Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    12-11-2024 17:49

General

  • Target

    f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe

  • Size

    9.5MB

  • MD5

    5495d6fe74494d0e2e785b1ac2eb54a4

  • SHA1

    2e662a737fce0e6f7ecfacc2ea125606f3668773

  • SHA256

    f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576

  • SHA512

    cb00137fe655447522e490450de014bb189c4d6caafdce9f6ba4087e31650bbd5dc50f5fb848c58f94583b7acb00cb9f63a15c6b1515246667532e3361a63063

  • SSDEEP

    196608:d5RNoZujZZFpEgBDOZRHNrZ0WwPYwKmFSNse257H5jMe/NAWgd/i7D4/mO4y/i2K:7oYOZzrJaSNsjMWgd/i7C/iHh4WxPv

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
    "C:\Users\Admin\AppData\Local\Temp\f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\sysx32.exe
      C:\Windows\system32\sysx32.exe /scan
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      PID:2040
    • C:\Users\Admin\AppData\Local\Temp\_f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
      C:\Users\Admin\AppData\Local\Temp\_f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2104

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\_f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe

    Filesize

    9.5MB

    MD5

    d0dceb3283fb65eafc82cacc6c36566e

    SHA1

    20c4635d178b0442b1e0d4f9a10d3bd44295a613

    SHA256

    483de379e69dc4b5e0bce31c15725dad13e51358a7b760002c8328e81c90bb31

    SHA512

    dde9ccbf277dd57554f7742f4a516e52415738cc03f777529c6bcd7f7585b234915f739b87646aaf831aa9c23f1f8b0d7698bacffb44d3158d279d5b81696a19

  • \Windows\SysWOW64\sysx32.exe

    Filesize

    9.5MB

    MD5

    5495d6fe74494d0e2e785b1ac2eb54a4

    SHA1

    2e662a737fce0e6f7ecfacc2ea125606f3668773

    SHA256

    f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576

    SHA512

    cb00137fe655447522e490450de014bb189c4d6caafdce9f6ba4087e31650bbd5dc50f5fb848c58f94583b7acb00cb9f63a15c6b1515246667532e3361a63063

  • memory/1700-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1700-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2040-20-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2104-15-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

  • memory/2104-23-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB