Resubmissions
02-12-2024 01:29  241202-bwgrxsslev  6
01-12-2024 01:16  241201-bm536a1rbv  7
01-12-2024 01:06  241201-bf6q4swlcn  6
30-11-2024 23:55  241130-3yyxrstqbq  6
30-11-2024 23:55  241130-3ypn4azjfv  6
30-11-2024 23:35  241130-3lf67atmal  6
30-11-2024 22:13  241130-15bppsxjhx  7
27-11-2024 20:24  241127-y6snhaynhv  7
26-11-2024 17:03  241126-vkvzyswqdk  7
Analysis
max time kernel: 254s
max time network: 212s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2024 23:35
Static task: static1
Behavioral task: behavioral1
Sample: psr.exe
Resource: win7-20241023-en
General
Target: psr.exe
Size: 13.4MB
MD5: 33c9518c086d0cca4a636bc86728485e
SHA1: 2420ad25e243ab8905b49f60fe7fb96590661f50
SHA256: ba30ea16cd8fbd9209d40ae193206ad00f042d100524cf310982c33369325ca2
SHA512: 6c2c470607b88e7cd79411b7a645b395cee3306a23e6ba50b8ac57f7d5529a1b350c34e19da69aeb1ffade44d5187b4a1ef209a53d21a83e9e35add10fc7867d
SSDEEP: 49152:W/XzWTJmbjeHLKLpyNpaQ+69tPvGUmskDXs4Awd9CBqcUiInvlT2hPnXiwzYJ33S:W/EmGrKL2pllzP+UNkEARmzY1C
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  psr.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  psr.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  psr.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  Process
  2996  taskmgr.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid  Process
  2996  taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description  pid  Process
  Token: SeDebugPrivilege  2844  psr.exe
  Token: SeDebugPrivilege  2996  taskmgr.exe
  Token: SeDebugPrivilege  920  psr.exe
  Token: SeDebugPrivilege  2296  psr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid  Process
  2996  taskmgr.exe
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid  Process
  2996  taskmgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\psr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\psr.exe"
  PID: 2844
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe"
  PID: 2996
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2020
- C:\Users\Admin\AppData\Local\Temp\psr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\psr.exe"
  PID: 920
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\psr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\psr.exe"
  PID: 2296
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads