ba30ea16cd8fbd9209d40ae193206ad00f042d100524cf310982c33369325ca2

max time kernel
120s
max time network
122s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26-11-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

psr.exe
Size

13.4MB
MD5

33c9518c086d0cca4a636bc86728485e
SHA1

2420ad25e243ab8905b49f60fe7fb96590661f50
SHA256

ba30ea16cd8fbd9209d40ae193206ad00f042d100524cf310982c33369325ca2
SHA512

6c2c470607b88e7cd79411b7a645b395cee3306a23e6ba50b8ac57f7d5529a1b350c34e19da69aeb1ffade44d5187b4a1ef209a53d21a83e9e35add10fc7867d
SSDEEP

49152:W/XzWTJmbjeHLKLpyNpaQ+69tPvGUmskDXs4Awd9CBqcUiInvlT2hPnXiwzYJ33S:W/EmGrKL2pllzP+UNkEARmzY1C

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	psr.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	psr.exe
File opened (read-only)	\??\L:	psr.exe
File opened (read-only)	\??\M:	psr.exe
File opened (read-only)	\??\Q:	psr.exe
File opened (read-only)	\??\V:	psr.exe
File opened (read-only)	\??\W:	psr.exe
File opened (read-only)	\??\A:	psr.exe
File opened (read-only)	\??\B:	psr.exe
File opened (read-only)	\??\E:	psr.exe
File opened (read-only)	\??\G:	psr.exe
File opened (read-only)	\??\P:	psr.exe
File opened (read-only)	\??\R:	psr.exe
File opened (read-only)	\??\Z:	psr.exe
File opened (read-only)	\??\J:	psr.exe
File opened (read-only)	\??\N:	psr.exe
File opened (read-only)	\??\O:	psr.exe
File opened (read-only)	\??\S:	psr.exe
File opened (read-only)	\??\Y:	psr.exe
File opened (read-only)	\??\H:	psr.exe
File opened (read-only)	\??\I:	psr.exe
File opened (read-only)	\??\T:	psr.exe
File opened (read-only)	\??\U:	psr.exe
File opened (read-only)	\??\X:	psr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	852	psr.exe
Token: SeCreatePagefilePrivilege	852	psr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 3180	852	psr.exe	88
PID 852 wrote to memory of 3180	852	psr.exe	88
PID 852 wrote to memory of 3180	852	psr.exe	88

C:\Users\Admin\AppData\Local\Temp\psr.exe
"C:\Users\Admin\AppData\Local\Temp\psr.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\psr.exe
  "C:\Users\Admin\AppData\Local\Temp\psr.exe" -cv Coy9MniknkK5Ys72.0 -enableservices
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
531f0916779b7b1881daeae9fd7c3019

SHA1
195a31d65038f74f36647e4b750d10f8d96e544f

SHA256
ea6732eb153209c5a2c1f775c945557116e8b04401b7d1cbfe37ec903b3e5bfd

SHA512
93b3ef8005de5b74e3a1e0b56c050cb2db0fd515cc0ee8354c076b6b6bbeccd5287b1ee6504cc5f28927c78600f9caa0111f1211515fd03e494a8f903df69f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogoAnimation.gif

Filesize
327KB

MD5
93bd7bf04d77912d98aaed6decad1b8e

SHA1
885cd97fe084cc15c339aa9131dbaa98bdec38fe

SHA256
a90c6244e2202b30a83db9eff60c06ba73c27307c357358f76679477782453c5

SHA512
6d5c070459af13f9564514f975b0ed623518a9277d4bf359be8035dd3e15e81356017baa944042af9b8c61c78b659192aff624a262f41cffe2c282b67afe2eb4

Download Submit
memory/852-32-0x00000000172D0000-0x00000000172F2000-memory.dmp

Filesize
136KB

Download
memory/852-2-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/852-5-0x0000000006380000-0x000000000638A000-memory.dmp

Filesize
40KB

Download
memory/852-6-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/852-16-0x000000000C600000-0x000000000C638000-memory.dmp

Filesize
224KB

Download
memory/852-17-0x000000000C390000-0x000000000C39E000-memory.dmp

Filesize
56KB

Download
memory/852-3-0x00000000063A0000-0x00000000063C6000-memory.dmp

Filesize
152KB

Download
memory/852-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/852-33-0x0000000016F70000-0x0000000016F78000-memory.dmp

Filesize
32KB

Download
memory/852-4-0x0000000006370000-0x0000000006378000-memory.dmp

Filesize
32KB

Download
memory/852-1-0x0000000000970000-0x00000000016DA000-memory.dmp

Filesize
13.4MB

Download
memory/852-48-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/852-49-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/852-50-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/852-56-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/852-55-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/3180-54-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/3180-52-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download
memory/3180-51-0x00000000745D0000-0x0000000074D81000-memory.dmp

Filesize
7.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads