Analysis
max time kernel: 122s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-10-2024 18:35
Static task: static1
Behavioral task: behavioral1
  Sample: 112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe
  Resource: win10v2004-20241007-en
General
Target: 112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe
Size: 2.1MB
MD5: 329a2103d99a25fbf2d790898f5bb955
SHA1: 0c907ed25959a21e79b840bed88742e214f6c8f9
SHA256: 112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0
SHA512: c0332fa403c933ed0aee8ecbb40641eb96048b66f57587b885ae14f801b8e3ed32e2ea1e059740a8edc1607d4153b12dccbf3f77e9ea0422201d67120279c220
SSDEEP: 49152:9aenqqr9wJI6S7RSSon9X6f4IeY0+h1s410I1xIdcxyNt:senq29lFHon9X5Iddq41Lxry
Malware Config
Signatures
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  pid / Process:
  - 2068 sysx32.exe
  - 3980 _112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" (112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe)
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by sysx32.exe, one IoC per drive:
  \??\L:, \??\O:, \??\P:, \??\Q:, \??\T:, \??\A:, \??\G:, \??\K:, \??\N:, \??\R:, \??\S:, \??\U:, \??\W:, \??\B:, \??\H:, \??\Y:, \??\Z:, \??\V:, \??\E:, \??\I:, \??\X:, \??\J:, \??\M:
- Drops file in System32 directory (64 IoCs)
  Process for every entry: sysx32.exe
  - File opened for modification C:\Windows\SysWOW64\clip.exe
  - File created C:\Windows\SysWOW64\proquota.exe.tmp
  - File created C:\Windows\SysWOW64\systeminfo.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\PresentationHost.exe
  - File opened for modification C:\Windows\SysWOW64\rasdial.exe
  - File opened for modification C:\Windows\SysWOW64\rekeywiz.exe.tmp
  - File created C:\Windows\SysWOW64\relog.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\tzutil.exe
  - File opened for modification C:\Windows\SysWOW64\bitsadmin.exe
  - File opened for modification C:\Windows\SysWOW64\dvdplay.exe
  - File opened for modification C:\Windows\SysWOW64\Robocopy.exe
  - File opened for modification C:\Windows\SysWOW64\CheckNetIsolation.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\cmdkey.exe
  - File opened for modification C:\Windows\SysWOW64\regsvr32.exe
  - File opened for modification C:\Windows\SysWOW64\resmon.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\BackgroundTransferHost.exe
  - File opened for modification C:\Windows\SysWOW64\cmd.exe
  - File created C:\Windows\SysWOW64\mobsync.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\mshta.exe
  - File created C:\Windows\SysWOW64\printui.exe.tmp
  - File created C:\Windows\SysWOW64\DevicePairingWizard.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\icsunattend.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\sort.exe
  - File created C:\Windows\SysWOW64\userinit.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\CameraSettingsUIHost.exe.tmp
  - File created C:\Windows\SysWOW64\prevhost.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\Robocopy.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\sdchange.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\ttdinject.exe
  - File opened for modification C:\Windows\SysWOW64\IME\SHARED\imecfmui.exe.tmp
  - File created C:\Windows\SysWOW64\cmdkey.exe.tmp
  - File created C:\Windows\SysWOW64\gpupdate.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\OpenWith.exe
  - File opened for modification C:\Windows\SysWOW64\user.exe
  - File opened for modification C:\Windows\SysWOW64\wecutil.exe.tmp
  - File created C:\Windows\SysWOW64\mshta.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\ReAgentc.exe
  - File opened for modification C:\Windows\SysWOW64\replace.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\SndVol.exe
  - File opened for modification C:\Windows\SysWOW64\TpmTool.exe.tmp
  - File created C:\Windows\SysWOW64\auditpol.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\fc.exe
  - File opened for modification C:\Windows\SysWOW64\PING.EXE
  - File created C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\dpapimig.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\logagent.exe
  - File opened for modification C:\Windows\SysWOW64\Com\comrepl.exe.tmp
  - File created C:\Windows\SysWOW64\wbem\WmiPrvSE.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\TCPSVCS.EXE
  - File created C:\Windows\SysWOW64\TpmTool.exe.tmp
  - File created C:\Windows\SysWOW64\Com\MigRegDB.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\ComputerDefaults.exe.tmp
  - File created C:\Windows\SysWOW64\msdt.exe.tmp
  - File created C:\Windows\SysWOW64\odbcconf.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\PkgMgr.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\powercfg.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\bootcfg.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\lodctr.exe.tmp
