20227224e2f655123f1fac78b075fd9b411b60bd1092aecf998dd05c4fb8b868

General

Target

Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr
Size

715KB
MD5

87ef7a916c6fa5f38318eea94ca00425
SHA1

6543412b7492cd9b5cad328d2f8fbd346e18e52f
SHA256

81d75d4d1dbd3efb6ef4b293968359b8fa4d2e994efa15e16fd368dc73f6d5f7
SHA512

89e721bd2c0345001e2a3ba8cb4aeeec230bcd1fb239ce449f54fc619dfbd12c828cd46ccc141ffeb59a75a4ae187f5d2c87b83d0e513fdfde71e2a5394bc094
SSDEEP

12288:RR4ZJht5WuZL5U60qzXp6syn8QgDEF7Gn2nO24twwb8Rb+lPXCswf4hNuV0Z:PWlv+nngoF7m2nOH2wb8qCsSyNueZ

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1504	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr

Loads dropped DLL 4 IoCs

pid	Process
2264	Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr
2264	Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr
2264	Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr
2264	Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Blankaalen35.sub	Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4232	1504	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1504	2264	Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr	84
PID 2264 wrote to memory of 1504	2264	Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr	84
PID 2264 wrote to memory of 1504	2264	Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr	84

C:\Users\Admin\AppData\Local\Temp\Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr
"C:\Users\Admin\AppData\Local\Temp\Docs_27109265_20242908_SHT0178727_MALAYSIA-8135621.scr" /S
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden ; $Fldebollens=Get-Content 'C:\Users\Admin\AppData\Roaming\overrisledes\Antivenins\rie\Tildmte.Amm';$Steddatterens=$Fldebollens.SubString(6849,3);.$Steddatterens($Fldebollens)
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 2604
    3⤵
    - Program crash
    PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1504 -ip 1504
1⤵
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yb2se43n.ow3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5FA5.tmp\Banner.dll

Filesize
4KB

MD5
e4de3a9ebc9544acac3086b523bc0eb5

SHA1
77d233b728fa85261cec658902bcda37841475fe

SHA256
da12306600cd7a9e05ed905639f642b21c2cf8b5b9c6983e4146731e20bea7fe

SHA512
b1c0ac9e97e990d77479ff2fc3f9f37f4a4a575c6b90a602f075a3b98886b6575bf4aaf63e7c9bb03b8d1dfa4b9b90f75ed1c818700e0e6c873b7aa93c35c7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5FA5.tmp\BgImage.dll

Filesize
7KB

MD5
fc8c3be4dae47b4455c51dd211bd4c8c

SHA1
8d4c35b48d38514c39a1d70a2e8b686268dbdbf1

SHA256
3aebbbfc55112d4ed18a2335a801a0ad95ad8431ebb65b51ed4184ec671e4f16

SHA512
11336e2a92044be6c0b87dacf93aca7077fb412996417dc9f263802e1bb47eb457430f1c2d5763cdbf918a043dce5dbd0b75675a14518ce07235ca6f8619ddee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5FA5.tmp\nsDialogs.dll

Filesize
9KB

MD5
300f88dca54ad92f644fda1a45fcfd80

SHA1
0434032f7710071a427969d44e46ea764101bd09

SHA256
9ba14f57d823cce242936e29a36034945f1739f00468712acb641e2e2eb914d9

SHA512
99846533c77a6047a7626f5dc81064eae2193072858df968e7ff0d9b2462cbd16d6c7791f5f43cb9f539614dfe62127c08405b7f40b41830075d7a019c81a62d

Download Submit
C:\Users\Admin\AppData\Roaming\overrisledes\Antivenins\rie\Tildmte.Amm

Filesize
55KB

MD5
d9a4f97656732d5f6579fc4d7eb91b92

SHA1
3ca1d3f0f53b66ef7320dc87dd2b524e9f5918cf

SHA256
3cf34aa72a02735612df0d9427c67e1b408b79c8677dc5c5f21bcc3a12723f9c

SHA512
f92e07902e2e6ad290d57444b7f05322a58b85a45f461fcf1a3e938b05327c399e051181a857f517f3e2774e53de02e99b9a2e3ea470530c4292c3a8a7fe29e9

Download Submit
memory/1504-38-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/1504-50-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/1504-35-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/1504-36-0x0000000005750000-0x0000000005772000-memory.dmp

Filesize
136KB

Download
memory/1504-37-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/1504-34-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/1504-32-0x0000000003110000-0x0000000003146000-memory.dmp

Filesize
216KB

Download
memory/1504-48-0x0000000006350000-0x00000000066A4000-memory.dmp

Filesize
3.3MB

Download
memory/1504-49-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/1504-33-0x00000000057B0000-0x0000000005DD8000-memory.dmp

Filesize
6.2MB

Download
memory/1504-51-0x00000000076F0000-0x0000000007786000-memory.dmp

Filesize
600KB

Download
memory/1504-52-0x0000000006C50000-0x0000000006C6A000-memory.dmp

Filesize
104KB

Download
memory/1504-53-0x0000000006C70000-0x0000000006C92000-memory.dmp

Filesize
136KB

Download
memory/1504-54-0x0000000007D40000-0x00000000082E4000-memory.dmp

Filesize
5.6MB

Download
memory/1504-31-0x000000007509E000-0x000000007509F000-memory.dmp

Filesize
4KB

Download
memory/1504-56-0x0000000008970000-0x0000000008FEA000-memory.dmp

Filesize
6.5MB

Download
memory/1504-57-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing