Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06/11/2024, 00:39
Static task: static1
Behavioral task: behavioral1
  Sample: dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
  Resource: win10v2004-20241007-en
General
- Target: dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
- Size: 4.9MB
- MD5: 661d0561ddceaf9ae6edf8a50b6c26c0
- SHA1: b1dd6be08f907050574f7102dfc83fd7223c0179
- SHA256: dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290f
- SHA512: c8b342af6e7180f99a0acf5c77a60a5b2d58c49c884dd929238797e27b79de8d9dece2d4444a7349f1e84ff036852a94f09608be24e80c0c56e80cc043719474
- SSDEEP: 49152:9m/xFnOvtaWIDn0a2qnqYQVMkL+q/vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPAFIA:uaklJKvS0Hpe4zbpaAKQkroGIC
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2380  sysx32.exe
  2540  _dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  2548  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
  2548  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
  2548  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                        Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\A:  sysx32.exe
  File opened (read-only)  \??\B:  sysx32.exe
- Drops file in System32 directory (3 IoCs)
  description                   ioc                              Process
  File opened for modification  C:\Windows\SysWOW64\sysx32.exe  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
  File created                  C:\Windows\SysWOW64\sysx32.exe  sysx32.exe
  File created                  C:\Windows\SysWOW64\sysx32.exe  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
- Drops file in Program Files directory (2 IoCs)
  description                   ioc                                  Process
  File created                  C:\Program Files\7-Zip\7z.exe.tmp  sysx32.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe.tmp  sysx32.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                  procid_target
  PID 2548 wrote to memory of 2380  2548  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe  30
  PID 2548 wrote to memory of 2380  2548  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe  30
  PID 2548 wrote to memory of 2380  2548  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe  30
  PID 2548 wrote to memory of 2380  2548  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe  30
  PID 2548 wrote to memory of 2540  2548  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe  31
  PID 2548 wrote to memory of 2540  2548  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe  31
  PID 2548 wrote to memory of 2540  2548  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe  31
  PID 2548 wrote to memory of 2540  2548  dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2548
  - C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID: 2380
  - C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
    - Executes dropped EXE
    PID: 2540
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
  Filesize: 4.9MB
  MD5: 84aa72f040ae8f9e022bc1e9f7239d68
  SHA1: 316a576cacc2cf63e8c698dcd5ee66be0b88643d
  SHA256: 6faacf875bf79d89a97296dba832a12eedfb44dde44d8119e3e212a8afa7d5b7
  SHA512: 4314af0eb37069c7c61ca57f8fe5bedf61524e6fed2a4d3b40b63c8abb1dff12ea00cda864c31106b8af34863d379f8428e3e7942b3edb7b58e325c15bc58e71
- Filesize: 4.9MB
  MD5: 661d0561ddceaf9ae6edf8a50b6c26c0
  SHA1: b1dd6be08f907050574f7102dfc83fd7223c0179
  SHA256: dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290f
  SHA512: c8b342af6e7180f99a0acf5c77a60a5b2d58c49c884dd929238797e27b79de8d9dece2d4444a7349f1e84ff036852a94f09608be24e80c0c56e80cc043719474