7dd272af0224452794da59ff2662db3cd1acafc9d0ed39c299aebd1e832dfc8f

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7f516b14fc134392b625790c2ec7547.exe
Size

31KB
MD5

f7f516b14fc134392b625790c2ec7547
SHA1

deca895d934f4621817c817f8f6b8d1d581bc994
SHA256

7dd272af0224452794da59ff2662db3cd1acafc9d0ed39c299aebd1e832dfc8f
SHA512

e650b34fa87264015e7d525dad6120f27cffd04fb0b36d701a5b505b7df910cf3e3e27da52224eeb313d783c9f9491833690373a43b0cc561aec06f2a5c4571b
SSDEEP

768:O0ZROEMiH6PjpFwDLmkN585Nceu/CeuVIa5JWAEIdL:n6jiHwwDykNqNIaGAEy

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2388	sysdxvid.exe

Executes dropped EXE 2 IoCs

pid	Process
2388	sysdxvid.exe
2868	sysdxvid.exe

Loads dropped DLL 6 IoCs

pid	Process
2088	f7f516b14fc134392b625790c2ec7547.exe
2088	f7f516b14fc134392b625790c2ec7547.exe
2388	sysdxvid.exe
2388	sysdxvid.exe
2388	sysdxvid.exe
2388	sysdxvid.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysdxvid = "c:\\windows\\system32\\sysdxvid.exe /nocomm"	f7f516b14fc134392b625790c2ec7547.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysdxvid = "c:\\windows\\system32\\sysdxvid.exe /nocomm"	sysdxvid.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\sysdxvid.exe	f7f516b14fc134392b625790c2ec7547.exe
File created	\??\c:\windows\SysWOW64\sysdxvid.exe	f7f516b14fc134392b625790c2ec7547.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2388	2088	f7f516b14fc134392b625790c2ec7547.exe	28
PID 2088 wrote to memory of 2388	2088	f7f516b14fc134392b625790c2ec7547.exe	28
PID 2088 wrote to memory of 2388	2088	f7f516b14fc134392b625790c2ec7547.exe	28
PID 2088 wrote to memory of 2388	2088	f7f516b14fc134392b625790c2ec7547.exe	28
PID 2388 wrote to memory of 2868	2388	sysdxvid.exe	29
PID 2388 wrote to memory of 2868	2388	sysdxvid.exe	29
PID 2388 wrote to memory of 2868	2388	sysdxvid.exe	29
PID 2388 wrote to memory of 2868	2388	sysdxvid.exe	29

C:\Users\Admin\AppData\Local\Temp\f7f516b14fc134392b625790c2ec7547.exe
"C:\Users\Admin\AppData\Local\Temp\f7f516b14fc134392b625790c2ec7547.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2088
- C:\windows\SysWOW64\sysdxvid.exe
  "C:\windows\system32\sysdxvid.exe" -kill c:\users\admin\appdata\local\temp\f7f516b14fc134392b625790c2ec7547.exe /install
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\windows\SysWOW64\sysdxvid.exe
    "C:\windows\system32\sysdxvid.exe" -kill c:\windows\syswow64\sysdxvid.exe /install /install
    3⤵
    - Executes dropped EXE
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sysdxvid.exe

Filesize
31KB

MD5
f7f516b14fc134392b625790c2ec7547

SHA1
deca895d934f4621817c817f8f6b8d1d581bc994

SHA256
7dd272af0224452794da59ff2662db3cd1acafc9d0ed39c299aebd1e832dfc8f

SHA512
e650b34fa87264015e7d525dad6120f27cffd04fb0b36d701a5b505b7df910cf3e3e27da52224eeb313d783c9f9491833690373a43b0cc561aec06f2a5c4571b

Download Submit
memory/2088-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2088-1-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2088-6-0x00000000025A0000-0x00000000025B5000-memory.dmp

Filesize
84KB

Download
memory/2088-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2088-13-0x00000000025A0000-0x00000000025B5000-memory.dmp

Filesize
84KB

Download
memory/2388-15-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2388-19-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download
memory/2388-25-0x0000000002420000-0x0000000002435000-memory.dmp

Filesize
84KB

Download
memory/2388-20-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download
memory/2868-26-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads