d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364

General

Target

d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
Size

7.1MB
MD5

ef16186ca98cac06a6f224a0c7532fd7
SHA1

08ef445e63e7beed27e7f1d8468e4902fa713815
SHA256

d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364
SHA512

eff1289310fed5635037f7ae9564e88eae67620a15d2eff19d821f8d0283380a3528b50f11dfd2bfd78ae951d3a3ce996c980fa16c5cf6336fac84c5737aed23
SSDEEP

49152:9ggkEaSIHYezZiNo7IcyO82MzufjWJA6ongaHLvKLA8VgbKW2llxobcJOu2Qt7YW:Smapj+os45gaHrhdw3D7nTsR

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

sysx32.exe_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

pid process

3032 sysx32.exe
2072 _d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

pid	process
3032	sysx32.exe
2072	_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

Loads dropped DLL 3 IoCs

Processes:

d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

pid	process
2112	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
2112	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
2112	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

sysx32.exe

description ioc process

File opened (read-only) \??\A: sysx32.exe
File opened (read-only) \??\B: sysx32.exe

description	ioc	process
File opened (read-only)	\??\A:	sysx32.exe
File opened (read-only)	\??\B:	sysx32.exe

Drops file in System32 directory 3 IoCs

Processes:

sysx32.exed1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sysx32.exe	sysx32.exe
File created	C:\Windows\SysWOW64\sysx32.exe	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
File opened for modification	C:\Windows\SysWOW64\sysx32.exe	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

Drops file in Program Files directory 2 IoCs

Processes:

sysx32.exe

description ioc process

File created C:\Program Files\7-Zip\7z.exe.tmp sysx32.exe
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp sysx32.exe

description	ioc	process
File created	C:\Program Files\7-Zip\7z.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe.tmp	sysx32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

description	pid	process	target process
PID 2112 wrote to memory of 3032	2112	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	sysx32.exe
PID 2112 wrote to memory of 3032	2112	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	sysx32.exe
PID 2112 wrote to memory of 3032	2112	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	sysx32.exe
PID 2112 wrote to memory of 3032	2112	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	sysx32.exe
PID 2112 wrote to memory of 2072	2112	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
PID 2112 wrote to memory of 2072	2112	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
PID 2112 wrote to memory of 2072	2112	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
PID 2112 wrote to memory of 2072	2112	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

C:\Users\Admin\AppData\Local\Temp\d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
"C:\Users\Admin\AppData\Local\Temp\d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\sysx32.exe
  C:\Windows\system32\sysx32.exe /scan
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
  C:\Users\Admin\AppData\Local\Temp\_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
  2⤵
  - Executes dropped EXE
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

Filesize
7.1MB

MD5
6aff99dfc1633fe190f57950d2babd58

SHA1
03e1d84c56e35e570e6be6f4b526b8cceaa670be

SHA256
34b557804a29a320eade8fc8617728ece81b656a3afca02dd7c3a851a9d29b71

SHA512
e2b9583d7061086fd9fc84e31404db872c5737fe5411c222b4bb99480c0248c414d1ffc4bc2ce854c16e9604e909c3ede53f84c1046c052c0ea44463a31f52e4

Download Submit
\Windows\SysWOW64\sysx32.exe

Filesize
7.1MB

MD5
ef16186ca98cac06a6f224a0c7532fd7

SHA1
08ef445e63e7beed27e7f1d8468e4902fa713815

SHA256
d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364

SHA512
eff1289310fed5635037f7ae9564e88eae67620a15d2eff19d821f8d0283380a3528b50f11dfd2bfd78ae951d3a3ce996c980fa16c5cf6336fac84c5737aed23

Download Submit
memory/2112-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2112-9-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/2112-7-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/2112-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3032-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads