eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f.exe
Size

1.1MB
MD5

fef94742d47f0301ed41daf9dde8a694
SHA1

d193110ecc36bd252bbb1675703f4d47f0a81829
SHA256

eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f
SHA512

b553856c3cc8ca0ef086639b7ccba8b8c67fe195020c694051bfbe2396ca070f65427b5c6ab3e06135845045f6d350cffec19d618fa6acca2d27805480879b2c
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q5:acallSllG4ZM7QzM6

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2436	svchcst.exe

Executes dropped EXE 5 IoCs

pid	Process
2436	svchcst.exe
1780	svchcst.exe
2324	svchcst.exe
1884	svchcst.exe
1896	svchcst.exe

Loads dropped DLL 8 IoCs

pid	Process
2636	WScript.exe
2636	WScript.exe
1664	WScript.exe
2832	WScript.exe
2832	WScript.exe
2832	WScript.exe
1596	WScript.exe
1596	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
1780	svchcst.exe
1780	svchcst.exe
1780	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2736	eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2736	eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f.exe
2736	eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f.exe
2436	svchcst.exe
2436	svchcst.exe
1780	svchcst.exe
1780	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1896	svchcst.exe
1896	svchcst.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2636	2736	eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f.exe	28
PID 2736 wrote to memory of 2636	2736	eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f.exe	28
PID 2736 wrote to memory of 2636	2736	eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f.exe	28
PID 2736 wrote to memory of 2636	2736	eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f.exe	28
PID 2636 wrote to memory of 2436	2636	WScript.exe	30
PID 2636 wrote to memory of 2436	2636	WScript.exe	30
PID 2636 wrote to memory of 2436	2636	WScript.exe	30
PID 2636 wrote to memory of 2436	2636	WScript.exe	30
PID 2436 wrote to memory of 1664	2436	svchcst.exe	31
PID 2436 wrote to memory of 1664	2436	svchcst.exe	31
PID 2436 wrote to memory of 1664	2436	svchcst.exe	31
PID 2436 wrote to memory of 1664	2436	svchcst.exe	31
PID 1664 wrote to memory of 1780	1664	WScript.exe	32
PID 1664 wrote to memory of 1780	1664	WScript.exe	32
PID 1664 wrote to memory of 1780	1664	WScript.exe	32
PID 1664 wrote to memory of 1780	1664	WScript.exe	32
PID 1780 wrote to memory of 2832	1780	svchcst.exe	33
PID 1780 wrote to memory of 2832	1780	svchcst.exe	33
PID 1780 wrote to memory of 2832	1780	svchcst.exe	33
PID 1780 wrote to memory of 2832	1780	svchcst.exe	33
PID 2832 wrote to memory of 2324	2832	WScript.exe	34
PID 2832 wrote to memory of 2324	2832	WScript.exe	34
PID 2832 wrote to memory of 2324	2832	WScript.exe	34
PID 2832 wrote to memory of 2324	2832	WScript.exe	34
PID 2324 wrote to memory of 1596	2324	svchcst.exe	35
PID 2324 wrote to memory of 1596	2324	svchcst.exe	35
PID 2324 wrote to memory of 1596	2324	svchcst.exe	35
PID 2324 wrote to memory of 1596	2324	svchcst.exe	35
PID 2832 wrote to memory of 1884	2832	WScript.exe	36
PID 2832 wrote to memory of 1884	2832	WScript.exe	36
PID 2832 wrote to memory of 1884	2832	WScript.exe	36
PID 2832 wrote to memory of 1884	2832	WScript.exe	36
PID 1596 wrote to memory of 1896	1596	WScript.exe	37
PID 1596 wrote to memory of 1896	1596	WScript.exe	37
PID 1596 wrote to memory of 1896	1596	WScript.exe	37
PID 1596 wrote to memory of 1896	1596	WScript.exe	37

C:\Users\Admin\AppData\Local\Temp\eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f.exe
"C:\Users\Admin\AppData\Local\Temp\eb8f3082355f749da5757f06a6e5114a07cc44343e6a575824550c0bea38777f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1780
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a86c1c24307a6e16039834c933324ec7

SHA1
e28a07aa12e6aa2e01a9f205093af8a76507ac29

SHA256
222bddcabb8160d5acba089dce0798968942a173fce0a1bb938164867fdbc307

SHA512
1019300e14a0f2340e69e42dbe34422e192a81d11b27b5a47a29fa826404451281e9fa45e0366c787fb4993d6d4039ee094a89d1b225ae61da19435fcbef6187

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c0ff223574a58a062d6e26c4b0bb7cd

SHA1
b61341ae86f6fd2a2e76592a2fc693479b62f37c

SHA256
b9baaa35fb2544dd650a875b31c12ae5393b345528009fc8c438296ac71da48b

SHA512
b89b388955e99d95ea0a6be87df42a49823ca71ab65505e19689b8ecc56484246bc36abaac9b7b76874b8c287a33645932573b90786886e0289dff05a6874cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0cf3de13364ac1e6c39f7bb679a0604e

SHA1
2660ce6d6a33eaed2118d8a0eb54717ecca8c280

SHA256
6273b88cce518182c88b7f4bb93c5d2b67f8c7ad1c9b5cbee788ea0c001a5d5a

SHA512
6faf4cdee0a5602048b0faf361f1c49b22b37bed352af381d379e280f8ae5aa8ec99f299cb7415c05ed7b8073435f4d2a66a52c8a6f4eecc5a16e7f018e38067

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
52a4e6b7e16de57226c65457fdb5534e

SHA1
2cc48f2efce0f969378ee49ffcd99240487d0b10

SHA256
5ccddb20137b5ea2916efc3c83ecb2c0089f9446fd058de773c2917e80d8a71b

SHA512
e5523348c5993a217984f8bcfb715e48a4db4d5cfe739081224c798f2f7c19ce6b77a48ef3d46959af66d63a091bbf88e0891edc56ad3bedc75e4d0d7e32f492

Download Submit
memory/1664-29-0x0000000004760000-0x00000000048BF000-memory.dmp

Filesize
1.4MB

Download
memory/1780-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1780-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1884-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1896-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-38-0x00000000042B0000-0x000000000440F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-20-0x00000000042B0000-0x000000000440F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-15-0x00000000042B0000-0x000000000440F000-memory.dmp

Filesize
1.4MB

Download
memory/2736-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2736-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2832-61-0x0000000004970000-0x0000000004ACF000-memory.dmp

Filesize
1.4MB

Download