Analysis

  • max time kernel: 110s
  • max time network: 18s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 12-11-2024 16:13

General

  • Target: a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
  • Size: 9.5MB
  • MD5: 02461bcd9387cfb94a2ece08138b6110
  • SHA1: d1388114984c46dcdaa62b806f3216735bbb79a6
  • SHA256: a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebed
  • SHA512: ac7a44e63730fc51878a3efe4622b9ecb6021ec76bef65d62b33cecf355252d006421ae9f5ce78eaf91f9a443317f6de7f072843175349c82b3d0a0ae25c0b1c
  • SSDEEP: 196608:d5RNoZujZZFpEgBDOZRHNrZ0WwPYwKmFSNse257H5jMe/NAWgd/i7D4/mO4y/i2q:7oYOZzrJaSNsjMWgd/i7C/iHh4WxPf

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
    "C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Windows\SysWOW64\sysx32.exe
      C:\Windows\system32\sysx32.exe /scan
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      PID:2920
    • C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
      C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2636

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
    Filesize: 9.5MB
    MD5: 7a98f5fca675a4b9253cbeb231a0adf9
    SHA1: e672cce31524e7f09362bdeff01deb2d59db3b94
    SHA256: 61fadf8ae797f69625014760b601949d52e876801aeefec0ea825cdb861f18ac
    SHA512: 920f268530850d0d97bcc0094ec439a3fc5e067a846bffe65a5dc2125b8c6aadf3c2c2d6c0bca671b60aaf5750f69073f756615a78c810e42e218feecd67748a

  • \Windows\SysWOW64\sysx32.exe
    Filesize: 9.5MB
    MD5: 02461bcd9387cfb94a2ece08138b6110
    SHA1: d1388114984c46dcdaa62b806f3216735bbb79a6
    SHA256: a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebed
    SHA512: ac7a44e63730fc51878a3efe4622b9ecb6021ec76bef65d62b33cecf355252d006421ae9f5ce78eaf91f9a443317f6de7f072843175349c82b3d0a0ae25c0b1c

  • memory/320-0-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/320-18-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB

  • memory/2636-15-0x00000000000E0000-0x00000000000E1000-memory.dmp
    Filesize: 4KB

  • memory/2636-22-0x00000000000E0000-0x00000000000E1000-memory.dmp
    Filesize: 4KB

  • memory/2920-19-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize: 68KB