2c7ba11d9dc2604b57a956ef360469725782e72dd65fcdd65f7a0c910f21fb18

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

psp_trial.exe
Size

22.9MB
MD5

5c9f87dd91ec54fdfcb6c8673296f236
SHA1

d1680baa5562500affb6194023f15dfb685079d6
SHA256

72a9e39b7422191eb172af3b653fe91fc3dd13abfd3397c28a403f14f39a3e4b
SHA512

e72619e399751bdd9b77acbc508b62e0b758ed47346fbc60a2f22d0572408015505cd19282a05d38a96e043e08f441a2b3a4435d434396307f23adfe2fb43492
SSDEEP

393216:kmXheZIwERRYnl5MkSHd70pNkQiO+uddaqdYdiq+cY/ESey0cobTLeI6OBhKiTLx:kmXhed4a7JSHdwxrYdir3+vcoH6pmLLt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2356	is-FRAFD.tmp

Loads dropped DLL 4 IoCs

pid	Process
2564	psp_trial.exe
2356	is-FRAFD.tmp
2356	is-FRAFD.tmp
2356	is-FRAFD.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psp_trial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-FRAFD.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2356	is-FRAFD.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2356	2564	psp_trial.exe	30
PID 2564 wrote to memory of 2356	2564	psp_trial.exe	30
PID 2564 wrote to memory of 2356	2564	psp_trial.exe	30
PID 2564 wrote to memory of 2356	2564	psp_trial.exe	30
PID 2564 wrote to memory of 2356	2564	psp_trial.exe	30
PID 2564 wrote to memory of 2356	2564	psp_trial.exe	30
PID 2564 wrote to memory of 2356	2564	psp_trial.exe	30

C:\Users\Admin\AppData\Local\Temp\psp_trial.exe
"C:\Users\Admin\AppData\Local\Temp\psp_trial.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\is-MG8NM.tmp\is-FRAFD.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MG8NM.tmp\is-FRAFD.tmp" /SL4 $4014E "C:\Users\Admin\AppData\Local\Temp\psp_trial.exe" 23659412 67584
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-87QC5.tmp\Tmd5.dll

Filesize
81KB

MD5
7dd0011888b8501fb6eb6ffbaa33db64

SHA1
74c308cee8a175d298c5771482d3f1df6fc9bd80

SHA256
2272ba7dc5b77922b3455e68f9eba7044111438a6a719cec114d1538b74156e4

SHA512
6b050f97b6de8c26c8b66a5c74185a52b8706a9974e5282c08918a234168ec1bdc1537af1616669101e9d80fdb505d9d2d31c9a228f3db711ab74fc8e9f804a8

Download Submit
\Users\Admin\AppData\Local\Temp\is-87QC5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-MG8NM.tmp\is-FRAFD.tmp

Filesize
662KB

MD5
71f8a131b5120f472eee037c2593349a

SHA1
6c8e5b08a821a3865f17d794057a6eaad19037e9

SHA256
dda1f64f7bd6f537a7542d48fc6aac8cf5d70ba125c4a8e9dea8ff5caa75ec77

SHA512
66a1e74385922a22e2d2c9946f772ff5daa9c0ec0a41e837826cced1b2da7f6517dc12906f0953ae83e4fb59e64a89270632495c63e78d8a56ce8d5963bd5680

Download Submit
memory/2356-18-0x0000000000340000-0x000000000035D000-memory.dmp

Filesize
116KB

Download
memory/2356-24-0x0000000000340000-0x000000000035D000-memory.dmp

Filesize
116KB

Download
memory/2356-23-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2564-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2564-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2564-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download