Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/11/2024, 23:12
Static task: static1
Behavioral task: behavioral1
  Sample: 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
  Resource: win10v2004-20241007-en
General
Target: 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
Size: 4.9MB
MD5: 52e3c216b043490cdbb87e17218f4d47
SHA1: e21be588a01cb4022dafe84eb9c88305532b17ff
SHA256: 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf
SHA512: d21ee7fb626317e9762e49acb0afcf70ecf546a6f7def8fddac24115c6f0aa404f94e98aa374d9cf6196077ff277c31e80a88240a25a13e8dcb701d874c30526
SSDEEP: 49152:9wQ/xFnOvtaWIDn0a2qnqYQVMkL+q/vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPAFz:OqaklJKvS0Hpe4zbpaAKQkroGIC
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   process
  3036  sysx32.exe
  2708  _64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

Loads dropped DLL (3 IoCs)
  pid   process
  2980  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
  2980  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
  2980  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                        process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     process
  File opened (read-only)  \??\A:  sysx32.exe
  File opened (read-only)  \??\B:  sysx32.exe

Drops file in System32 directory (3 IoCs)
  description                   ioc                              process
  File created                  C:\Windows\SysWOW64\sysx32.exe   64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
  File opened for modification  C:\Windows\SysWOW64\sysx32.exe   64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
  File created                  C:\Windows\SysWOW64\sysx32.exe   sysx32.exe

Drops file in Program Files directory (2 IoCs)
  description                   ioc                                   process
  File created                  C:\Program Files\7-Zip\7z.exe.tmp     sysx32.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe.tmp     sysx32.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                       process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   process                                                                   procid_target
  PID 2980 wrote to memory of 3036     2980  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe  30
  PID 2980 wrote to memory of 3036     2980  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe  30
  PID 2980 wrote to memory of 3036     2980  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe  30
  PID 2980 wrote to memory of 3036     2980  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe  30
  PID 2980 wrote to memory of 2708     2980  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe  31
  PID 2980 wrote to memory of 2708     2980  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe  31
  PID 2980 wrote to memory of 2708     2980  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe  31
  PID 2980 wrote to memory of 2708     2980  64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe"
  PID: 2980
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sysx32.exe
      Command line: C:\Windows\system32\sysx32.exe /scan
      PID: 3036
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
      PID: 2708
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
  Filesize: 4.9MB
  MD5: b4f9829423e89017d71f0be914831ab3
  SHA1: ea4b8f722d4a177637f004317027f48789cc0c8a
  SHA256: 23c59c9297ff0792f2da83712f322107ce8f6221b7772b18e6d847b25dfc5a89
  SHA512: d98c81a77d812a7055771d8be77eb34e52ac0e07cf4188058a5e323f11adfcd42926ec4f3fdacb35e33097640f7fc9d4eca1c6eb3c5951f620f573c6d14d8ebe

(unnamed download)
  Filesize: 4.9MB
  MD5: 52e3c216b043490cdbb87e17218f4d47
  SHA1: e21be588a01cb4022dafe84eb9c88305532b17ff
  SHA256: 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf
  SHA512: d21ee7fb626317e9762e49acb0afcf70ecf546a6f7def8fddac24115c6f0aa404f94e98aa374d9cf6196077ff277c31e80a88240a25a13e8dcb701d874c30526