Analysis
max time kernel: 142s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-10-2024 00:40

Static task: static1

Behavioral task: behavioral1
Sample: a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
Resource: win10v2004-20241007-en
General
Target: a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
Size: 4.3MB
MD5: 5a0aa688b7636d0652bc8df285e9086b
SHA1: d8fcfea3e6bbebf16ed389e7e2fdbae8e37309be
SHA256: a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231
SHA512: 3e56444ab2e7ded5c173fd5b5018dd12b8d2adf7b5b7eca28d1ff0a9dd9a5a7902a21e4907de6f2a8d8f4c66f4c9c15dd2a733a6fe7b210367e8a3ef0715fbe2
SSDEEP: 49152:9mr4rJLIQMaYkNU4CUPP/ax2KiPy9AuDzY:saZRUs/s2/Py9AuDzY
Malware Config
Signatures
Renames multiple (298) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE (2 IoCs)
pid | Process
4216 | sysx32.exe
1340 | _a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe

Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | sysx32.exe
File opened (read-only) | \??\B: | sysx32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\dtdump.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\comp.exe | sysx32.exe
File created | C:\Windows\SysWOW64\RpcPing.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\SearchProtocolHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\dvdplay.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\fontdrvhost.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\ftp.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\proquota.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\ReAgentc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\WWAHost.exe | sysx32.exe
File created | C:\Windows\SysWOW64\eudcedit.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\mshta.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\netbtugc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\rrinstaller.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\sc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\wscadminui.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\MuiUnattend.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\powercfg.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\SystemPropertiesComputerName.exe | sysx32.exe
File created | C:\Windows\SysWOW64\ThumbnailExtractionHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\TokenBrokerCookies.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\UserAccountBroker.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\ieUnatt.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\ntprint.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\PresentationHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\proquota.exe | sysx32.exe
File created | C:\Windows\SysWOW64\tracerpt.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\Com\MigRegDB.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\curl.exe | sysx32.exe
File created | C:\Windows\SysWOW64\ftp.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\systray.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\Dism.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\RMActivate.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\write.exe | sysx32.exe
File created | C:\Windows\SysWOW64\autofmt.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\bitsadmin.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\GameBarPresenceWriter.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\GameBarPresenceWriter.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\Magnify.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\SearchProtocolHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\wextract.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\agentactivationruntimestarter.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\xwizard.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\clip.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\cmstp.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\RMActivate.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\backgroundTaskHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\BackgroundTransferHost.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\cipher.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\printui.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\winrshost.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\cttune.exe | sysx32.exe
File created | C:\Windows\SysWOW64\doskey.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\expand.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\GamePanel.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\psr.exe | sysx32.exe
File created | C:\Windows\SysWOW64\Register-CimProvider.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\SystemPropertiesProtection.exe | sysx32.exe
File created | C:\Windows\SysWOW64\wscript.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WmiPrvSE.exe.tmp | sysx32.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | sysx32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe.tmp | sysx32.exe
File created | C:\Program Files (x86)\Internet Explorer\ielowutil.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe | sysx32.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe.tmp | sysx32.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | sysx32.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Windows NT\Accessories\wordpad.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE | sysx32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmprph.exe | sysx32.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.tmp | sysx32.exe
File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe.tmp | sysx32.exe
File created | C:\Program Files\7-Zip\7zFM.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | sysx32.exe
