b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cb

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
Size

1.1MB
MD5

a13dddc4bb10999f4c58655bae0231a0
SHA1

7442277c055a1fe591417bbfdb4f9f3e2d99cc83
SHA256

b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cb
SHA512

b26e033a73a6c157bf97c32b016e95b05310104165f7cbb61b54346165aea71b32af6372fbc2c5c357871872e12e4f46df1b92398e45155d3c2f63b7b92831cf
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qx:acallSllG4ZM7QzMC

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4496	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3808	svchcst.exe
4496	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
3808	svchcst.exe
4496	svchcst.exe
4496	svchcst.exe
3808	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1824	2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe	84
PID 2960 wrote to memory of 2880	2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe	83
PID 2960 wrote to memory of 1824	2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe	84
PID 2960 wrote to memory of 2880	2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe	83
PID 2960 wrote to memory of 1824	2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe	84
PID 2960 wrote to memory of 2880	2960	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe	83
PID 2880 wrote to memory of 3808	2880	WScript.exe	89
PID 2880 wrote to memory of 3808	2880	WScript.exe	89
PID 2880 wrote to memory of 3808	2880	WScript.exe	89
PID 1824 wrote to memory of 4496	1824	WScript.exe	90
PID 1824 wrote to memory of 4496	1824	WScript.exe	90
PID 1824 wrote to memory of 4496	1824	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
"C:\Users\Admin\AppData\Local\Temp\b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
754B

MD5
0d5000662cfa09b5d1743d1e9ff7413a

SHA1
36dbc3997695442e1956fb5e90d83bd44149210c

SHA256
d371bd847a67f56c2117b3fc3bfb4372150242466d34fb146ac5ddcacf59e6d4

SHA512
6bc59fe2cbb88c12e1c581a3163efa0fe48b391829b5480517ff57aadfea6f6f4b7a40ecc9f5a68fe43cde9a1c72aabe84585f4b8fd055662c0ad517d3c6e029

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d3f268b9c86e0ce2904fce89e015c287

SHA1
0e95c56c00286658a1c1bed0e102146791cd86b0

SHA256
d4bdca82d1acdf7fade1ddcdfa412d1e41ed3d4a24c32d201b4fa11bdb3d32f3

SHA512
82cca8d93a49bf4a3921beb4e11e9bd8dceaa21efd7709a55ab2b776c31a01eaa9f6b281cd0d1b133e0273179cd93b5fa354bec44c7e7550547188438265ef4f

Download Submit
memory/2960-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3808-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4496-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download