Analysis

  • max time kernel
    108s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-10-2024 03:26

General

  • Target

    33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe

  • Size

    2.2MB

  • MD5

    6d8de13999ca4008e8256d3a252c6250

  • SHA1

    65440dc146439b0b7877f49f2f766dbdf564c4b1

  • SHA256

    33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206

  • SHA512

    816f6a429534dc7b4bc56e78be95008f8d1c28ccc237d424efb98adad8a3e7afe42694b4021df7a528412712e3fbb28a1136389f928efa75f1fbca1142133cac

  • SSDEEP

    24576:9jnxGj4svqaShRsUiTfjo5ya8j8bCVcPM9W4OnkSCIpUlZXUbOpz:9sj4svqaShRibza82ecXpUlZX3pz

Malware Config

Signatures

  • Renames multiple (316) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe
    "C:\Users\Admin\AppData\Local\Temp\33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Windows\SysWOW64\sysx32.exe
      C:\Windows\system32\sysx32.exe /scan
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4076

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\7z.exe

    Filesize

    2.2MB

    MD5

    fd97e598d27823df9104e939fd0550c2

    SHA1

    c2345fbe3a077b2701a54a581613a9c82885b493

    SHA256

    0b6db05f074af3485e96a29dfbc3c0e428f4dc36455705cec29670b4b5bfd692

    SHA512

    9adc5c291bb44b14c16a32c32226dce326b53b51ad83f8fe609e17c6829fe561f9116168b87c64a1a82c4deed24c95e4e3529f2cefac8f37b1099c08387525d5

  • C:\Windows\SysWOW64\sysx32.exe

    Filesize

    2.2MB

    MD5

    6d8de13999ca4008e8256d3a252c6250

    SHA1

    65440dc146439b0b7877f49f2f766dbdf564c4b1

    SHA256

    33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206

    SHA512

    816f6a429534dc7b4bc56e78be95008f8d1c28ccc237d424efb98adad8a3e7afe42694b4021df7a528412712e3fbb28a1136389f928efa75f1fbca1142133cac

  • memory/3336-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3336-41-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4076-1276-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4076-1277-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4076-2685-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4076-2686-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4076-2687-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB