f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 14:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe
Size

1.1MB
MD5

a4cec27912aac67af14fb61ced6d6d8e
SHA1

9482a3c24e13717665a4ba499141f3ccba6ce5f0
SHA256

f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6
SHA512

05abeb07cc1dee64c3968b33f5a4d9ee06c80ae5bd4fe379204e772fa69d75077e87f5b4b73bc083e03322ab552b04b9bf7947ea0d6ec53cfecf109a90fa1454
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyR6:g5ApamAUAQ/lG4lBmFAvZ6

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe
4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe
4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe
4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe
4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 920	4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe	86
PID 4484 wrote to memory of 920	4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe	86
PID 4484 wrote to memory of 920	4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe	86
PID 4484 wrote to memory of 1668	4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe	87
PID 4484 wrote to memory of 1668	4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe	87
PID 4484 wrote to memory of 1668	4484	f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe	87

C:\Users\Admin\AppData\Local\Temp\f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe
"C:\Users\Admin\AppData\Local\Temp\f06dda13027b3ccb88014e2877458e5e827438ed3208b9932ff522309c8b96e6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:920
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
dfb6b6787481985cea95d8ec29ca643b

SHA1
e3a117acfe9b1c6b2a18b00bf92f176e29ff6583

SHA256
ffc798d07e9ed8a65a237a32ac9c534ecf7ae28116dccaf8647a08a34ffb95b5

SHA512
33466db239592a6fe927c93f1d9f804d31d4697abb272fd38fbe237833c1dcbedec7d4110e335f6fd4c3e660d5042858100692c31e83a1407c1e783274877dad

Download Submit
memory/4484-10-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download