Analysis

  • max time kernel
    110s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12-11-2024 16:13

General

  • Target

    a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe

  • Size

    9.5MB

  • MD5

    02461bcd9387cfb94a2ece08138b6110

  • SHA1

    d1388114984c46dcdaa62b806f3216735bbb79a6

  • SHA256

    a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebed

  • SHA512

    ac7a44e63730fc51878a3efe4622b9ecb6021ec76bef65d62b33cecf355252d006421ae9f5ce78eaf91f9a443317f6de7f072843175349c82b3d0a0ae25c0b1c

  • SSDEEP

    196608:d5RNoZujZZFpEgBDOZRHNrZ0WwPYwKmFSNse257H5jMe/NAWgd/i7D4/mO4y/i2q:7oYOZzrJaSNsjMWgd/i7C/iHh4WxPf

Malware Config

Signatures

  • Renames multiple (316) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
    "C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4164
    • C:\Windows\SysWOW64\sysx32.exe
      C:\Windows\system32\sysx32.exe /scan
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4656
    • C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
      C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1496

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\7-Zip\7z.exe

    Filesize

    9.5MB

    MD5

    7758cd67d501ac40ddf2c2e2b1131e6e

    SHA1

    8fca66ba5fcd94c9a660ea04caa21ac557d4e122

    SHA256

    8b2c8d7a94ce5b755fbcfb0029db1a502186658ae0544a6cd409d4ca1c3583b3

    SHA512

    aba3070bbd090206c20d32f1417b5b93599c0a620538edeb8c0fce28198edc0aa249dc87b3a1b486ea372c7eb7621ed35131e8bfb8d05d445ab57c6db026c8f0

  • C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe

    Filesize

    9.5MB

    MD5

    7a98f5fca675a4b9253cbeb231a0adf9

    SHA1

    e672cce31524e7f09362bdeff01deb2d59db3b94

    SHA256

    61fadf8ae797f69625014760b601949d52e876801aeefec0ea825cdb861f18ac

    SHA512

    920f268530850d0d97bcc0094ec439a3fc5e067a846bffe65a5dc2125b8c6aadf3c2c2d6c0bca671b60aaf5750f69073f756615a78c810e42e218feecd67748a

  • C:\Windows\SysWOW64\sysx32.exe

    Filesize

    9.5MB

    MD5

    02461bcd9387cfb94a2ece08138b6110

    SHA1

    d1388114984c46dcdaa62b806f3216735bbb79a6

    SHA256

    a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebed

    SHA512

    ac7a44e63730fc51878a3efe4622b9ecb6021ec76bef65d62b33cecf355252d006421ae9f5ce78eaf91f9a443317f6de7f072843175349c82b3d0a0ae25c0b1c

  • memory/4164-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4164-284-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4656-380-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4656-379-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4656-872-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4656-1413-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4656-2358-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4656-2694-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4656-2696-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4656-2698-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4656-2699-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB