Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-10-2024 00:43
Static task: static1

Behavioral task: behavioral1
Sample: a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
Resource: win10v2004-20241007-en
General

Target: a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
Size: 4.3MB
MD5: 5a0aa688b7636d0652bc8df285e9086b
SHA1: d8fcfea3e6bbebf16ed389e7e2fdbae8e37309be
SHA256: a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231
SHA512: 3e56444ab2e7ded5c173fd5b5018dd12b8d2adf7b5b7eca28d1ff0a9dd9a5a7902a21e4907de6f2a8d8f4c66f4c9c15dd2a733a6fe7b210367e8a3ef0715fbe2
SSDEEP: 49152:9mr4rJLIQMaYkNU4CUPP/ax2KiPy9AuDzY:saZRUs/s2/Py9AuDzY
Malware Config
Signatures
Renames multiple (317) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE (2 IoCs)

| pid  | Process |
|------|---------|
| 4580 | sysx32.exe |
| 1380 | _a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe |

Adds Run key to start application (2 TTPs, 1 IoC)

| description | ioc | Process |
|-------------|-----|---------|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe |
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|-------------|-----|---------|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysx32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | _a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe |
Suspicious use of WriteProcessMemory (6 IoCs)

| description | pid | Process | procid_target |
|-------------|-----|---------|---------------|
| PID 5060 wrote to memory of 4580 | 5060 | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe | 84 |
| PID 5060 wrote to memory of 4580 | 5060 | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe | 84 |
| PID 5060 wrote to memory of 4580 | 5060 | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe | 84 |
| PID 5060 wrote to memory of 1380 | 5060 | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe | 85 |
| PID 5060 wrote to memory of 1380 | 5060 | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe | 85 |
| PID 5060 wrote to memory of 1380 | 5060 | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe | 85 |
Processes

C:\Users\Admin\AppData\Local\Temp\a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
"C:\Users\Admin\AppData\Local\Temp\a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 5060

  C:\Windows\SysWOW64\sysx32.exe
  C:\Windows\system32\sysx32.exe /scan
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 4580

  C:\Users\Admin\AppData\Local\Temp\_a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
  C:\Users\Admin\AppData\Local\Temp\_a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1380
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.3MB
MD5: 2f5e45b1d57b63dd0782dc957c4bf8ee
SHA1: a45ec51ed589430f9fccf971467e86f49c1972fb
SHA256: 4e72d100b2d653654f60bbf7d0a98228dc5c230b6bb909427d7d87d822f2c5c5
SHA512: 40ebc6295af6fd3c5d2b0640b7d19dd8241c15559f7c3a6f25ed3e899d240aa9adb2872dad3e8035c23b3c6c5a820b982c1a1dcffef568bec5ae0a104033020c

C:\Users\Admin\AppData\Local\Temp\_a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
Filesize: 4.3MB
MD5: caaf87a90d69d520b632dfcf2029873b
SHA1: ffb03fae6a211bf838d26170e83361eee7e118b5
SHA256: 40599251098f6128fee0974117033fa78a6aa783dc234d490c955e535edb208a
SHA512: d0449d9e37c67a71e3e9c42f3c2fa48c62de8a153520d3de030e79735fdc4ec913bf6a07c2bbbcc062a856ddfdc6443b97da2ccf807d8b52d3a072cd9b953cd8

Filesize: 4.3MB
MD5: 5a0aa688b7636d0652bc8df285e9086b
SHA1: d8fcfea3e6bbebf16ed389e7e2fdbae8e37309be
SHA256: a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231
SHA512: 3e56444ab2e7ded5c173fd5b5018dd12b8d2adf7b5b7eca28d1ff0a9dd9a5a7902a21e4907de6f2a8d8f4c66f4c9c15dd2a733a6fe7b210367e8a3ef0715fbe2