Analysis
max time kernel: 109s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 11:01
Behavioral task behavioral1
Sample: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Resource: win7-20241023-en
Behavioral task behavioral2
Sample: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Resource: win10v2004-20241007-en
General
Target: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Size: 558KB
MD5: 7b401ce98de7fc8a35db7082daf129e0
SHA1: 3d76246c44151ab0b44c05e45efdcd9b73678966
SHA256: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2a
SHA512: bac3099833dcd8d2a044036136aefcf2cab3700736bd176f59356fc5ff1c214ff01b2156d4740885b09c5d676c5418ae75a789f672cbf47b9dbfb18682827bdc
SSDEEP: 12288:/1+vKnoA0cdoIl9jmDBJ4Uh2DEq/51r575VPFlY5n9Vo:9+vg0HU9EP4UheEq/B7XcA
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
resource | yara_rule
behavioral2/memory/4768-0-0x0000000000400000-0x0000000000551000-memory.dmp | upx
behavioral2/files/0x000b000000023b6f-11.dat | upx
behavioral2/memory/4768-17-0x0000000000400000-0x0000000000551000-memory.dmp | upx
behavioral2/memory/4768-20-0x0000000000400000-0x0000000000551000-memory.dmp | upx
behavioral2/memory/4768-23-0x0000000000400000-0x0000000000551000-memory.dmp | upx
behavioral2/memory/4768-27-0x0000000000400000-0x0000000000551000-memory.dmp | upx
behavioral2/memory/4768-30-0x0000000000400000-0x0000000000551000-memory.dmp | upx
behavioral2/memory/4768-33-0x0000000000400000-0x0000000000551000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
4768 | 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe (14 identical events)
Suspicious behavior: RenamesItself (1 IoC)
pid | Process
4768 | 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4768 | 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe (2 identical events)
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4768 wrote to memory of 2348 | 4768 | 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | 86 (3 events)
PID 4768 wrote to memory of 1708 | 4768 | 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | 87 (3 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe"
   PID: 4768
   - Checks computer location settings
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID: 2348
      - System Location Discovery: System Language Discovery
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID: 1708
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 92B
MD5: 84f8f4fb96538c8eb808e2488a64871b
SHA1: 533d741ba3f31b62b83a91baac5c75914e4a37af
SHA256: 0636c5bb460f3c6d7c58656ea9805560cd2bd78c08b6b26a3a7aa13b43c22a3e
SHA512: e1f2b1ce21ca5755e9c353722ecb8190d51c951c46bd0929fd0a775280043dd51de2c6d0d50546ee777f68c23ceebecbf52ea60a152fda437547cdee5fe860e0

Filesize: 754B
MD5: c27bd09014639717f357e760798f2a31
SHA1: 77ae1018eb892017944a30b372334ea7cb440c65
SHA256: 072267782bb86bc6c9a08b8e621ef78c660ccd3a721d1a34982904d7a7e7286b
SHA512: d22945e746467e08391011a9aa404186d701326239dd77688457a690c0db23c5de219876773db5220ad0c45dbd4380e72f977445d1ef27b675f09ed849d7e720

Filesize: 558KB
MD5: 42b600ea78e0be80600584cb81f68896
SHA1: ec14dc3927f84df3e9eeae0828df483c19000c9e
SHA256: 6aafb75bafbf8a9aa0ba9a67308ef5c817ec814fdf564cf87de304c6faba6fd2
SHA512: 7caed924ce74a800802c6aca73f3438637a49c7628300cf9304728f9275aa38c828cf0260276ffee02721948c442456a5ba429ecc7bfce5d6649e390bd6beefb