Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 04:05

General

  • Target

    02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe

  • Size

    1.1MB

  • MD5

    03b7a88bc3b17d60691d3e22f66abaa0

  • SHA1

    77ec0c964c2993e4de2581cf41fe16edb1e0d273

  • SHA256

    02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823

  • SHA512

    99ff66784a2a79afa4d5c2eecc068ec1afcba58f3be29b264df236da3ebfda33b448456df6c05aae873220d60c42a0c4b96095da5f5af54fd8c6a1ee3acc0545

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q0:acallSllG4ZM7QzMj

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe
    "C:\Users\Admin\AppData\Local\Temp\02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3304
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5060
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:976
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3156
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4940
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3312

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    754B

    MD5

    8339d2d57e26d80b5ee23cd021dd2af0

    SHA1

    68c6231cdea5ffbfaf8dc5fca53b7cbb012be68c

    SHA256

    c56e4921daccec8b156a101f2fab2a9dbf82719571728864543203c399df5258

    SHA512

    1f10bd77b691a24e02380582d4bf67794a810aa0df4db0b977257b26d59f376777cde75af922ec25f4a8f16b629ce6536242cb4e9db8a93ce0bc12e234b0409d

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    c0b5050d31a3c3086d56cf03dbf39e65

    SHA1

    2f16721133b7efffc3b7c495803a409b47223c1f

    SHA256

    4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

    SHA512

    be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    ac5657b89850d269ba3ab50062b7f9fb

    SHA1

    27e5d3174da360a6cb3b79a43144f78eb0aa18ee

    SHA256

    c58b35442e84067c25b3a6e68496b06775edbeaa121771bf89f974485bf9a959

    SHA512

    77ab2fe76f6370e0d431ef21e31d862a6e0ca69dc24c176d497aa5cbd32f3acf4e47f9603f519c8d6c1d563d93d9b0b24a26342b4ed650072fafcba29d61ff1f

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    b841591ab361ac02bd5168c9f69c6904

    SHA1

    f82ace35115f8b4ea427b6533793f9f9dccf4efb

    SHA256

    53cb3e3800c23720ddc2f88907e8eaf868fa63ab49eeee9495030c1a0dc52c5d

    SHA512

    f43ea3b5dd8c5f7168a001da81814fb2b2c842e6be3bee2bc6e8867753026b7620f4fdc243f92e3b1bcb6df76c407babc97c6e5c0c1594d9a66347c9622d9257

  • memory/232-0-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/232-11-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/3156-29-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/3312-28-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/5060-24-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB