Analysis

  • max time kernel
    141s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-10-2024 02:40

General

  • Target

    c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe

  • Size

    7.8MB

  • MD5

    a684e113d61b961ea1126ee633c4f492

  • SHA1

    9f7ae3a756dc41ad79d738fb7245a09259da115c

  • SHA256

    c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd

  • SHA512

    c495fef50a9080b6194411617d08e3da1f18166c1edb6e5943f6300feac614c16907b91d85b3d5e4280c4fbf30acdefe26a00cadb8fa9298cb5a11764b0e388d

  • SSDEEP

    98304:HsjeYOrRn+os45gaHrhdw3D7nTsReRR9e:HO41dw4ReRR9e

Malware Config

Signatures

  • Renames multiple (317) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
    "C:\Users\Admin\AppData\Local\Temp\c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\sysx32.exe
      C:\Windows\system32\sysx32.exe /scan
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2464
    • C:\Users\Admin\AppData\Local\Temp\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
      C:\Users\Admin\AppData\Local\Temp\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
      2⤵
      • Executes dropped EXE
      PID:1352

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\7z.exe

    Filesize

    7.8MB

    MD5

    f6ed3c809e43a7f3eece2ef250d5bef7

    SHA1

    bcef9d73da9a1e60f22c550d3a4839c03464b2c7

    SHA256

    b4315278cde6a8b699f169b72a08dec1dbe31becfcc00ff719beee4d67059dc0

    SHA512

    c3815d680a28c032a9bd19edd5f3f98a3b515f2a4c14ee91edb2b305b9ab4142080a396061db2646582ff2663d35734d64cae7a29726be179b164b7d1d94eed8

  • C:\Users\Admin\AppData\Local\Temp\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe

    Filesize

    7.8MB

    MD5

    895c7684ad7f63f3989bdb1273f2f4c5

    SHA1

    2bc9e4e31391ddf7b186ccf2915c0fd900bbd984

    SHA256

    f13d6647b0bf26c7cc3cbaad23f11c59bbf90c2469d5ea7041d3491973ae5680

    SHA512

    badbefdbae543919a7e98f0972f74c5b78edd3eea7c9fd00d44d7a39e02ffaf001cb7bae8baa82ea856578e111d5274d4d244a63947a403f4161d1029ea54575

  • C:\Windows\SysWOW64\sysx32.exe

    Filesize

    7.8MB

    MD5

    a684e113d61b961ea1126ee633c4f492

    SHA1

    9f7ae3a756dc41ad79d738fb7245a09259da115c

    SHA256

    c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd

    SHA512

    c495fef50a9080b6194411617d08e3da1f18166c1edb6e5943f6300feac614c16907b91d85b3d5e4280c4fbf30acdefe26a00cadb8fa9298cb5a11764b0e388d

  • memory/1732-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1732-97-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2464-944-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2464-943-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2464-1991-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2464-2691-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2464-2692-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2464-2693-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB