e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe
Size

1.1MB
MD5

37464cc84d3f976411a57bc27af8744a
SHA1

70ab0fb1011e8f4336e7e4229e6880fcdc744a2b
SHA256

e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2
SHA512

ae26daa0281190034da81cbacd6b0c816a52bf13a1fceb63444774ac68b82930434749b1783d2067be48d39eaec52fe2f81823763236f468ff236e566cdbaff2
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QP:CcaClSFlG4ZM7QzM4

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
384	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4764	svchcst.exe
384	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe
1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe
1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe
1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe
384	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe
1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe
384	svchcst.exe
384	svchcst.exe
4764	svchcst.exe
4764	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 5032	1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe	85
PID 1840 wrote to memory of 5032	1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe	85
PID 1840 wrote to memory of 5032	1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe	85
PID 1840 wrote to memory of 1792	1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe	86
PID 1840 wrote to memory of 1792	1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe	86
PID 1840 wrote to memory of 1792	1840	e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe	86
PID 1792 wrote to memory of 4764	1792	WScript.exe	92
PID 1792 wrote to memory of 4764	1792	WScript.exe	92
PID 1792 wrote to memory of 4764	1792	WScript.exe	92
PID 5032 wrote to memory of 384	5032	WScript.exe	93
PID 5032 wrote to memory of 384	5032	WScript.exe	93
PID 5032 wrote to memory of 384	5032	WScript.exe	93

C:\Users\Admin\AppData\Local\Temp\e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe
"C:\Users\Admin\AppData\Local\Temp\e2f56113787f14e274a9fd136f80a70f88ec711f44988b31c88eb2cb979113a2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
32a7e61dee21505c53e36cd7b8e38c4a

SHA1
d52136196b976f4af57ba1234790c3e520e00501

SHA256
c47a2fdbd354fb883931a2208348dbd982f8f6a76b6af15f194e719ceae8f201

SHA512
22f65e3cbf90423f6902b9bcae389f4b080d05e8cdccb50759c68b81ef3cf859c595e241fc40b3ec745634d4e80155b226e7bcb3521bc70ab13a7df83204c606

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2c08eca92f6733b69da5776c3a286d5b

SHA1
bdf35f23004868f7cc3352971e2388c361b1e339

SHA256
1b5b93e1f5ebdd4e15a981848f4f0732e0d974b5fcd3dceb06cf5743e03e5380

SHA512
550b4d3117b6203afda79fa89939c6f1b679f75671540eeae3d18a5bbb50e6410972037691bdf2d861575bd5e7a5e4a860d1693d9b4afa30040c5376c4854c44

Download Submit
memory/1840-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download