Analysis

  • max time kernel
    138s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/11/2024, 23:51

General

  • Target: 73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
  • Size: 5.4MB
  • MD5: 3a50686f11cab9303e50a2de23064eb4
  • SHA1: a970490596cdcd2efb186e482eb97c464232b625
  • SHA256: 73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b
  • SHA512: b2457ea43fbbfc326d13f5ccf95b8cd02a46e483753f4b05c6b1db525d1d082c8ad156b48b5defb45069bca17a11fccac4f89bd3dd45b10b601b32fafde1d912
  • SSDEEP: 49152:9GGWdQtSgRWpAIRrRLzZiNo7IcyO82MzufjWJA6ongaHLvKLA8VgbKW2llxobcJC:IKTOrRn+os45gaHrhdwC

Malware Config

Signatures

  • Renames multiple (317) files with added filename extension

    This suggests ransomware activity: the sample is encrypting the files on the system.

  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (64 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
    "C:\Users\Admin\AppData\Local\Temp\73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Windows\SysWOW64\sysx32.exe
      C:\Windows\system32\sysx32.exe /scan
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1128
    • C:\Users\Admin\AppData\Local\Temp\_73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
      C:\Users\Admin\AppData\Local\Temp\_73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        dw20.exe -x -s 884
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\UnblockRedo.exe
    Filesize: 5.4MB
    MD5: 1e86a8765e997371f9db3e179d5ef720
    SHA1: 1002792c11665c38cf361a752de5d4b5bb07b173
    SHA256: bccc5f44dc8f89e930453ee855d63cef3aaad9e5aa204da86d8fd3803ddac5c6
    SHA512: 1ef708dba5251d4223d4a9454bab50b9fe8011392eca35809b08ef2993a39992efce7edaf57932ca33c94ad27a6e64a88197a7f807e63143920c4a9780daa229

  • C:\Users\Admin\AppData\Local\Temp\_73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
    Filesize: 5.3MB
    MD5: 2961d9e7c399d6d047ef063757afec75
    SHA1: 05996a47e907d1858d3f900469bbb2ff9ea104df
    SHA256: ffcd18191f60427b93eab508e3058f733ed5e9de9024cccf3df27e6df121eab4
    SHA512: 2ff2d2b812220efcd57659737504e08c8c6d024ec5f186ab5f7fd8c6316f1e0d16828ad248880f33f598de50b6d3e16a576b1e372f0092107d09db0ba913c099

  • C:\Windows\SysWOW64\sysx32.exe
    Filesize: 5.4MB
    MD5: 3a50686f11cab9303e50a2de23064eb4
    SHA1: a970490596cdcd2efb186e482eb97c464232b625
    SHA256: 73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b
    SHA512: b2457ea43fbbfc326d13f5ccf95b8cd02a46e483753f4b05c6b1db525d1d082c8ad156b48b5defb45069bca17a11fccac4f89bd3dd45b10b601b32fafde1d912

  • memory/1128-763-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/1128-1003-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/1128-2700-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/1128-2701-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/1128-2702-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/3396-56-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/3396-0-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/3552-16-0x00007FFB5BFA5000-0x00007FFB5BFA6000-memory.dmp
    Filesize: 4KB

  • memory/3552-23-0x00007FFB5BCF0000-0x00007FFB5C691000-memory.dmp
    Filesize: 9.6MB

  • memory/3552-29-0x00007FFB5BCF0000-0x00007FFB5C691000-memory.dmp
    Filesize: 9.6MB

  • memory/3552-54-0x00007FFB5BCF0000-0x00007FFB5C691000-memory.dmp
    Filesize: 9.6MB