ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f

Analysis

max time kernel
96s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 18:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe
Size

1.1MB
MD5

bb8d28488fcae3c534d7c9f52887f13f
SHA1

369788f4a44fcb38c2402d2eb645536959f856e1
SHA256

ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f
SHA512

3cd8ea69e4e591a7903cdb1e322cebf52cce61a26cb998a98cfcd1a994da4dc8b72792ff912869be2bb96c72b579512401d5c87107e59b28cacc285a977bb6e0
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QM:acallSllG4ZM7QzMr

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4456	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4456	svchcst.exe
4400	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe
2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe
2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe
2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe
2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe
4456	svchcst.exe
4456	svchcst.exe
4400	svchcst.exe
4400	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 3012	2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe	82
PID 2960 wrote to memory of 2088	2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe	83
PID 2960 wrote to memory of 3012	2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe	82
PID 2960 wrote to memory of 3012	2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe	82
PID 2960 wrote to memory of 2088	2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe	83
PID 2960 wrote to memory of 2088	2960	ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe	83
PID 2088 wrote to memory of 4456	2088	WScript.exe	85
PID 2088 wrote to memory of 4456	2088	WScript.exe	85
PID 2088 wrote to memory of 4456	2088	WScript.exe	85
PID 3012 wrote to memory of 4400	3012	WScript.exe	86
PID 3012 wrote to memory of 4400	3012	WScript.exe	86
PID 3012 wrote to memory of 4400	3012	WScript.exe	86

C:\Users\Admin\AppData\Local\Temp\ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe
"C:\Users\Admin\AppData\Local\Temp\ac14a181b75095a6fbdb09c56b2c767ca92d136cd87852e61564ad13524c4d8f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a8765f812eea90951922cd00f87a27b1

SHA1
c9129dfc71c09f38a62dd4685bf4abffa7292fc6

SHA256
84482bb8a5d3bba0c923cbc48c07edc5a5a1a0a361d993abc51a55aa4720dc2e

SHA512
8657fe3e39f59b921687ea9eee40f4ebf110f8f4fd89f3e43d0496cf7103c97d7244d3561a2a7209b97a23e64694a8125672de45940954135c051916fddb0f7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
895163b15084d14cfa06d8835cd383b2

SHA1
028581a904726d75598f6472f7d715cf9dd73dbf

SHA256
b22ca6b3a2d2205cd47ac8d74fa619df7468553c7661da60b274b83741ac5b46

SHA512
06104c09eb8957c25d62ba8ebcbf7a50e9edbae78b6337b8c15c38735478e103b2b3aa829962c4059b3ff8739ca4941b7d0b5a69b3f74a74c0ab7d2292921214

Download Submit
memory/2960-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4400-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4456-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download