Overview

overview

10

Static

static

3

PO #17017.exe

windows7-x64

10

PO #17017.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 20:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO #17017.exe

  • Size

    1014KB

  • MD5

    64c525c7e08ca3300f95818498816e24

  • SHA1

    b13d56f2e37126bc2b7be44e8415a21d7256f2f5

  • SHA256

    e656ea7a50228a15fef30362bb30990e2a57415607307f7fedd7d1adb26b196c

  • SHA512

    94dcc738aa2102bfa8e260a6e2ea160b88877cc534de578529825df032a6a37a74476120ed682ec68147bf78bb1ef49239b46f9ee63b4d9a5c9e75d7a57ec5d5

  • SSDEEP

    24576:8NA3R5drXzJfO1M1N7Vjhhlcswuc1jZFQYcHO6lP2v5:95121M/xjVTw31jZ63wB

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO #17017.exe
    "C:\Users\Admin\AppData\Local\Temp\PO #17017.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\a6370v5734\nogqxvroa.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\a6370v5734\ntrp.exe
        "C:\a6370v5734\ntrp.exe" itilx.vgu
        3⤵
        • Executes dropped EXE
        PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\a6370v5734\nogqxvroa.vbs
    Filesize

    52KB

    MD5

    979edc3c1cf8d25ab519e55c5247cbf4

    SHA1

    e8aa5eedfe506937ecd85a40b79e0fea1ad96a9e

    SHA256

    5ae91ec900c00a789f8fda7a6e00825eaba7bb6e99584f4dd9d0898d160b4b12

    SHA512

    91dddc1bc0dc6edc44a98396e9550429b9bb6abc284dc658f26ef2c3e94c378f31f06428b22c66513c3c130c70c908d9f1847aadc26061493d4e2ecd3561ffbc

    Download Submit
  • C:\a6370v5734\ntrp.exe
    Filesize

    646KB

    MD5

    a3e8113ff31e86152d4a384dab4ea102

    SHA1

    28cabe6b57d14f6dd47a880c51bc9726d017989f

    SHA256

    d06ea150b0a83b9cf2ef63fdafc9e79a23bfa004c9f42d526499329e0ab1c977

    SHA512

    f34d79e3984e819c2e86e9b75c27985f7f4d8696bd3bf18447b697e127db3f76c707369336925ae941f95053d4e83d1684356d479be2295114d654bb24efb290

    Download Submit