3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba

Analysis

max time kernel
93s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
Size

1.1MB
MD5

58808fabead141c979dee46ce4bf5a13
SHA1

2f60cc3587770738314b00335cca868533d5dab0
SHA256

3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba
SHA512

b3a756434d5dcd55e4231947c746cb7948324953614847e40f9a98bd612207588d1e1659395a46c9dc6a89f379a5f520441b73870ec5bca458767b5b6bd0fb18
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QE:CcaClSFlG4ZM7QzMD

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3156	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3156	svchcst.exe
4044	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
3156	svchcst.exe
4044	svchcst.exe
3156	svchcst.exe
4044	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 3708	1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe	82
PID 1948 wrote to memory of 3708	1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe	82
PID 1948 wrote to memory of 5080	1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe	83
PID 1948 wrote to memory of 3708	1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe	82
PID 1948 wrote to memory of 5080	1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe	83
PID 1948 wrote to memory of 5080	1948	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe	83
PID 5080 wrote to memory of 3156	5080	WScript.exe	85
PID 5080 wrote to memory of 3156	5080	WScript.exe	85
PID 5080 wrote to memory of 3156	5080	WScript.exe	85
PID 3708 wrote to memory of 4044	3708	WScript.exe	86
PID 3708 wrote to memory of 4044	3708	WScript.exe	86
PID 3708 wrote to memory of 4044	3708	WScript.exe	86

C:\Users\Admin\AppData\Local\Temp\3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
"C:\Users\Admin\AppData\Local\Temp\3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ac172ee8128c5fe9cee1122a6970af92

SHA1
14c00b0db4a6dd9abafcb8a57d223243f30e9c18

SHA256
2a55567922d74850baea071560b044741f9ae557cc57cbbc1db3a01ccbe53c25

SHA512
21aadbbbd08a492d56947c9a830f3071b4f3a3045021562872202bd593374535308a9b440b99a08ce0a3235dcfd193a2d52c4458cbfc069aa0974c69f8fa2948

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
caa622934a7a170213fb80cfe46832df

SHA1
ca4652132681ac7e4ed44432e6138c1743aa5ddf

SHA256
677c52610473f6355fc240b2fec8b0a11afa912bbaaded2645f4500294dd353d

SHA512
f9665425abdff7be411ad49099efda1f5e9725c2f219c2c76bc4ffc95808c0c8176f642a3046f8d17e59524918daf6e01a89c4642d26c6aa06124f6beb181e2e

Download Submit
memory/1948-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download