31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
Size

1.1MB
MD5

db17d8c37133f9f44f0302ae479f8743
SHA1

d1e69e64a6dad7a016b5854179749976786d3518
SHA256

31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405
SHA512

b071a30ce563659c5fe047223bb7c86e37d6d396089d02c0a78e5fdf318143059a02b0b820e48cd3d1b9338a4bbbb62123c9f2b785707a1ec54388c78c37d396
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QB:acallSllG4ZM7QzMi

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1624	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
2000	svchcst.exe
1624	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
2000	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
2000	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 3612	1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	82
PID 1972 wrote to memory of 3612	1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	82
PID 1972 wrote to memory of 1612	1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	83
PID 1972 wrote to memory of 3612	1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	82
PID 1972 wrote to memory of 1612	1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	83
PID 1972 wrote to memory of 1612	1972	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	83
PID 3612 wrote to memory of 2000	3612	WScript.exe	88
PID 3612 wrote to memory of 2000	3612	WScript.exe	88
PID 3612 wrote to memory of 2000	3612	WScript.exe	88
PID 1612 wrote to memory of 1624	1612	WScript.exe	89
PID 1612 wrote to memory of 1624	1612	WScript.exe	89
PID 1612 wrote to memory of 1624	1612	WScript.exe	89

C:\Users\Admin\AppData\Local\Temp\31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
"C:\Users\Admin\AppData\Local\Temp\31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
054a0d910af7aa37a5cd39b99a95edcc

SHA1
34f2360d2a0a6825012ca01d7c57ddaac7699e23

SHA256
8d1419af5ee9c2ab618ed186295e121c7e76867e882b2aacdf32b160878bc2ad

SHA512
e0dc7e9bbe5b670b19f518a78186bdf7d017cd5fe96a3c39a7a6173ca693a418e508c2160fd923df17b917c6a3d61d22d3083677b2fad7b737a700a6c3ea95e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
430a2ba230af576bbe9ac9719f1b0a5c

SHA1
e7331f2d6c4ced8957959c07453cc63c0092e47c

SHA256
557f073bbfe19d13a731e6bc067f6e20bdff41afc5388d229ab6cc30de81b2fe

SHA512
6cf4c1d9c5d16675390cb95202b422c646866a7f4a3feaaf588dadd7bcad9a53daa1457c63964b87875b9aa2b6fdd0f6c9f7ea2ef4ad0e088590d4270c15e0b4

Download Submit
memory/1624-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-17-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download