632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
Size

1.1MB
MD5

52304c8d31077c775b8007b2db2d7328
SHA1

94174a12fb9eb299428f169c428ab128ddb31518
SHA256

632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd
SHA512

8d22c47f47dfa604480599a5e47d9d170801000a02b4b9c7c931581a2a53fedb24f2a159e1367e3a00628662788827df2728c1c9c36f5db4ea99d2f5917783d4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QF:CcaClSFlG4ZM7QzMe

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3748	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3676	svchcst.exe
3748	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe
3748	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
3748	svchcst.exe
3748	svchcst.exe
3676	svchcst.exe
3676	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 640	1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe	83
PID 1960 wrote to memory of 640	1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe	83
PID 1960 wrote to memory of 640	1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe	83
PID 1960 wrote to memory of 768	1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe	84
PID 1960 wrote to memory of 768	1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe	84
PID 1960 wrote to memory of 768	1960	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe	84
PID 640 wrote to memory of 3676	640	WScript.exe	90
PID 640 wrote to memory of 3676	640	WScript.exe	90
PID 640 wrote to memory of 3676	640	WScript.exe	90
PID 768 wrote to memory of 3748	768	WScript.exe	91
PID 768 wrote to memory of 3748	768	WScript.exe	91
PID 768 wrote to memory of 3748	768	WScript.exe	91

C:\Users\Admin\AppData\Local\Temp\632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
"C:\Users\Admin\AppData\Local\Temp\632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
95e12e103a6768de9c98236c149bc1ec

SHA1
0cf1307b561aeba8a73966854062e10a64226728

SHA256
fd391499d8c3383cc38f82417d5590938e16ccbbe07468ad8a3c352ab0eb27e2

SHA512
40205ecbab77e47e5ed446e076d09855496bb6ba5cb80c1c6118056eb0090b4e733cc93e3d0756ec12f558ace039e5fd8c1d711d9405dfe3675e0a244e901d82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
22871ebc67ce94c553174441c8e3d00d

SHA1
c87a02efb1d8918af07e094e7e2c279c563f5963

SHA256
dc03bc2be3feb95af21bcbc7dd3e101e87fad615b5d4419b8a827bf9629aed66

SHA512
a5447d85eccaa79278235e15a37d711ec19dc4f6468e1b78020147ac90a570ea1ef54369e512bc4e316a1bfe6870203e90ba0ba9b80da32adb0900059cb557c0

Download Submit
memory/1960-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download