst.exe	100
PID 3320 wrote to memory of 1348	3320	svchcst.exe	101
PID 3320 wrote to memory of 1348	3320	svchcst.exe	101
PID 3320 wrote to memory of 1348	3320	svchcst.exe	101
PID 1348 wrote to memory of 3496	1348	WScript.exe	102
PID 1348 wrote to memory of 3496	1348	WScript.exe	102
PID 1348 wrote to memory of 3496	1348	WScript.exe	102
PID 4560 wrote to memory of 2284	4560	WScript.exe	103
PID 4560 wrote to memory of 2284	4560	WScript.exe	103
PID 4560 wrote to memory of 2284	4560	WScript.exe	103

C:\Users\Admin\AppData\Local\Temp\a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe
"C:\Users\Admin\AppData\Local\Temp\a2b77b57ca8340f78c08fbc7577545cba0f9fdc1dba7c26a0d8ad9d8c0904a73.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3496
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
950c92f81d02f487c1d3cb8792674b27

SHA1
3bd096b169ba4def42a12722f2b1bc02446b482b

SHA256
d5f8fcfd432950b349bf26bbcc2f6f99d47f1d71ab4003429deb9b892c61afa4

SHA512
305b520cae979d8241eec89e8a023d9fe16784b44ff3bddc62d6d1e6cda5f85c5f98e9ebcce25397ef329ecd752a4f3eb564b1354c193988fdc80753aa0a5268

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a7abbe21bd06224da6044ceefc079882

SHA1
45948d51fb8d65cd1032448311043927dcfa0d2f

SHA256
5f4905388f1de9cd98bc931f1f041dd2543394219661a271c11fff5b0d8222b2

SHA512
3371b7d36aadb7aa31617ba0d8cb23e2ccd36c8268946e8ec526e98e61d0312622b089331f05a36775fd59174fa8a68595e664a665feeb9afce17c906a8b1bd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e52f7052558e42ef2048513c7aa3d00b

SHA1
0690bf5b58e33063ea6ca9f397343df1ae447da5

SHA256
edb0a90bf2f39cc7c7fb042fb8fb8fe50dbfb8e7b5cfd412c372c4936e3692ef

SHA512
6c91e818eaa188a345a2f07cca95ee6432ca5cd06211490eb05a1e5c7be62127bf9f7b66d4f4d8df9443b391aacb8fbb3e7d4e8c01fb224ea239df4bc63cea9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d0a9806aa91d747e0d019133fc9c1051

SHA1
f1f766910f5c8b5f40e5c131dd0a5b45dc034e48

SHA256
7412960d428325861b2407fa4d28927199654392c5f2ebc8b08ad14647c6b3cc

SHA512
ca4b58d50d5a20d64315b46789fd9ba6edabc315d707b20d60f0e6bc9c03cf1fc8cf8ef4ee3403ded4ddcbc38ee464e9cd46ec6e395aa0c7a2bbe3a2f710f059

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
678476e6cb65fea3535d2563309caeae

SHA1
9b83747c773c28735abdceb138289890373e8896

SHA256
38a2115f5c87871ccec8b189a15f9bd38a7eca5edee6a94ae31e095e748ae2a5

SHA512
0a4c19d1631ef6697ba8bccb95129d18078f635f5ed4f2fbaec94ee3b04227459cb38e3729c8714d771f64f1e5393d6bda7f2309aea6bd283ccd243a01074e78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
47f7bfa4372a1d9f31124934c52e08a0

SHA1
d3cf5a687820f0c515c4882d4806d43ba9bbeef3

SHA256
f5190936892a8a37a91825757ee3488f1279063f0d1544330c28579124aee643

SHA512
67fe195b75c936277988ff94e9dd3e460675ad72707e51c5a0726b40851931a4bc7e74d896dfd0606cd658b348b083f45a1a6305d68580beec9fc5deab028911

Download Submit
memory/1176-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download