2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab

Analysis

max time kernel
93s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe
Size

1.1MB
MD5

566cfd9a30a3938adbff75fc1be936ea
SHA1

90f8601e0957bab5abdbc595776f11ea69e9d38b
SHA256

2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab
SHA512

c6d1c5fbdf8c6c4ff477765bd9945b1afc84bb7aa6fc54e861e6cc2809ea55ff245e59c29f3c8ac85949bd5e3e30f591dd8717fab45b40a355ee7b956ac9ec43
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qy:acallSllG4ZM7QzMx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe

Deletes itself 1 IoCs

pid	Process
3300	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3300	svchcst.exe
3448	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe
4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe
4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe
4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe
3300	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe
4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe
3300	svchcst.exe
3300	svchcst.exe
3448	svchcst.exe
3448	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3488	4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe	82
PID 4356 wrote to memory of 3488	4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe	82
PID 4356 wrote to memory of 3488	4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe	82
PID 4356 wrote to memory of 1148	4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe	83
PID 4356 wrote to memory of 1148	4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe	83
PID 4356 wrote to memory of 1148	4356	2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe	83
PID 1148 wrote to memory of 3300	1148	WScript.exe	89
PID 1148 wrote to memory of 3300	1148	WScript.exe	89
PID 1148 wrote to memory of 3300	1148	WScript.exe	89
PID 3488 wrote to memory of 3448	3488	WScript.exe	90
PID 3488 wrote to memory of 3448	3488	WScript.exe	90
PID 3488 wrote to memory of 3448	3488	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe
"C:\Users\Admin\AppData\Local\Temp\2d3081ada98d35b4ffb16b43b8eb987aebb40e191d9f86fae917b414fa0a03ab.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3448
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
dff82c21e8da5829f66bf494193d7d1b

SHA1
154bcdd5270d3d52caf6abc2114ee73ae43b5828

SHA256
3075c8db8195bb712e3f9f19ea3261a278adc3ef465ff15770f41696e55bcd7b

SHA512
16169a837e0e2933a20e23bad0efcac3b79c91038c73d7d48830abd36efd3ca5559351f5f0ab5f4b737efe4eeb02899730a06068754496c284300e919a13fef5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
71cf172d20616668f51de6999780a924

SHA1
aa27aba50623e8ef74b7690a560a76d266e6e45a

SHA256
f583f21110de91a1a93c576a7fdb27be38b0ad4fd37b91f714a5c9b633d78f34

SHA512
ccd477b5d3b550a7ecd75e1e080a6b653271e332fe57beac9ad4710f21a27f129127a37ef89abc5e691a544c50190f46010a81ed1d1d66de4c71719fcc78fdc0

Download Submit
memory/3300-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3448-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4356-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4356-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download