fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe
Size

1.1MB
MD5

4c0362119a33419b35a74a7dde7600ca
SHA1

70701e22ff6f0df8add4f2fa39a6f0cbb40807d3
SHA256

fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324
SHA512

3ac9eab65d79c53d47c8d8c3d477d87352d8387ffe319c9a54d52ecfb54e7865fd44759845ad2b8a332fe18371420948d80ccef0de09900f54634bdcca4a3dbe
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q1:acallSllG4ZM7QzMu

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2880	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2880	svchcst.exe
4888	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe
3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe
3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe
3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe
3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe
2880	svchcst.exe
2880	svchcst.exe
4888	svchcst.exe
4888	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2516	3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe	82
PID 3028 wrote to memory of 2516	3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe	82
PID 3028 wrote to memory of 2516	3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe	82
PID 3028 wrote to memory of 4736	3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe	83
PID 3028 wrote to memory of 4736	3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe	83
PID 3028 wrote to memory of 4736	3028	fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe	83
PID 4736 wrote to memory of 2880	4736	WScript.exe	90
PID 4736 wrote to memory of 2880	4736	WScript.exe	90
PID 4736 wrote to memory of 2880	4736	WScript.exe	90
PID 2516 wrote to memory of 4888	2516	WScript.exe	89
PID 2516 wrote to memory of 4888	2516	WScript.exe	89
PID 2516 wrote to memory of 4888	2516	WScript.exe	89

C:\Users\Admin\AppData\Local\Temp\fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe
"C:\Users\Admin\AppData\Local\Temp\fdcfea4bb48c4ceb5d191c3aac127e0cfaf15a4c91fdf6414b5f8ade12991324.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a1c8a511f79a6c4f65561d87568560e8

SHA1
5a05b0938e8f0f3b2d4d2da0affa62a6488e150d

SHA256
0ae8bffbde192b03f1cfd8e22d644d690e90369aef0a016f3a75e18cf4e60e2c

SHA512
6c084c652d1767d1c2741c936abf1d644e194da08f1e1132f933d22cdf4df5cb8dd0be93769b5602b4d0a66c3337f7428b0371f13a032a7ae6566866133b27ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2c2964d9450e2d801df95332a08642be

SHA1
eb68d5049dbea12b3b1e199822bb4b7bec1ba0f4

SHA256
e80afb5b4608c11c1f76e0fe7e412c8041d7b6b3567ab28ab416a6d268b0b090

SHA512
0e185baa38bd011259dd43ddf64c679ed4aeae3db879772662f3925e0b3a0eacb2492d77e5b1a50f6ae2a44b8ca78f68312b0dc07fecafc151b3373737a3b062

Download Submit
memory/2880-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4888-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download