Analysis
- max time kernel: 141s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-10-2024 02:40
Static task: static1
Behavioral task: behavioral1
- Sample: c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
- Resource: win10v2004-20241007-en
General
- Target: c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
- Size: 7.8MB
- MD5: a684e113d61b961ea1126ee633c4f492
- SHA1: 9f7ae3a756dc41ad79d738fb7245a09259da115c
- SHA256: c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd
- SHA512: c495fef50a9080b6194411617d08e3da1f18166c1edb6e5943f6300feac614c16907b91d85b3d5e4280c4fbf30acdefe26a00cadb8fa9298cb5a11764b0e388d
- SSDEEP: 98304:HsjeYOrRn+os45gaHrhdw3D7nTsReRR9e:HO41dw4ReRR9e
Malware Config
Signatures
- Renames multiple (317) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  - 2464 | sysx32.exe
  - 1352 | _c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
  - File opened (read-only) | \??\S: | sysx32.exe
  - File opened (read-only) | \??\U: | sysx32.exe
  - File opened (read-only) | \??\E: | sysx32.exe
  - File opened (read-only) | \??\I: | sysx32.exe
  - File opened (read-only) | \??\O: | sysx32.exe
  - File opened (read-only) | \??\Y: | sysx32.exe
  - File opened (read-only) | \??\J: | sysx32.exe
  - File opened (read-only) | \??\Q: | sysx32.exe
  - File opened (read-only) | \??\V: | sysx32.exe
  - File opened (read-only) | \??\L: | sysx32.exe
  - File opened (read-only) | \??\M: | sysx32.exe
  - File opened (read-only) | \??\N: | sysx32.exe
  - File opened (read-only) | \??\P: | sysx32.exe
  - File opened (read-only) | \??\T: | sysx32.exe
  - File opened (read-only) | \??\B: | sysx32.exe
  - File opened (read-only) | \??\G: | sysx32.exe
  - File opened (read-only) | \??\H: | sysx32.exe
  - File opened (read-only) | \??\Z: | sysx32.exe
  - File opened (read-only) | \??\W: | sysx32.exe
  - File opened (read-only) | \??\X: | sysx32.exe
  - File opened (read-only) | \??\A: | sysx32.exe
  - File opened (read-only) | \??\K: | sysx32.exe
  - File opened (read-only) | \??\R: | sysx32.exe
- Drops file in System32 directory (64 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\SysWOW64\DpiScaling.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\provlaunch.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\raserver.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\resmon.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\SyncHost.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\WerFaultSecure.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\dialer.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\regedt32.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\schtasks.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\SndVol.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\sxstrace.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\findstr.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\Netplwiz.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\subst.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\SecEdit.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\at.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\autofmt.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\mavinject.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\msfeedssync.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\RdpSa.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\SystemPropertiesPerformance.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\wbem\WmiPrvSE.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\EaseOfAccessDialog.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\expand.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\ktmutil.exe | sysx32.exe
  - File created | C:\Windows\SysWOW64\perfhost.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\RunLegacyCPLElevated.exe | sysx32.exe
  - File created | C:\Windows\SysWOW64\colorcpl.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\SystemUWPLauncher.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\wbem\WMIC.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\dtdump.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\DWWIN.EXE.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\mmgaserver.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\newdev.exe | sysx32.exe
  - File created | C:\Windows\SysWOW64\stordiag.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\BackgroundTransferHost.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\EhStorAuthn.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\PkgMgr.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\UserAccountControlSettings.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\mstsc.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\OneDriveSetup.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\doskey.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\notepad.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\shutdown.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\userinit.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\cmdkey.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\GameBarPresenceWriter.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\Magnify.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\RdpSa.exe | sysx32.exe
  - File created | C:\Windows\SysWOW64\setx.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\WPDShextAutoplay.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\IME\SHARED\imecfmui.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\chkdsk.exe | sysx32.exe
  - File created | C:\Windows\SysWOW64\fc.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\netsh.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\PackagedCWALauncher.exe | sysx32.exe
  - File created | C:\Windows\SysWOW64\verifiergui.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\wsmprovhost.exe | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE.tmp | sysx32.exe
  - File opened for modification | C:\Windows\SysWOW64\certutil.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\Dism.exe.tmp | sysx32.exe
  - File created | C:\Windows\SysWOW64\dllhst3g.exe.tmp | sysx32.exe
