Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 20:29
Static task: static1
Behavioral task: behavioral1
- Sample: PO #17017.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: PO #17017.exe
- Resource: win10v2004-20240508-en
General
- Target: PO #17017.exe
- Size: 1014KB
- MD5: 64c525c7e08ca3300f95818498816e24
- SHA1: b13d56f2e37126bc2b7be44e8415a21d7256f2f5
- SHA256: e656ea7a50228a15fef30362bb30990e2a57415607307f7fedd7d1adb26b196c
- SHA512: 94dcc738aa2102bfa8e260a6e2ea160b88877cc534de578529825df032a6a37a74476120ed682ec68147bf78bb1ef49239b46f9ee63b4d9a5c9e75d7a57ec5d5
- SSDEEP: 24576:8NA3R5drXzJfO1M1N7Vjhhlcswuc1jZFQYcHO6lP2v5:95121M/xjVTw31jZ63wB
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: PO #17017.exe, WScript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | PO #17017.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | WScript.exe
- Executes dropped EXE (1 IoC)
  Processes: ntrp.exe
  pid | process
  4728 | ntrp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: PO #17017.exe, WScript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | PO #17017.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: PO #17017.exe, WScript.exe
  description | pid | process | target process
  PID 1612 wrote to memory of 1688 | 1612 | PO #17017.exe | WScript.exe
  PID 1612 wrote to memory of 1688 | 1612 | PO #17017.exe | WScript.exe
  PID 1612 wrote to memory of 1688 | 1612 | PO #17017.exe | WScript.exe
  PID 1688 wrote to memory of 4728 | 1688 | WScript.exe | ntrp.exe
  PID 1688 wrote to memory of 4728 | 1688 | WScript.exe | ntrp.exe
  PID 1688 wrote to memory of 4728 | 1688 | WScript.exe | ntrp.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\PO #17017.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PO #17017.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\a6370v5734\nogqxvroa.vbs"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\a6370v5734\ntrp.exe
         Command line: "C:\a6370v5734\ntrp.exe" itilx.vgu
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\a6370v5734\nogqxvroa.vbs
  Filesize: 52KB
  MD5: 979edc3c1cf8d25ab519e55c5247cbf4
  SHA1: e8aa5eedfe506937ecd85a40b79e0fea1ad96a9e
  SHA256: 5ae91ec900c00a789f8fda7a6e00825eaba7bb6e99584f4dd9d0898d160b4b12
  SHA512: 91dddc1bc0dc6edc44a98396e9550429b9bb6abc284dc658f26ef2c3e94c378f31f06428b22c66513c3c130c70c908d9f1847aadc26061493d4e2ecd3561ffbc
- C:\a6370v5734\ntrp.exe
  Filesize: 646KB
  MD5: a3e8113ff31e86152d4a384dab4ea102
  SHA1: 28cabe6b57d14f6dd47a880c51bc9726d017989f
  SHA256: d06ea150b0a83b9cf2ef63fdafc9e79a23bfa004c9f42d526499329e0ab1c977
  SHA512: f34d79e3984e819c2e86e9b75c27985f7f4d8696bd3bf18447b697e127db3f76c707369336925ae941f95053d4e83d1684356d479be2295114d654bb24efb290