  - File created C:\Windows\SysWOW64\perfmon.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\InputSwitchToastHandler.exe.tmp
  - File created C:\Windows\SysWOW64\ipconfig.exe.tmp
  - File opened for modification C:\Windows\SysWOW64\PickerHost.exe.tmp
  - File created C:\Windows\SysWOW64\stordiag.exe.tmp
  - File created C:\Windows\SysWOW64\WerFaultSecure.exe.tmp
- Drops file in Program Files directory (64 IoCs)
  Process for every entry: sysx32.exe
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE.tmp
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.tmp
  - File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.tmp
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
  - File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  - File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe.tmp
  - File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp
  - File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp
  - File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp
  - File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe.tmp
  - File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe.tmp
  - File created C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp
  - File created C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp
  - File created C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp
  - File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp
  - File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe.tmp
  - File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp
  - File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp
  - File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe
  - File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE.tmp
  - File opened for modification C:\Program Files\Windows Media Player\wmpconfig.exe.tmp
  - File created C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe.tmp
  - File created C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp
  - File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
  - File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe
  - File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe.tmp
  - File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp
  - File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE.tmp
  - File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe
  - File created C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.tmp
  - File created C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.tmp
  - File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe.tmp
  - File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp
  - File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe.tmp
  - File created C:\Program Files\Windows Media Player\wmpshare.exe.tmp
  - File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
  - File opened for modification C:\Program Files (x86)\Windows Media Player\wmprph.exe
  - File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
  - File created C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp
  - File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp
  - File created C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe.tmp
  - File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp
  - File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe
  - File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.tmp
  - File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe.tmp
  - File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
  - File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe
  - File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE
  - File opened for modification C:\Program Files\Windows Media Player\setup_wm.exe.tmp
  - File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe.tmp
  - File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe
  - File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe
  - File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe.tmp
  - File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
  - File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe
  - File created C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp
  - File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe.tmp
  - File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe.tmp
  - File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe.tmp
  - File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
  - File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe
  - File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe
- Drops file in Windows directory (64 IoCs)
  Process for every entry: sysx32.exe
  - File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_8457b34a3423f6d0\resmon.exe
