0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1

Analysis

max time kernel
10s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 19:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe
Size

1.1MB
MD5

dd4d7abeac4fd419ef3ebb557e7e347c
SHA1

b96eab58c7432eef3fc47f9bf603affb07cf3531
SHA256

0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1
SHA512

91afa7cf7e320e6dc7bc9ee4ea77602a641cce282133e9f7417716aa073b075adb7fb0cfdbfafc589658344c309e73eb6f67d0c78e3c8051c6b2fe378b5f9da1
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q2:acallSllG4ZM7QzMN

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1136	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
924	svchcst.exe
1136	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2900	WScript.exe
2808	WScript.exe
2808	WScript.exe
2900	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe
3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe
3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe
924	svchcst.exe
1136	svchcst.exe
924	svchcst.exe
1136	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2808	3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe	30
PID 3020 wrote to memory of 2808	3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe	30
PID 3020 wrote to memory of 2808	3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe	30
PID 3020 wrote to memory of 2808	3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe	30
PID 3020 wrote to memory of 2900	3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe	31
PID 3020 wrote to memory of 2900	3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe	31
PID 3020 wrote to memory of 2900	3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe	31
PID 3020 wrote to memory of 2900	3020	0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe	31
PID 2808 wrote to memory of 924	2808	WScript.exe	34
PID 2808 wrote to memory of 924	2808	WScript.exe	34
PID 2808 wrote to memory of 924	2808	WScript.exe	34
PID 2808 wrote to memory of 924	2808	WScript.exe	34
PID 2900 wrote to memory of 1136	2900	WScript.exe	33
PID 2900 wrote to memory of 1136	2900	WScript.exe	33
PID 2900 wrote to memory of 1136	2900	WScript.exe	33
PID 2900 wrote to memory of 1136	2900	WScript.exe	33

C:\Users\Admin\AppData\Local\Temp\0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe
"C:\Users\Admin\AppData\Local\Temp\0ba41cf75f7e9e52c5cacbcb66b02eb30e0608599fd8a17ed4b90f2450c470d1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:924
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
755275a749b9a856c16fa1d36bf522c5

SHA1
87889f910bb3cb768685f42585701cf651f2dd07

SHA256
9c2bba0b0f36ead55f548ea1be6c837badadeafef1178f45ab07197d6ab20468

SHA512
e8b0b8e250ad64c0b18f227b6af08ceb52c26c6e51e3d0c41eb06b97c43c5d0bb50d329eb57d0b05b93d90b4b27dc7cd0be386020c93b6d457bb8507d615ca5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c3daf02bb945bc006e0f4dcb0bd61c61

SHA1
7bb4e71b614c1f90b56e7fd9e24aa1c8526b41c7

SHA256
3b17a9ddd03cc4b2a114c8ad0538ac481b2885345e08682e55494fc90399d722

SHA512
ccc5ff5f2366cb2bd730f1c1857577e4a11ebc4c7ed779c7f5e5fa26be374976629a06947af1639b670bc716c04cad48701b7ce8da3b4886bb7afd5966d1cf97

Download Submit
memory/924-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/924-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1136-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1136-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2808-18-0x00000000054F0000-0x000000000564F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-17-0x00000000051A0000-0x00000000052FF000-memory.dmp

Filesize
1.4MB

Download
memory/3020-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download