Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 12-11-2024 17:49
Static task: static1
Behavioral task: behavioral1
  Sample: f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
  Resource: win10v2004-20241007-en
General
Target: f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
Size: 9.5MB
MD5: 5495d6fe74494d0e2e785b1ac2eb54a4
SHA1: 2e662a737fce0e6f7ecfacc2ea125606f3668773
SHA256: f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576
SHA512: cb00137fe655447522e490450de014bb189c4d6caafdce9f6ba4087e31650bbd5dc50f5fb848c58f94583b7acb00cb9f63a15c6b1515246667532e3361a63063
SSDEEP: 196608:d5RNoZujZZFpEgBDOZRHNrZ0WwPYwKmFSNse257H5jMe/NAWgd/i7D4/mO4y/i2K:7oYOZzrJaSNsjMWgd/i7C/iHh4WxPv
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
Processes:
pid  | Process
2040 | sysx32.exe
2104 | _f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
1204 |

Loads dropped DLL (4 IoCs)
Processes:
pid  | Process
1700 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
1700 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
1700 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
1204 |
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description     | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description             | ioc    | Process
File opened (read-only) | \??\A: | sysx32.exe
File opened (read-only) | \??\B: | sysx32.exe
Drops file in System32 directory (3 IoCs)
Processes:
description                  | ioc                              | Process
File created                 | C:\Windows\SysWOW64\sysx32.exe   | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
File opened for modification | C:\Windows\SysWOW64\sysx32.exe   | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
File created                 | C:\Windows\SysWOW64\sysx32.exe   | sysx32.exe

Drops file in Program Files directory (2 IoCs)
Processes:
description                  | ioc                                | Process
File created                 | C:\Program Files\7-Zip\7z.exe.tmp  | sysx32.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe.tmp  | sysx32.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc                                                    | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid  | Process
2104 | _f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
2104 | _f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description                          | pid  | Process                                                               | procid_target
PID 1700 wrote to memory of 2040     | 1700 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 30
PID 1700 wrote to memory of 2040     | 1700 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 30
PID 1700 wrote to memory of 2040     | 1700 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 30
PID 1700 wrote to memory of 2040     | 1700 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 30
PID 1700 wrote to memory of 2104     | 1700 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 31
PID 1700 wrote to memory of 2104     | 1700 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 31
PID 1700 wrote to memory of 2104     | 1700 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 31
PID 1700 wrote to memory of 2104     | 1700 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe"
   PID: 1700
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\sysx32.exe
      Command line: C:\Windows\system32\sysx32.exe /scan
      PID: 2040
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
   2. C:\Users\Admin\AppData\Local\Temp\_f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\_f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
      PID: 2104
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
\Users\Admin\AppData\Local\Temp\_f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
Filesize: 9.5MB
MD5: d0dceb3283fb65eafc82cacc6c36566e
SHA1: 20c4635d178b0442b1e0d4f9a10d3bd44295a613
SHA256: 483de379e69dc4b5e0bce31c15725dad13e51358a7b760002c8328e81c90bb31
SHA512: dde9ccbf277dd57554f7742f4a516e52415738cc03f777529c6bcd7f7585b234915f739b87646aaf831aa9c23f1f8b0d7698bacffb44d3158d279d5b81696a19

(no path recorded; hashes match the submitted sample listed under General)
Filesize: 9.5MB
MD5: 5495d6fe74494d0e2e785b1ac2eb54a4
SHA1: 2e662a737fce0e6f7ecfacc2ea125606f3668773
SHA256: f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576
SHA512: cb00137fe655447522e490450de014bb189c4d6caafdce9f6ba4087e31650bbd5dc50f5fb848c58f94583b7acb00cb9f63a15c6b1515246667532e3361a63063