  - File created C:\Windows\WinSxS\wow64_microsoft-windows-quickassist_31bf3856ad364e35_10.0.19041.1266_none_7d1b4a535854fe42\r\quickassist.exe.tmp
  - File opened for modification C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-filtermanager-utils_31bf3856ad364e35_10.0.19041.546_none_f786fa028426f858\r\fltMC.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_10.0.19041.746_none_d19001beed7624dc\r\CertEnrollCtrl.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iscsi_initiator_ui_31bf3856ad364e35_10.0.19041.1_none_8ddc3834fb6f659f\iscsicpl.exe.tmp
  - File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-winrsplugins_31bf3856ad364e35_10.0.19041.1081_none_956906931b26e27a\winrshost.exe.tmp
  - File created C:\Windows\WinSxS\amd64_microsoft-client-li..ing-platform-client_31bf3856ad364e35_10.0.19041.1_none_bf56a5e7532d9c79\licensingdiag.exe.tmp
  - File created C:\Windows\WinSxS\amd64_microsoft-windows-alg_31bf3856ad364e35_10.0.19041.1_none_5eda5fa3fa7c0fb7\alg.exe.tmp
  - File created C:\Windows\WinSxS\amd64_microsoft-windows-d..b-standardcollector_31bf3856ad364e35_10.0.19041.928_none_0f531ea0d233243b\DiagnosticsHub.StandardCollector.Service.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wimgapi_31bf3856ad364e35_10.0.19041.1202_none_fdbbcf53ca14e151\r\wimserv.exe.tmp
  - File created C:\Windows\WinSxS\wow64_microsoft-windows-filtermanager-utils_31bf3856ad364e35_10.0.19041.1_none_d9d36ad7f915f657\fltMC.exe.tmp
  - File created C:\Windows\WinSxS\wow64_microsoft-windows-openfiles_31bf3856ad364e35_10.0.19041.1_none_a76c1ed6be227279\openfiles.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.746_none_4b0a936d86cdd479\r\windeploy.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_10.0.19041.1266_none_c67a7a982eedc4e8\f\explorer.exe
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\ShapeCollector.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ldifde_31bf3856ad364e35_10.0.19041.1_none_d6d84e47a8300235\ldifde.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_9fcce199936290f4\r\upnpcont.exe
  - File opened for modification C:\Windows\WinSxS\x86_netfx4-applaunch_exe_b03f5f7f11d50a3a_4.0.15805.0_none_f04c7dcfd4283324\AppLaunch.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c\AddInProcess32.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_10.0.19041.928_none_6012c8cabf808ff7\pcaui.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.264_none_40d14f6c04397868\agentactivationruntimestarter.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-tokenbroker_31bf3856ad364e35_10.0.19041.1266_none_18784aba5fcd68cc\TokenBrokerCookies.exe.tmp
  - File created C:\Windows\WinSxS\wow64_microsoft-windows-security-secedit_31bf3856ad364e35_10.0.19041.1_none_6f2ce5f0857cd61a\SecEdit.exe.tmp
  - File created C:\Windows\WinSxS\wow64_microsoft-windows-winhstb_31bf3856ad364e35_10.0.19041.1_none_e94bc62edd251a47\winhlp32.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-e..-unifiedwritefilter_31bf3856ad364e35_10.0.19041.1_none_522bacd027283125\UwfServicingShell.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_228521f0037fd996\f\PickerHost.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-recoverydrive_31bf3856ad364e35_10.0.19041.1237_none_9d556cf140e198b4\r\RecoveryDrive.exe
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..up-deviceencryption_31bf3856ad364e35_10.0.19041.1202_none_4f22e21b58d6c2e3\r\BitLockerDeviceEncryption.exe.tmp
  - File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\netiougc.exe
  - File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-wordpad_31bf3856ad364e35_10.0.19041.1_none_ee00310940a3cd37\wordpad.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.19041.1_none_7c197eeaa6d7861f\SndVol.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-bootux.deployment_31bf3856ad364e35_10.0.19041.1_none_f4025a506f9e9f01\bootim.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.746_none_7aa85dbabd7172c7\r\PrintIsolationHost.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.19041.1266_none_e8d910c7c702b558\MusNotificationUx.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appresolverux.appxmain_31bf3856ad364e35_10.0.19041.1_none_b719750f25d4cc37\AppResolverUX.exe.tmp
  - File created C:\Windows\WinSxS\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1_none_f35caf2131abed9a\lsass.exe.tmp
  - File created C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\f\SecureAssessmentBrowser.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.264_none_9b436d497f039d6d\f\smartscreen.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_windows-application..egistrationverifier_31bf3856ad364e35_10.0.19041.1_none_3ce17495646dbeaa\AppHostRegistrationVerifier.exe
  - File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_be8a8ad4892e651d\printui.exe.tmp