File created | C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp | sysx32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.tmp | sysx32.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | sysx32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe | sysx32.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\r\AppVDllSurrogate.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..extservice.appxmain_31bf3856ad364e35_10.0.19041.1_none_04930b2bd1f9871f\Microsoft.AsyncTextService.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\f\SyncAppvPublishingServer.exe | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-hns-diagnosticstool_31bf3856ad364e35_10.0.19041.423_none_841c30f68571c385\hnsdiag.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_caspol_b03f5f7f11d50a3a_10.0.19041.1_none_e51212a36c631d23\CasPol.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-client-li..ing-platform-client_31bf3856ad364e35_10.0.19041.1266_none_7e2b6be969016c27\f\licensingdiag.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\r\ScriptRunner.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_hyperv-vmsp_31bf3856ad364e35_10.0.19041.1_none_39d506065bd87607\vmsp.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-client-li..m-service-migration_31bf3856ad364e35_10.0.19041.84_none_8ea6a37043f4ae90\ClipUp.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_10.0.19041.928_none_6012c8cabf808ff7\r\pcaui.exe | sysx32.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\AddSuggestedFoldersToLibraryDialog.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.264_none_0e32f443c4669fed\f\hvix64.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.264_none_1477a882bdce0df2\r\vmms.exe.tmp | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe.tmp | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1_none_b817dbd29134ec4d\GameBarPresenceWriter.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.19041.928_none_6571ff6e96271a64\hcsdiag.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.746_none_4b0a936d86cdd479\r\windeploy.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..esslockapp.appxmain_31bf3856ad364e35_10.0.19041.1_none_eddf8132c42e0857\AssignedAccessLockApp.exe.tmp | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_aspnet_regsql_b03f5f7f11d50a3a_4.0.15805.0_none_aadf84cda75da02d\aspnet_regsql.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..perience-ait-static_31bf3856ad364e35_10.0.19041.1202_none_a5a4c3f2637b55fa\aitstatic.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1_none_9613f8b833f2e8f1\ByteCodeGenerator.exe | sysx32.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.264_none_d58a0ca50a94510c\vmcompute.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\f\SyncAppvPublishingServer.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.1266_none_d7b5820f5a89765b\agentactivationruntimestarter.exe.tmp | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-client-li..ing-platform-client_31bf3856ad364e35_10.0.19041.1266_none_7e2b6be969016c27\f\licensingdiag.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.264_none_0e32f443c4669fed\r\hvix64.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..lity-eoaexperiences_31bf3856ad364e35_10.0.19041.746_none_c291aefd01a5d6d6\EoAExperiences.exe | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_bsdtar_31bf3856ad364e35_10.0.19041.1_none_0c1f19c50b5e5f6e\tar.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\AppVShNotify.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..roblemstepsrecorder_31bf3856ad364e35_10.0.19041.746_none_b8eadbf8a9c907b3\f\psr.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.1288_none_6c70124c60e2b4ef\r\vmcompute.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-e..taprotectioncleanup_31bf3856ad364e35_10.0.19041.789_none_b38221af158e5881\f\EDPCleanup.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-tetheringservice_31bf3856ad364e35_10.0.19041.746_none_6ba9668b45cb4938\r\IcsEntitlementHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-uevservice_31bf3856ad364e35_10.0.19041.1288_none_f26bd0dcdf662cc9\f\AgentService.exe | sysx32.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AssignedAccessLockApp.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.19041.1_none_3d521dedd6c76700\hcsdiag.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-console-host-core_31bf3856ad364e35_10.0.19041.1288_none_e25de9f9d964cdad\r\conhost.exe | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe.tmp | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe.tmp | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe.tmp | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe.tmp | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.1_none_23025624c75c162f\oobeldr.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..eapplifetimemanager_31bf3856ad364e35_10.0.19041.746_none_45062eb997366a7f\r\RemoteAppLifetimeManager.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..extservice.appxmain_31bf3856ad364e35_10.0.19041.423_none_2cade1bc915dca0d\r\Microsoft.AsyncTextService.exe.tmp | sysx32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysx32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | _a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4872 wrote to memory of 4216 | 4872 | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe | 84
PID 4872 wrote to memory of 4216 | 4872 | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe | 84
PID 4872 wrote to memory of 4216 | 4872 | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe | 84
PID 4872 wrote to memory of 1340 | 4872 | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe | 85
PID 4872 wrote to memory of 1340 | 4872 | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe | 85
PID 4872 wrote to memory of 1340 | 4872 | a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe (PID 4872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sysx32.exe (PID 4216, child of 4872)
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\_a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe (PID 1340, child of 4872)
    Command line: C:\Users\Admin\AppData\Local\Temp\_a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4.3MB
MD5: 2f5e45b1d57b63dd0782dc957c4bf8ee
SHA1: a45ec51ed589430f9fccf971467e86f49c1972fb
SHA256: 4e72d100b2d653654f60bbf7d0a98228dc5c230b6bb909427d7d87d822f2c5c5
SHA512: 40ebc6295af6fd3c5d2b0640b7d19dd8241c15559f7c3a6f25ed3e899d240aa9adb2872dad3e8035c23b3c6c5a820b982c1a1dcffef568bec5ae0a104033020c

C:\Users\Admin\AppData\Local\Temp\_a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231.exe
Filesize: 4.3MB
MD5: caaf87a90d69d520b632dfcf2029873b
SHA1: ffb03fae6a211bf838d26170e83361eee7e118b5
SHA256: 40599251098f6128fee0974117033fa78a6aa783dc234d490c955e535edb208a
SHA512: d0449d9e37c67a71e3e9c42f3c2fa48c62de8a153520d3de030e79735fdc4ec913bf6a07c2bbbcc062a856ddfdc6443b97da2ccf807d8b52d3a072cd9b953cd8

Filesize: 4.3MB
MD5: 5a0aa688b7636d0652bc8df285e9086b
SHA1: d8fcfea3e6bbebf16ed389e7e2fdbae8e37309be
SHA256: a5482ac8e21a9dd72a8391748b68fcc47c75bb5d6b9557e8ef747beb2db3e231
SHA512: 3e56444ab2e7ded5c173fd5b5018dd12b8d2adf7b5b7eca28d1ff0a9dd9a5a7902a21e4907de6f2a8d8f4c66f4c9c15dd2a733a6fe7b210367e8a3ef0715fbe2