- Drops file in Program Files directory (64 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoia.exe | sysx32.exe
  - File created | C:\Program Files (x86)\Windows Media Player\setup_wm.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | sysx32.exe
  - File created | C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp | sysx32.exe
  - File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE.tmp | sysx32.exe
  - File created | C:\Program Files\Windows NT\Accessories\wordpad.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | sysx32.exe
  - File created | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp | sysx32.exe
  - File created | C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe.tmp | sysx32.exe
  - File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpshare.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\7-Zip\7z.exe | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE | sysx32.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe.tmp | sysx32.exe
  - File created | C:\Program Files (x86)\Windows Media Player\wmlaunch.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | sysx32.exe
  - File created | C:\Program Files\Mozilla Firefox\updater.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | sysx32.exe
  - File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | sysx32.exe
  - File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe | sysx32.exe
  - File created | C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | sysx32.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE.tmp | sysx32.exe
  - File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp | sysx32.exe
  - File created | C:\Program Files\Java\jre-1.8\bin\javaw.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe | sysx32.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Windows Media Player\wmpnscfg.exe | sysx32.exe
  - File created | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp | sysx32.exe
  - File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp | sysx32.exe
  - File created | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | sysx32.exe
  - File created | C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe | sysx32.exe
  - File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE.tmp | sysx32.exe
  - File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files (x86)\Windows Media Player\wmplayer.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe | sysx32.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe | sysx32.exe
  - File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | sysx32.exe
  - File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpconfig.exe.tmp | sysx32.exe
  - File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | sysx32.exe
  - File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | sysx32.exe
  - File created | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp | sysx32.exe
  - File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe.tmp | sysx32.exe
- Drops file in Windows directory (64 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-rasclienttools_31bf3856ad364e35_10.0.19041.1_none_2f8c879e7c6f8b16\rasphone.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_c77fb947e9eed73b\f\cscript.exe | sysx32.exe
  - File created | C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\r\Utilman.exe.tmp | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.19041.423_none_895925637881788e\fixmapi.exe.tmp | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.19041.1266_none_3bcd0306a19592e2\Robocopy.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1_none_03cd5b18c0751679\mstsc.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-disksnapshot_31bf3856ad364e35_10.0.19041.1081_none_f52da7b1195e2d45\r\DiskSnapshot.exe.tmp | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\plasrv.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\wow64_windowssearchengine_31bf3856ad364e35_7.0.19041.1151_none_f68db62a3702882b\SearchProtocolHost.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\msil_hyperv-ux-ui-vmimport_31bf3856ad364e35_10.0.19041.1_none_db0db48be3885975\VMImport.exe | sysx32.exe
  - File created | C:\Windows\WinSxS\Temp\PendingDeletes\aa9a364536e5d701869a00001815341f.inetinfo.exe.tmp | sysx32.exe
  - File created | C:\Windows\WinSxS\wow64_microsoft-windows-xcopy_31bf3856ad364e35_10.0.19041.1_none_233b627ec80a87f1\xcopy.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.19041.1202_none_27f9f931a79d1cbe\r\mavinject.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\f\splwow64.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgusr.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\diskperf.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_edd345b6c42269da\rasautou.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..cecontroller-minwin_31bf3856ad364e35_10.0.19041.928_none_1d29b4735b607954\services.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_1a55178fad503598\ttdinject.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\sessionmsg.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.1202_none_23a707c9a0b5a8e1\f\LaunchTM.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-d..al-chinese-moimeexe_31bf3856ad364e35_10.0.19041.1_none_e73c658ee671e530\ChtIME.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1266_none_1833f07ce0c90b68\f\WpcUapApp.exe | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_microsoft-windows-tzutil_31bf3856ad364e35_10.0.19041.1_none_ea34e25ca28496c3\tzutil.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.84_none_9d98e005fb7852ca\r\SecurityHealthService.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-xcopy_31bf3856ad364e35_10.0.19041.1_none_233b627ec80a87f1\xcopy.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.0.19041.1202_none_5b834788c0d17953\r\iexplore.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-icm-ui_31bf3856ad364e35_10.0.19041.746_none_22a6ac8933ff6d5e\colorcpl.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-filehistory-core_31bf3856ad364e35_10.0.19041.264_none_92ee62a6d5b1c18a\fhmanagew.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ces-backgroundagent_31bf3856ad364e35_10.0.19041.1_none_b0876c2e7a0b3a5f\SpaceAgent.