14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e

Analysis

max time kernel
97s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 19:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe
Size

1.1MB
MD5

f211a663509895a12ebc79e1d23f375b
SHA1

49dc9138b97a8b5b1caa9e8fa4a077695d6cad37
SHA256

14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e
SHA512

1dc968a899bf29b4d8d03f40763660971fed83b456815f58060e0081f4acc3990c930ecdc91f43fc2fdb85b9bfbbff2580d9d7221f0afdea3d6f35db80308e1a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qg:CcaClSFlG4ZM7QzM3

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3552	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3400	svchcst.exe
3552	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe
3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe
3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe
3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe
3552	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe
3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe
3552	svchcst.exe
3552	svchcst.exe
3400	svchcst.exe
3400	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 4736	3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe	86
PID 3964 wrote to memory of 4736	3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe	86
PID 3964 wrote to memory of 4736	3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe	86
PID 3964 wrote to memory of 404	3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe	87
PID 3964 wrote to memory of 404	3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe	87
PID 3964 wrote to memory of 404	3964	14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe	87
PID 4736 wrote to memory of 3400	4736	WScript.exe	89
PID 4736 wrote to memory of 3400	4736	WScript.exe	89
PID 4736 wrote to memory of 3400	4736	WScript.exe	89
PID 404 wrote to memory of 3552	404	WScript.exe	90
PID 404 wrote to memory of 3552	404	WScript.exe	90
PID 404 wrote to memory of 3552	404	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe
"C:\Users\Admin\AppData\Local\Temp\14d75314c76da54e3a00780d699dd961cbdf8e4a8f068f9b026b924633fdc99e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
26e360efcf6a87ea8a997db425f82a1e

SHA1
7b8cc3f4ec0e0f4dd318955a618d06992bb14e57

SHA256
30bccbf6b5fef85ee7d7262326278f133d2004da6fd8aba20b58577acfd3281c

SHA512
cf5b20fce0a753a22ec69eb90dfdd4462a04fa0385868fd3bf19d87f5f2eaa4479805f77047ecae1017103c15b72d46a950b019c3dfa8f87c5aa7a3bf2ead691

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
01c369fa30c601ba1b59db0fd9a52b93

SHA1
d0fe95d159e3d9176e8ef6d26a178ffadce6a253

SHA256
ead1451b86b44e2d1bb5bfd5398224326d0fa9367cfff52847a83fb7fe08b5d5

SHA512
c343337f87c91183130e932819afc8108f10314091fc452cb5d4ef02cf4f51d3609eee8b6a6601be5bb949fa5586fbec67d99e66ea5f41c66abb6cddeda185f8

Download Submit
memory/3964-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download