0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
Size

1.1MB
MD5

72ea84f57ec7914cd5e8beb478531a82
SHA1

22323c68baeb3ca22749b128db512544ad6225b2
SHA256

0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859
SHA512

85c0fe92f917fc4cba6a3b54a7086c3a7e91dd404f7a72c8c99914d1168b8726fee1328cf3d3338e61a9ac3456a26f0b377704a791d3cb300b4b31cef2d99cda
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qw:acallSllG4ZM7QzMH

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4716	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
4716	svchcst.exe
2840	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe
4716	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
4716	svchcst.exe
4716	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 5020	2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe	90
PID 2980 wrote to memory of 5020	2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe	90
PID 2980 wrote to memory of 5020	2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe	90
PID 2980 wrote to memory of 1964	2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe	89
PID 2980 wrote to memory of 1964	2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe	89
PID 2980 wrote to memory of 1964	2980	0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe	89
PID 1964 wrote to memory of 4716	1964	WScript.exe	97
PID 1964 wrote to memory of 4716	1964	WScript.exe	97
PID 1964 wrote to memory of 4716	1964	WScript.exe	97
PID 5020 wrote to memory of 2840	5020	WScript.exe	96
PID 5020 wrote to memory of 2840	5020	WScript.exe	96
PID 5020 wrote to memory of 2840	5020	WScript.exe	96

C:\Users\Admin\AppData\Local\Temp\0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe
"C:\Users\Admin\AppData\Local\Temp\0de413544e6266ed32ef894ffb8c44d00dd8bcbfcd5dd709295b9ad38e50b859.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4656,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:8
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0ce00f58ef7f6b009954ac378a7fb186

SHA1
cdcbe883346eb9cd41d8b9d0fdbaa7cc74845c10

SHA256
d7a0498731186cf8fada61d2a9dec77568308b71bbe0c4ca32f09aa55d4bd735

SHA512
60f9fa2c07480165fe92104f91e3bb3216bfa283adaff5d5fe944a3d3eb07f84d1645cd93fd4df89cc84285bbd0b53a7af5872fbb23925af899e57d8e47cfef3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3d8470bcdd979b4cae80bf0e91f29d19

SHA1
693eab0b02bea717f35b51edb31b7072b9341aa1

SHA256
37cf1061a8de56bd52f880b9437e0f351d26c7c089cff382923526cbab0a0bd6

SHA512
cb7b3d1621eea49efe5d4ffd900cf488279b91f252450ecda15e09fd201708d95dea8f8ca8a09a11534d46e12ea7ce709efab55a248984f7827eed9f0da6cdea

Download Submit
memory/2840-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2980-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2980-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4716-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download