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\taskhostw.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.1_none_5c82be53abe61670\PnPUnattend.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-security-tokenbroker_31bf3856ad364e35_10.0.19041.1266_none_18784aba5fcd68cc\TokenBrokerCookies.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-update-usoclient_31bf3856ad364e35_10.0.19041.1266_none_23ae8c0349f1b325\UsoClient.exe.tmp | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.746_none_56f2f7338735a9a6\FXSCOVER.exe.tmp | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.153_none_47569e595c44e70c\FileExplorer.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-magnify_31bf3856ad364e35_10.0.19041.1266_none_e2f3aaf24de135ec\r\Magnify.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-bioenrollment.appxmain_31bf3856ad364e35_10.0.19041.844_none_de5d9fe254d9f8c4\f\BioEnrollmentHost.exe.tmp | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-trustlet_31bf3856ad364e35_10.0.19041.84_none_dd81fb99bc3b1e53\r\NgcIso.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux-dlg_31bf3856ad364e35_10.0.19041.746_none_7c508e4438cec899\phoneactivate.exe | sysx32.exe
  - File created | C:\Windows\WinSxS\wow64_microsoft-windows-grpconv_31bf3856ad364e35_10.0.19041.1_none_62cddcb4116c2175\grpconv.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-international-unattend_31bf3856ad364e35_10.0.19041.906_none_a892faef80a943dc\MuiUnattend.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.19041.1288_none_d616f4b76bd7b8a2\r\CustomInstallExec.exe.tmp | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.19041.264_none_3f30ef10158954bf\f\ApplyTrustOffline.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.264_none_5481650943811810\r\SpatialAudioLicenseSrv.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_10.0.19041.1_none_1f65f7473443d565\cmdl32.exe.tmp | sysx32.exe
  - File created | C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgport.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..atibility-assistant_31bf3856ad364e35_10.0.19041.1266_none_a88c5999d8585853\r\pcalua.exe | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\splwow64.exe.tmp | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-extcom_31bf3856ad364e35_10.0.19041.84_none_027c502c6e331223\SppExtComObj.Exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-r..pdate-oob-component_31bf3856ad364e35_10.0.19041.84_none_e539abe3d27f675f\rdvgm.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_10.0.19041.1_none_b89a948362edb3e7\sapisvr.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.19041.207_none_8d07de31084775c6\r\wuauclt.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.746_none_56f2f7338735a9a6\f\WFS.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.19041.746_none_ff52abd5cb47bbe1\r\lpremove.exe | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_microsoft-windows-mapi-mmga_31bf3856ad364e35_10.0.19041.746_none_b4441130315b5f1f\mmgaserver.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1_none_b29cb2f3845833b7\Microsoft.Uev.SyncController.exe | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorQuickStart.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-mobsyncexe_31bf3856ad364e35_10.0.19041.1_none_a541e711f3b2a478\mobsync.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_netfx-aspnet_regiis_exe_b03f5f7f11d50a3a_10.0.19041.1_none_8b6323099e7e4441\aspnet_regiis.exe | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.746_none_790f12933fbf7e0d\r\rmttpmvscmgrsvr.exe.tmp | sysx32.exe
  - File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1_none_b42ad8618bda36bd\TpmTool.exe.tmp | sysx32.exe
  - File created | C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.264_none_8bd2f5fc0c992e06\f\SearchFilterHost.exe.tmp | sysx32.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysx32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid process | target process):
  - PID 1732 wrote to memory of 2464 | 1732 c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe | sysx32.exe
  - PID 1732 wrote to memory of 2464 | 1732 c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe | sysx32.exe
  - PID 1732 wrote to memory of 2464 | 1732 c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe | sysx32.exe
  - PID 1732 wrote to memory of 1352 | 1732 c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe | _c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
  - PID 1732 wrote to memory of 1352 | 1732 c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe | _c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
  - PID 1732 wrote to memory of 1352 | 1732 c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe | _c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe"
  PID: 1732
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sysx32.exe (depth 2)
    Command line: C:\Windows\system32\sysx32.exe /scan
    PID: 2464
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
    PID: 1352
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7.8MB
  MD5: f6ed3c809e43a7f3eece2ef250d5bef7
  SHA1: bcef9d73da9a1e60f22c550d3a4839c03464b2c7
  SHA256: b4315278cde6a8b699f169b72a08dec1dbe31becfcc00ff719beee4d67059dc0
  SHA512: c3815d680a28c032a9bd19edd5f3f98a3b515f2a4c14ee91edb2b305b9ab4142080a396061db2646582ff2663d35734d64cae7a29726be179b164b7d1d94eed8
- C:\Users\Admin\AppData\Local\Temp\_c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd.exe
  Filesize: 7.8MB
  MD5: 895c7684ad7f63f3989bdb1273f2f4c5
  SHA1: 2bc9e4e31391ddf7b186ccf2915c0fd900bbd984
  SHA256: f13d6647b0bf26c7cc3cbaad23f11c59bbf90c2469d5ea7041d3491973ae5680
  SHA512: badbefdbae543919a7e98f0972f74c5b78edd3eea7c9fd00d44d7a39e02ffaf001cb7bae8baa82ea856578e111d5274d4d244a63947a403f4161d1029ea54575
- Filesize: 7.8MB
  MD5: a684e113d61b961ea1126ee633c4f492
  SHA1: 9f7ae3a756dc41ad79d738fb7245a09259da115c
  SHA256: c129ffd83c2cb98d073379f1843b46aad759ec0eb4804f99387aa9562719dedd
  SHA512: c495fef50a9080b6194411617d08e3da1f18166c1edb6e5943f6300feac614c16907b91d85b3d5e4280c4fbf30acdefe26a00cadb8fa9298cb5a11764b0e388d