Analysis
- max time kernel: 141s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-10-2024 02:40

Static task: static1

Behavioral task: behavioral1
- Sample: c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
- Resource: win10v2004-20241007-en

The results below are from behavioral1 (the windows7_x64 run).
General
- Target: c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
- Size: 7.8MB
- MD5: a684e113d61b961ea1126ee633c4f492
- SHA1: 9f7ae3a756dc41ad79d738fb7245a09259da115c
- SHA256: c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd
- SHA512: c495fef50a9080b6194411617d08e3da1f18166c1edb6e5943f6300feac614c16907b91d85b3d5e4280c4fbf30acdefe26a00cadb8fa9298cb5a11764b0e388d
- SSDEEP: 98304:HsjeYOrRn+os45gaHrhdw3D7nTsReRR9e:HO41dw4ReRR9e
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 2104  sysx32.exe
    PID 2544  _c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    PID 1704  c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe (three load records; the DLL names are not listed in this report)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"
  Note: the Wow6432Node key path here and the SysWOW64 file path below show the sample runs as 32-bit code under WOW64 on this x64 image. The Run value names C:\Windows\system32\sysx32.exe, but a 32-bit process writing to System32 is redirected to SysWOW64, which is where the file actually lands (and where the process tree below shows it executing). When hunting, check the Run value under both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, and look for sysx32.exe under both System32 and SysWOW64.
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: sysx32.exe
    File opened (read-only) \??\A:
    File opened (read-only) \??\B:
- Drops file in System32 directory (3 IoCs)
    File created C:\Windows\SysWOW64\sysx32.exe (by sysx32.exe)
    File created C:\Windows\SysWOW64\sysx32.exe (by c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe)
    File opened for modification C:\Windows\SysWOW64\sysx32.exe (by c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe)
- Drops file in Program Files directory (2 IoCs)
  Process: sysx32.exe
    File opened for modification C:\Program Files\7-Zip\7z.exe.tmp
    File created C:\Program Files\7-Zip\7z.exe.tmp
  Note: sysx32.exe runs with a /scan argument, probes drive roots and then writes a .tmp next to an existing third-party executable; check the dropped-files list for other *.exe.tmp paths before deciding what it was doing to those binaries.
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe)
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by _c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Process: c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe (PID 1704)
    wrote to memory of PID 2104 sysx32.exe (4 records)
    wrote to memory of PID 2544 _c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe (7 records)
  Note: all writes are from the parent into the two children it spawned. Parent-to-child memory writes are also recorded for many ordinary process launches, so on its own this is weak evidence; weigh it together with the drop-to-SysWOW64 and Run-key chain above.
Processes
- C:\Users\Admin\AppData\Local\Temp\c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe (PID 1704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\sysx32.exe (PID 2104)
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
  - C:\Users\Admin\AppData\Local\Temp\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe (PID 2544)
    Command line: C:\Users\Admin\AppData\Local\Temp\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
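The behaviour recorded above translates into a small set of host-hunting checks. What follows is an added example written for this page, not part of the sandbox report or of any tool it uses: it encodes the report's indicators (the two SHA-256 values, the sys32 Run value, the sysx32.exe drop path) and runs them over a few constructed Sysmon-style events to show what a match looks like, folding the System32/SysWOW64 redirection into the path matching so that either spelling is caught. The event shape (dict keys type, key, data, path, image, command_line, sha256) and the sample events are assumptions made for the example; map them onto whatever your telemetry actually emits.

```python
"""Hunting checks built from the sandbox report's indicators (added example, not report output)."""
import re

# Indicators taken from the report above.
KNOWN_SHA256 = {
    "c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd",  # submitted sample
    "f13d6647b0bf26c7cc3cbaad23f11c59bbf90c2469d5ea7041d3491973ae5680",  # dropped _<sha256>.exe
}
RUN_VALUE_NAME = "sys32"
DROPPED_NAME = "sysx32.exe"
# Matches ...\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<name> and its Wow6432Node twin.
RUN_KEY_RE = re.compile(r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)


def exe_from_run_value(data: str) -> str:
    """Pull the executable path out of a Run value ('"quoted path" args' or 'path args')."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def wow64_variants(path: str) -> set:
    """Return the lower-cased path together with its WOW64 redirection twin.

    The report shows the Run value pointing at C:\\Windows\\system32\\sysx32.exe while the
    file was created in C:\\Windows\\SysWOW64\\sysx32.exe: for 32-bit code on x64 Windows,
    writes to System32 are redirected to SysWOW64, so a hunt has to cover both spellings.
    """
    p = path.lower()
    out = {p}
    if "\\system32\\" in p:
        out.add(p.replace("\\system32\\", "\\syswow64\\"))
    if "\\syswow64\\" in p:
        out.add(p.replace("\\syswow64\\", "\\system32\\"))
    return out


def in_windows_system_dir(p: str) -> bool:
    return "\\windows\\system32\\" in p or "\\windows\\syswow64\\" in p


def check_event(ev: dict) -> list:
    """Return human-readable findings for one telemetry event (empty list if nothing matched)."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set":
        key = ev.get("key", "")
        if RUN_KEY_RE.search(key):
            value_name = key.rsplit("\\", 1)[-1].lower()
            target = exe_from_run_value(ev.get("data", ""))
            points_at_dropper = any(p.endswith("\\" + DROPPED_NAME) for p in wow64_variants(target))
            if value_name == RUN_VALUE_NAME or points_at_dropper:
                hits.append(f"persistence: Run value {key} -> {ev.get('data')}")
    elif kind == "file_create":
        for p in wow64_variants(ev.get("path", "")):
            if in_windows_system_dir(p) and p.endswith("\\" + DROPPED_NAME):
                hits.append(f"dropped binary in system directory: {ev['path']}")
                break
    elif kind == "process_create":
        image = ev.get("image", "").lower()
        if image.endswith("\\" + DROPPED_NAME):
            hits.append(f"dropped EXE executed: {ev.get('command_line', image)}")
        if ev.get("sha256", "").lower() in KNOWN_SHA256:
            hits.append(f"known sample hash: {ev['sha256']}")
    return hits


def hunt(events) -> list:
    """Run check_event over a sequence of events; returns (event index, finding) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


# Constructed sample telemetry modelled on the report's process tree; not real log data.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32",
     "data": r"C:\Windows\system32\sysx32.exe"},
    {"type": "file_create", "path": r"C:\Windows\SysWOW64\sysx32.exe"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\sysx32.exe",
     "parent_image": TEMP + r"\c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe",
     "command_line": r"C:\Windows\system32\sysx32.exe /scan"},
    # Benign noise that must not match.
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file_create", "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "process_create",
     "image": TEMP + r"\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe",
     "command_line": TEMP + r"\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe",
     "sha256": "f13d6647b0bf26c7cc3cbaad23f11c59bbf90c2469d5ea7041d3491973ae5680"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Run against the constructed events, the four malicious records (Run value, SysWOW64 drop, sysx32.exe /scan launch, known-hash child) each produce one finding and the two benign records produce none. The hash check is the weakest of the four: the dropped sibling in the Downloads list already differs from the submitted file despite being the same size, so the path and registry rules are the ones worth keeping in a real detection.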
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
  Filesize: 7.8MB
  MD5: 895c7684ad7f63f3989bdb1273f2f4c5
  SHA1: 2bc9e4e31391ddf7b186ccf2915c0fd900bbd984
  SHA256: f13d6647b0bf26c7cc3cbaad23f11c59bbf90c2469d5ea7041d3491973ae5680
  SHA512: badbefdbae543919a7e98f0972f74c5b78edd3eea7c9fd00d44d7a39e02ffaf001cb7bae8baa82ea856578e111d5274d4d244a63947a403f4161d1029ea54575
- (path not shown in the report; hashes are identical to the submitted sample)
  Filesize: 7.8MB
  MD5: a684e113d61b961ea1126ee633c4f492
  SHA1: 9f7ae3a756dc41ad79d738fb7245a09259da115c
  SHA256: c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd
  SHA512: c495fef50a9080b6194411617d08e3da1f18166c1edb6e5943f6300feac614c16907b91d85b3d5e4280c4fbf30acdefe26a00cadb8fa9298cb5a11764b0e388d