c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2

Analysis

max time kernel
95s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
Size

1.1MB
MD5

0e6b9be67bbf3f4ec1efe2fd8b5ab1d0
SHA1

5f08f01b54e6eb2d16ea07403535410e50bdfdd0
SHA256

c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2
SHA512

d1254b9d9788d3318de2417362f9c0356260e2eb442b248d44aed20f5d2ca67113025ca10b6bedd3cfdc1fd6ef2ab92eae7afed61efa59a02f20e2731d606066
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qj:CcaClSFlG4ZM7QzMk

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3000	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3000	svchcst.exe
4108	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
3000	svchcst.exe
3000	svchcst.exe
4108	svchcst.exe
4108	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1428	1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe	82
PID 1336 wrote to memory of 1428	1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe	82
PID 1336 wrote to memory of 1428	1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe	82
PID 1336 wrote to memory of 4272	1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe	83
PID 1336 wrote to memory of 4272	1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe	83
PID 1336 wrote to memory of 4272	1336	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe	83
PID 4272 wrote to memory of 3000	4272	WScript.exe	86
PID 4272 wrote to memory of 3000	4272	WScript.exe	86
PID 4272 wrote to memory of 3000	4272	WScript.exe	86
PID 1428 wrote to memory of 4108	1428	WScript.exe	85
PID 1428 wrote to memory of 4108	1428	WScript.exe	85
PID 1428 wrote to memory of 4108	1428	WScript.exe	85

C:\Users\Admin\AppData\Local\Temp\c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
"C:\Users\Admin\AppData\Local\Temp\c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4108
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0369ec141b8143a593080775a0495ecd

SHA1
09a10d7e06cba3ecb1fe70a05cca778af2b3d824

SHA256
06671cc64c1bbea272d55102bd1b4c503f752ae34909cc277f9e779cf4fda64a

SHA512
224ae4a4a5be473fcd7c91b5497cd8975cf9f48d0cb2ddca2e0fd356826530c1b4e25b9864407e489688482146b6c21211f7a11cd4d8d4dc47b02e3f7dae08b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9161a7bd58292a9be9cde369cb7cc2b0

SHA1
7289f8e63a54de18984219b9ddce29400e6083fb

SHA256
3b9d118c2c03aec8d8160fa84bf0d3311749e38a99281abaf05d30589059f259

SHA512
5eb01dd9b279b39607d10e994c1f77e36836df6c991d17fd5bfdb253736725638dfabe45352f50468d371bc9ed99676978f05fae83c42a1fc8005889f9da4747

Download Submit
memory/1336-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download