Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-10-2024 02:40

General

  • Target

    c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe

  • Size

    7.8MB

  • MD5

    a684e113d61b961ea1126ee633c4f492

  • SHA1

    9f7ae3a756dc41ad79d738fb7245a09259da115c

  • SHA256

    c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd

  • SHA512

    c495fef50a9080b6194411617d08e3da1f18166c1edb6e5943f6300feac614c16907b91d85b3d5e4280c4fbf30acdefe26a00cadb8fa9298cb5a11764b0e388d

  • SSDEEP

    98304:HsjeYOrRn+os45gaHrhdw3D7nTsReRR9e:HO41dw4ReRR9e

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
    "C:\Users\Admin\AppData\Local\Temp\c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\sysx32.exe
      C:\Windows\system32\sysx32.exe /scan
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      PID:2104
    • C:\Users\Admin\AppData\Local\Temp\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
      C:\Users\Admin\AppData\Local\Temp\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe

    Filesize

    7.8MB

    MD5

    895c7684ad7f63f3989bdb1273f2f4c5

    SHA1

    2bc9e4e31391ddf7b186ccf2915c0fd900bbd984

    SHA256

    f13d6647b0bf26c7cc3cbaad23f11c59bbf90c2469d5ea7041d3491973ae5680

    SHA512

    badbefdbae543919a7e98f0972f74c5b78edd3eea7c9fd00d44d7a39e02ffaf001cb7bae8baa82ea856578e111d5274d4d244a63947a403f4161d1029ea54575

  • \Windows\SysWOW64\sysx32.exe

    Filesize

    7.8MB

    MD5

    a684e113d61b961ea1126ee633c4f492

    SHA1

    9f7ae3a756dc41ad79d738fb7245a09259da115c

    SHA256

    c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd

    SHA512

    c495fef50a9080b6194411617d08e3da1f18166c1edb6e5943f6300feac614c16907b91d85b3d5e4280c4fbf30acdefe26a00cadb8fa9298cb5a11764b0e388d

  • memory/1704-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1704-11-0x00000000002B0000-0x00000000002C1000-memory.dmp

    Filesize

    68KB

  • memory/1704-10-0x00000000002B0000-0x00000000002C1000-memory.dmp

    Filesize

    68KB

  • memory/1704-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2104-21-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB