88f0b7bdee74f85c01deed17a4f1c09292aa27c2c04dd549c7bec758c6a43f19

Resubmissions

23-12-2024 05:56

241223-gngpvaxjeq 10

20-12-2024 21:25

241220-z92w1strdy 7

Analysis

max time kernel
63s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20241007-ja
resource tags

arch:x64arch:x86image:win10v2004-20241007-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
20-12-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO-S23K.gz
Size

836KB
MD5

1b4d02ca1abe23f1948225d0846cf882
SHA1

becd7b6a9a665c16ef18b01772e2419e9b9bf8b9
SHA256

f6142cf78b009b118166332df150bcdbc0428bdaf2542e250af299431dd27268
SHA512

b89965b74105f7ffa6c8a2092116dadb9c6f6bb696ca34c9d4ccc7f902f92005c8803d2d9a90d74ab904119b36e5bf01c9ea157693f879001abebd23a6d23cfb
SSDEEP

24576:bMzscMk7UyOoZChSyco5AXYLIOfj3G4zTJsMmgbZX0oOA3OXxmS:bs0kyoISyco5AXYLIO7jpig1aA+XL

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	x.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5092	2448	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2088	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2088	7zFM.exe
Token: 35	2088	7zFM.exe
Token: SeSecurityPrivilege	2088	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2088	7zFM.exe
2088	7zFM.exe
2088	7zFM.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 2448	3540	WScript.exe	92
PID 3540 wrote to memory of 2448	3540	WScript.exe	92
PID 3540 wrote to memory of 2448	3540	WScript.exe	92

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PO-S23K.gz"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2088

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\PO_S23K.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\x.exe
  "C:\Users\Admin\AppData\Local\Temp\x.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 464
    3⤵
    - Program crash
    PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2448 -ip 2448
1⤵
PID:4312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
1.2MB

MD5
385a5e0136bd0aa68cde4ba38756b086

SHA1
a73948144ee59a7805f81dd6a73291ca40625ac1

SHA256
93739039ca89805f9934e13d66bf446d302447801e96ee6b9e654cff0d39e20d

SHA512
92d38b855d990c8b6e839bdfa6215039e671cac184ec75bd2653a0865b160a2d35715179e3518aa2550825ae06340641ed09d3dd685910584698dc60215f7e90

Download Submit
C:\Users\Admin\Desktop\PO_S23K.vbs

Filesize
1.6MB

MD5
9e1689409fdcb7ba5265907bc0164a98

SHA1
87388a6758b0659c56b97da2370a97721ed383ef

SHA256
988f06de5e206681e74d9a8ba01f63069eaa7043b39784cfbddbe4845723b1b4

SHA512
18d389197556b6f543b7a0d5a559763164b61a3e6c56783931dbfc0b46a5c45994e106dea948f90db089d4078a411e76d82f463d65969b2e0a7cf975814988f5

Download Submit
memory/2448-18-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download