Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/11/2024, 23:12

General

  • Target

    64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

  • Size

    4.9MB

  • MD5

    52e3c216b043490cdbb87e17218f4d47

  • SHA1

    e21be588a01cb4022dafe84eb9c88305532b17ff

  • SHA256

    64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf

  • SHA512

    d21ee7fb626317e9762e49acb0afcf70ecf546a6f7def8fddac24115c6f0aa404f94e98aa374d9cf6196077ff277c31e80a88240a25a13e8dcb701d874c30526

  • SSDEEP

    49152:9wQ/xFnOvtaWIDn0a2qnqYQVMkL+q/vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPAFz:OqaklJKvS0Hpe4zbpaAKQkroGIC

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
    "C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\SysWOW64\sysx32.exe
      C:\Windows\system32\sysx32.exe /scan
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      PID:3036
    • C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
      C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
      2⤵
      • Executes dropped EXE
      PID:2708

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

          Filesize

          4.9MB

          MD5

          b4f9829423e89017d71f0be914831ab3

          SHA1

          ea4b8f722d4a177637f004317027f48789cc0c8a

          SHA256

          23c59c9297ff0792f2da83712f322107ce8f6221b7772b18e6d847b25dfc5a89

          SHA512

          d98c81a77d812a7055771d8be77eb34e52ac0e07cf4188058a5e323f11adfcd42926ec4f3fdacb35e33097640f7fc9d4eca1c6eb3c5951f620f573c6d14d8ebe

        • C:\Windows\SysWOW64\sysx32.exe

          Filesize

          4.9MB

          MD5

          52e3c216b043490cdbb87e17218f4d47

          SHA1

          e21be588a01cb4022dafe84eb9c88305532b17ff

          SHA256

          64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf

          SHA512

          d21ee7fb626317e9762e49acb0afcf70ecf546a6f7def8fddac24115c6f0aa404f94e98aa374d9cf6196077ff277c31e80a88240a25a13e8dcb701d874c30526

        • memory/2708-17-0x0000000000880000-0x000000000088E000-memory.dmp

          Filesize

          56KB

        • memory/2708-16-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

          Filesize

          4KB

        • memory/2980-18-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2980-0-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/3036-20-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB