463f81e7d9bcfa0ddd8ebca9813768f7b1139ea6d717aa60431fc14d5cb84816

Analysis

max time kernel
1756s
max time network
1169s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2023, 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PSP2023Installer.exe
Size

4.3MB
MD5

1509b44649c594c1c1613a26cd817947
SHA1

07ddda9b990d6b88df29ce3a3452de59d9d2ed81
SHA256

463f81e7d9bcfa0ddd8ebca9813768f7b1139ea6d717aa60431fc14d5cb84816
SHA512

f03ac417175ceed040530d9902b883f829b5e66d66da5936ba438aaaa7289a766fc3ca90cdea83fe7856adff4905403c04f633b9ac5f6669b7340a2e353139b2
SSDEEP

98304:S1W9oX0GPVlVlVlVZ0+EvY/0+EvYmn+FLsiiLFLsii5GjG9ymytuq0hp:S1W9K0GPVlVlVlVZa2apn+JsiiLJsii5

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6F3EF61F-E832-42FD-B491-92A90B513296}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
552	PSP2023Installer.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1800	552	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4284	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 552	3904	PSP2023Installer.exe	81
PID 3904 wrote to memory of 552	3904	PSP2023Installer.exe	81
PID 3904 wrote to memory of 552	3904	PSP2023Installer.exe	81

C:\Users\Admin\AppData\Local\Temp\PSP2023Installer.exe
"C:\Users\Admin\AppData\Local\Temp\PSP2023Installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\e576273\PSP2023Installer.exe
  run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\PSP2023Installer.exe"
  2⤵
  - Executes dropped EXE
  PID:552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 2012
    3⤵
    - Program crash
    PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 552 -ip 552
1⤵
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:1408

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e576273\PSP2023Installer.exe

Filesize
4.3MB

MD5
1509b44649c594c1c1613a26cd817947

SHA1
07ddda9b990d6b88df29ce3a3452de59d9d2ed81

SHA256
463f81e7d9bcfa0ddd8ebca9813768f7b1139ea6d717aa60431fc14d5cb84816

SHA512
f03ac417175ceed040530d9902b883f829b5e66d66da5936ba438aaaa7289a766fc3ca90cdea83fe7856adff4905403c04f633b9ac5f6669b7340a2e353139b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e576273\PSP2023Installer.exe

Filesize
4.3MB

MD5
1509b44649c594c1c1613a26cd817947

SHA1
07ddda9b990d6b88df29ce3a3452de59d9d2ed81

SHA256
463f81e7d9bcfa0ddd8ebca9813768f7b1139ea6d717aa60431fc14d5cb84816

SHA512
f03ac417175ceed040530d9902b883f829b5e66d66da5936ba438aaaa7289a766fc3ca90cdea83fe7856adff4905403c04f633b9ac5f6669b7340a2e353139b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57660d\Load.html

Filesize
2KB

MD5
70f699adec6afcf05b15ed7709dd6545

SHA1
1b02d1df597a92c3acdec2bdf202a5a8de82d423

SHA256
207404e89c7ecbf3ecdcda87ec2f4725b6eb5e608b5d53cda9b51d140a0fe33e

SHA512
ca11cdc9c56f94a585c0550e70d7b8a2dfa0a2d83dd41200ffb006a6b1e466cde0c6f4e7a6db51820f1b7ad153e1682eb055b66c144869d6b48c62d78a0d0938

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57660d\common\js\common.js

Filesize
49KB

MD5
204609233c2e19764c2cedab78891cdf

SHA1
2e05c5882292e5410102c9bc8259749a2b0a6f52

SHA256
f190e4a1352c6dc72c9ee4db1f810cf047dd626d01e17ad17b20a4d5d01e62d0

SHA512
e432c25629cb4147eaf57d582c731c54c104d8b71b07496df1c396d59b9019958ad6bdc525204cb609f77b36aad2f3f4fdbacd29f4775457af30adcd01c98fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57660d\common\js\external.js

Filesize
36B

MD5
140918feded87fe0a5563a4080071258

SHA1
9a45488c130eba3a9279393d27d4a81080d9b96a

SHA256
25df7ab9509d4e8760f1fdc99684e0e72aac6e885cbdd3396febc405ea77e7f6

SHA512
56f5771db6f0f750ae60a1bb04e187a75fbee1210e1381831dcc2d9d0d4669ef4e58858945c1d5935e1f2d2f2e02fe4d2f08dd2ab27a14be10280b2dd4d8a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57660d\common\js\jquery-1.11.2.min.js

Filesize
93KB

MD5
9aecea3830b65ecad103ee84bd5fe294

SHA1
47ecdf62eb3cf45ba4867846cb61afa70369d23a

SHA256
a271a3f9e3cae897ced669d6652699e947928ef095e56384c4f9dd04bbb942ec

SHA512
754c25b5fc6a3e5d2027326c6814f229f9131396ea026a407dd16d092da6116bb0ee8971417463ba68268098dedc182b6fa10060ddda6ce063a5eca94be3c152

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57660d\config\config.js

Filesize
6KB

MD5
5380a123b9696d2f3eb960ab438f4c29

SHA1
c5fb9389a74168ef5ce8521d9c410ba4ddca712c

SHA256
e56570f0861ef37822580795a6ae43cd092847dba70c14ede6c817d2a436f713

SHA512
4716d0523e9dd6f24dd2fe81efa1c10a8a1d4ee19825df5f55f49e73317b2e1b54d399c8e58dbd9eaceaf01d8d0c1a0ffc648b7fc109d0607564a81f03721588

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57660d\config\installparams.js

Filesize
673B

MD5
f6d8ecd77ce36e37c297a7b01bd46905

SHA1
691b5e3e5e86ead3b272e33d4b397cfd72b9c81b

SHA256
abec78cbe4f36436e45f7d7f6a5d9bb8b2eafa3f909ef2d2e15658bf0ae037f3

SHA512
860bccba6aa002c1c4849a44397f430f1762ae1088424e3d2a672a00808ae6f6c5fa0591e87a8edffd8f77466b73c955ac1bd33cbadc26ad1a09f11825bbee21

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57660d\config\lang.js

Filesize
81KB

MD5
897f0e07f1b8fe0948d2fce7bff7fad4

SHA1
598de052eac3aac8e3d36303ccbb9ce171e047ed

SHA256
9709ac47f8acb49d3c73e63f8f2e740cacf269415c4343342fa11c3df1eb42a1

SHA512
24aca5fb541c8a42fc90be055af904a9f1996b234789e3ca39d24c27290ce8e641b95317ae4c255d83e671ddd1a7d54c260b3b4c47215655a3ea5abca9b57a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57660d\pages\Initialization\page.html

Filesize
2KB

MD5
986f678173e2a4d50af9aaff98c77ad0

SHA1
cedfef359e9af978c36d4174fb4ded5ccdfaba5e

SHA256
f20c35db5098d4d2d2477b209e588a0c02519445ed23f55354309ce818c801e1

SHA512
48b526432503f189584a7ff25bfa6210417c0155dd83729b8e9c376e4baf0d127489d2cfea0747cc56cb3a6b7dc775642d0cf26a85b97ff71d9c7dfd8279b8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuA3B2.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
9a2741d468ba2ad8717d2e921779a9de

SHA1
a691c4cdaa992630a002182a3a1323af5c768d13

SHA256
2916d9387be1032487f242ac1d026896f127eb9c0c40b51fbea59cdede9d7bee

SHA512
8e9ec72b4e1de96ab3230284344d22043039954d065bf9dbaf72a57d35ad75f5b7994afb38629d41b99e01ab26b8ea1feb50610fc8513c0ef4b73c9bbfd5eb1b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f1ae3ed029d2d6e73924627233d346f5

SHA1
c52bc2c8ca3465971c0730bab650a11d978d68b9

SHA256
58419bd431fa06ab322c1483847973512890880b10649f09a5668d7e988c506d

SHA512
9c22569ccd40ec65e127c2616d05d0a5d98703015ae75bf516bdaed6de8a02197c948909963e1fa13e43f466278eeeddacf071791ccead652834a9b2982e2e4e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
c07fb2cf46f154c743df42ce6d7866f3

SHA1
c481004a10071b3142226941de904c91949bbe24

SHA256
2983dff872c05a47453dcf21b14e063a4c568363ebdbc68337fe8fd18bacd048

SHA512
f4f5482d911d8a4ed05dbc476989a55f43393cd6f680293150ca91ae30a4bf2630bfe3c09af7dd0201b6e27cdee141d30a83e8f6a14d38eab7aa7840fd033170

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
e88bc5eb297b051a3d590113f5af58ef

SHA1
4a83ca3f918426ae58c1034f4bf202659ffbed94

SHA256
de028567da328f89877810ba013e79ee9fb2cbe754b709530cdb7c5a2056317a

SHA512
68ca4166b5778e9deee8f86308a0378e4c44d2ca74208b3a00a8217ccf926fd4e5e28e619ebfe84bb896f662ea075bd80c88a70e8b30931d4b5153725eb19ffc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f0cb377a7372deb1c822ccc9889f7597

SHA1
3a36a871e753a6db98d645fc6e9fd6d677a707e4

SHA256
798d59f473246a67d7f3817dfc259bbbf6c3f62a9ee2a254c23f51e958e88988

SHA512
b95242a94fea90ee552fa4b1775395aa0747e1c862bb737060134a73b5f39538abd0a2e0756e0bbda17e3c14f683bb9a59ed9c62a8892cb1a4250c13283ea6af

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
cd880f244b790da5ff4985fef3496147

SHA1
ab65a833da06dbef8bd6d1be03ddc128bc32d2ec

SHA256
db97d98f4f17ef141d67d793cfd28b544c16cc8c7274dfa41dc96a3c0029b3eb

SHA512
1cc96666d77a7768fdd5e06a898f6678938142d4b994b1b83c73a631e344aa578b0891f1acf0e610caf8dcff20607d4c6e7dc683d5980c0c7d61992c96677fb5

Download Submit
memory/4284-501-0x000001EF38740000-0x000001EF38750000-memory.dmp

Filesize
64KB

Download
memory/4284-517-0x000001EF38840000-0x000001EF38850000-memory.dmp

Filesize
64KB

Download
memory/4284-536-0x000001EF40B50000-0x000001EF40B51000-memory.dmp

Filesize
4KB

Download
memory/4284-538-0x000001EF40B80000-0x000001EF40B81000-memory.dmp

Filesize
4KB

Download
memory/4284-539-0x000001EF40B80000-0x000001EF40B81000-memory.dmp

Filesize
4KB

Download
memory/4284-540-0x000001EF40C90000-0x000001EF40C91000-memory.dmp

Filesize
4KB

Download