3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe
Size

1.1MB
MD5

3c1e181904e9ae6b262cb3c54f392ef0
SHA1

feb78b490f382bee7614c46bccd1b624b4cf99d0
SHA256

3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6
SHA512

f7513226b317043db2bda09c366c7e4b66c9a2a827f8b95be9df0de6bbf9e3fe562e341c7176154dae1036fdc02274eb0dfff26738669ce836951477ff63d7d2
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzML

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1724	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1724	svchcst.exe
4924	svchcst.exe
1348	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe
4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe
4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe
4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe
4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe
1724	svchcst.exe
1724	svchcst.exe
1348	svchcst.exe
1348	svchcst.exe
4924	svchcst.exe
4924	svchcst.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2072	4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe	84
PID 4476 wrote to memory of 2072	4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe	84
PID 4476 wrote to memory of 2072	4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe	84
PID 4476 wrote to memory of 3436	4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe	85
PID 4476 wrote to memory of 3436	4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe	85
PID 4476 wrote to memory of 3436	4476	3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe	85
PID 3436 wrote to memory of 1724	3436	WScript.exe	87
PID 3436 wrote to memory of 1724	3436	WScript.exe	87
PID 3436 wrote to memory of 1724	3436	WScript.exe	87
PID 1724 wrote to memory of 3000	1724	svchcst.exe	88
PID 1724 wrote to memory of 3000	1724	svchcst.exe	88
PID 1724 wrote to memory of 3000	1724	svchcst.exe	88
PID 1724 wrote to memory of 5108	1724	svchcst.exe	89
PID 1724 wrote to memory of 5108	1724	svchcst.exe	89
PID 1724 wrote to memory of 5108	1724	svchcst.exe	89
PID 5108 wrote to memory of 4924	5108	WScript.exe	93
PID 5108 wrote to memory of 4924	5108	WScript.exe	93
PID 5108 wrote to memory of 4924	5108	WScript.exe	93
PID 3000 wrote to memory of 1348	3000	WScript.exe	94
PID 3000 wrote to memory of 1348	3000	WScript.exe	94
PID 3000 wrote to memory of 1348	3000	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe
"C:\Users\Admin\AppData\Local\Temp\3ab6279d6730ce25ad71cc0b9d06c74d6221eaf91895fa58da2442bbc7c2bea6N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1348
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
754B

MD5
74091125b94eb1f4994bdadc87773267

SHA1
4529b88cb8ee1ae261db99b63a739c78a0f34af6

SHA256
c268c31f77fe04f0343292cd906127ea0eb049a7cd686554424111e158672b38

SHA512
17adf4a8a4037cbc09392a1209987425404bb2ec96b7683c180d43c56b67f438f3e8d3076eae8b1c6caaba9f35868fe566eb92ba4cc552a3e31158dcfc82a1e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c5bf4b350a99b94adb8ae9565937244e

SHA1
f6dbd8ace2f49e0f4ba7fabbf893b8be0097ef67

SHA256
97629b0c22e877126d465da288f3b4c587d155d1a9e43d75a834b1f640a740e4

SHA512
e73c6195d625af2149696b7eb42c3522ba71b297d393849b8448b80b89eac159db5fa1b6ee057c1cc1a7c06bf481e5321ff9c90190cb764f336c8f08c3f9cb58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1981241cdff1ea28715f62da2a9aeedb

SHA1
a008f1978b1743c772554106f8dc148501e36373

SHA256
3d3f87266cd5ccd7a479608725f186451416aa8f9d3d0887e9a9f8b4ca8cf18b

SHA512
439f54414ff37972a9e4a4b55afade0e2770f0f98826f9780b33590aae1e905ec196119aea4acf64e21752ea498238d9f8245ffa5f75584e29915ae4b68cef0f

Download Submit
memory/1348-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1724-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4476-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4476-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4924-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download