  - File created C:\Windows\WinSxS\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.19041.1110_none_ac2441dbb712f006\r\sdchange.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..pertiescomputername_31bf3856ad364e35_10.0.19041.1_none_e6643fd4db9b8479\SystemPropertiesComputerName.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sensordataservice_31bf3856ad364e35_10.0.19041.746_none_dbfd31e3890afb72\SensorDataService.exe.tmp
  - File created C:\Windows\WinSxS\amd64_security-octagon-broker_31bf3856ad364e35_10.0.19041.84_none_51ae5c25baf813ff\r\SgrmBroker.exe.tmp
  - File opened for modification C:\Windows\WinSxS\wow64_caspol_b03f5f7f11d50a3a_4.0.15805.0_none_f0aa60ae9c531752\CasPol.exe
  - File created C:\Windows\WinSxS\amd64_microsoft-windows-a..eapplifetimemanager_31bf3856ad364e35_10.0.19041.746_none_45062eb997366a7f\RemoteAppLifetimeManager.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-com-runtimebroker_31bf3856ad364e35_10.0.19041.1_none_4c44763647728882\RuntimeBroker.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\mspaint.exe
  - File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mapi-mmga_31bf3856ad364e35_10.0.19041.746_none_be98bb8265bc211a\r\mmgaserver.exe.tmp
  - File created C:\Windows\WinSxS\wow64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_2cd9cc4237e09b91\r\PickerHost.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fsavailux_31bf3856ad364e35_10.0.19041.1_none_60b99066bd2f6d16\fsavailux.exe
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\hvsiproxyapp.exe
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\aspnetca.exe
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..nt-enrollmenthelper_31bf3856ad364e35_10.0.19041.746_none_18c3ddf7dbfedda0\PinEnrollmentBroker.exe
  - File created C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\f\sysprep.exe.tmp
  - File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dlna-mdeserver_31bf3856ad364e35_10.0.19041.746_none_b4017de081b11e02\r\MDEServer.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_10.0.19041.1_none_76c543231c2d8e03\wevtutil.exe
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.19041.1202_none_dfaaff89afe4f3d4\vdsldr.exe.tmp
  - File created C:\Windows\WinSxS\amd64_microsoft-windows-winlogon-tools_31bf3856ad364e35_10.0.19041.1_none_4a6487592c595dd4\mpnotify.exe.tmp
  - File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_10.0.19041.906_none_23e2379a6f03d0cb\gpupdate.exe.tmp
  - File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_2e31e8eed4b770c3\WmiApSrv.exe.tmp
  - File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.264_none_4b25f9be389a3a63\agentactivationruntimestarter.exe.tmp
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sysx32.exe)
- Suspicious use of WriteProcessMemory (5 IoCs)
  description / pid / Process / procid_target:
  - PID 4312 wrote to memory of 2068, 112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe, target 84
  - PID 4312 wrote to memory of 2068, 112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe, target 84
  - PID 4312 wrote to memory of 2068, 112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe, target 84
  - PID 4312 wrote to memory of 3980, 112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe, target 85
  - PID 4312 wrote to memory of 3980, 112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe, target 85
Processes
- C:\Users\Admin\AppData\Local\Temp\112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4312
  - C:\Windows\SysWOW64\sysx32.exe (level 2)
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 2068
  - C:\Users\Admin\AppData\Local\Temp\_112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\_112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe
    - Executes dropped EXE
    PID: 3980
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.1MB
  MD5: bed79f222c10a509136789998e4e3113
  SHA1: 441597c08915869b63480acac41790b7b88119db
  SHA256: d4d6e88e3dfeb378a18c6fbd54ab5e1ec27093036d048e7d09eebd51519791c5
  SHA512: 5802afdfe6d3dbd8b106e0bf99a67598412a482904c5a27e4e7fbe90bf0111badc2b83cb7d32f8aad7f6342620e058baf0e720af39f4b1f2f8e599557aa26e0d
- C:\Users\Admin\AppData\Local\Temp\_112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0.exe
  Filesize: 2.0MB
  MD5: df35d9172bf5a58117f2d813913bcc18
  SHA1: 96af63c8c77ff5c4f3f9bf30f60075440b6efe2e
  SHA256: 4a991aae43ada51c66d1cc2a8e31a6578838ecfb45f9c9c53d64f7d877afc086
  SHA512: 3a5a1194f5c33b86b8b596c1decdcc1d4cf911f1c8eb1e31c11e518ea7c8e0d33ce983405dd500db70cee499ae71e77d715c76affad0a842fde4ab03cd357104
- Filesize: 2.1MB
  MD5: 329a2103d99a25fbf2d790898f5bb955
  SHA1: 0c907ed25959a21e79b840bed88742e214f6c8f9
  SHA256: 112f97adc478d981255bc946cbb4f0a4abb312ab9c3092052db515944c27a4c0
  SHA512: c0332fa403c933ed0aee8ecbb40641eb96048b66f57587b885ae14f801b8e3ed32e2ea1e059740a8edc1607d4153b12dccbf3f77e9ea0422201d67120279c220