Analysis
- max time kernel: 108s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-10-2024 03:26
Static task
- static1
Behavioral task
- behavioral1: sample 33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe, resource win7-20240903-en
Behavioral task
- behavioral2: sample 33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe, resource win10v2004-20241007-en
General
- Target: 33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe
- Size: 2.2MB
- MD5: 6d8de13999ca4008e8256d3a252c6250
- SHA1: 65440dc146439b0b7877f49f2f766dbdf564c4b1
- SHA256: 33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206
- SHA512: 816f6a429534dc7b4bc56e78be95008f8d1c28ccc237d424efb98adad8a3e7afe42694b4021df7a528412712e3fbb28a1136389f928efa75f1fbca1142133cac
- SSDEEP: 24576:9jnxGj4svqaShRsUiTfjo5ya8j8bCVcPM9W4OnkSCIpUlZXUbOpz:9sj4svqaShRibza82ecXpUlZX3pz
Malware Config
Signatures
-
Renames multiple (316) files with added filename extension
The sandbox reads this as ransomware-style activity, i.e. encrypting files across the system. Read the heuristic together with the drop tables below: every listed target there is a .exe or its .exe.tmp companion under System32, Program Files or WinSxS, and no user documents appear among the listed IoCs.
-
Executes dropped EXE 1 IoCs
pid  Process
4076  sysx32.exe
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"  33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe
The key lands in the WOW6432Node view, which is what a 32-bit writer produces on x64. For the same reason the C:\Windows\system32 path in the value resolves to C:\Windows\SysWOW64 under WOW64 file system redirection, matching the image path of sysx32.exe in the process tree below.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only) by sysx32.exe on \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:, D: and F:)
Drops file in System32 directory 64 IoCs
description  ioc  (Process: sysx32.exe for every row)
File opened for modification  C:\Windows\SysWOW64\ROUTE.EXE
File opened for modification  C:\Windows\SysWOW64\TokenBrokerCookies.exe.tmp
File opened for modification  C:\Windows\SysWOW64\wecutil.exe.tmp
File opened for modification  C:\Windows\SysWOW64\winver.exe.tmp
File opened for modification  C:\Windows\SysWOW64\attrib.exe
File created  C:\Windows\SysWOW64\compact.exe.tmp
File opened for modification  C:\Windows\SysWOW64\msdt.exe.tmp
File opened for modification  C:\Windows\SysWOW64\rasphone.exe.tmp
File created  C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe.tmp
File opened for modification  C:\Windows\SysWOW64\regedt32.exe.tmp
File opened for modification  C:\Windows\SysWOW64\charmap.exe
File created  C:\Windows\SysWOW64\cttune.exe.tmp
File created  C:\Windows\SysWOW64\Fondue.exe.tmp
File opened for modification  C:\Windows\SysWOW64\PING.EXE
File opened for modification  C:\Windows\SysWOW64\getmac.exe.tmp
File opened for modification  C:\Windows\SysWOW64\Dism\DismHost.exe
File opened for modification  C:\Windows\SysWOW64\ThumbnailExtractionHost.exe.tmp
File opened for modification  C:\Windows\SysWOW64\UserAccountBroker.exe
File created  C:\Windows\SysWOW64\dplaysvr.exe.tmp
File created  C:\Windows\SysWOW64\iscsicpl.exe.tmp
File opened for modification  C:\Windows\SysWOW64\PackagedCWALauncher.exe
File created  C:\Windows\SysWOW64\setup16.exe.tmp
File opened for modification  C:\Windows\SysWOW64\RpcPing.exe.tmp
File opened for modification  C:\Windows\SysWOW64\ThumbnailExtractionHost.exe
File opened for modification  C:\Windows\SysWOW64\agentactivationruntimestarter.exe.tmp
File opened for modification  C:\Windows\SysWOW64\credwiz.exe.tmp
File opened for modification  C:\Windows\SysWOW64\dllhost.exe
File created  C:\Windows\SysWOW64\RdpSaUacHelper.exe.tmp
File opened for modification  C:\Windows\SysWOW64\userinit.exe
File opened for modification  C:\Windows\SysWOW64\eudcedit.exe.tmp
File created  C:\Windows\SysWOW64\ieUnatt.exe.tmp
File created  C:\Windows\SysWOW64\RMActivate_ssp_isv.exe.tmp
File created  C:\Windows\SysWOW64\Taskmgr.exe.tmp
File opened for modification  C:\Windows\SysWOW64\fsquirt.exe.tmp
File opened for modification  C:\Windows\SysWOW64\ftp.exe
File opened for modification  C:\Windows\SysWOW64\typeperf.exe.tmp
File created  C:\Windows\SysWOW64\sfc.exe.tmp
File created  C:\Windows\SysWOW64\unregmp2.exe.tmp
File created  C:\Windows\SysWOW64\convert.exe.tmp
File opened for modification  C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe.tmp
File opened for modification  C:\Windows\SysWOW64\provlaunch.exe.tmp
File created  C:\Windows\SysWOW64\regini.exe.tmp
File created  C:\Windows\SysWOW64\bitsadmin.exe.tmp
File opened for modification  C:\Windows\SysWOW64\setupugc.exe.tmp
File created  C:\Windows\SysWOW64\srdelayed.exe.tmp
File created  C:\Windows\SysWOW64\ComputerDefaults.exe.tmp
File opened for modification  C:\Windows\SysWOW64\eventcreate.exe
File created  C:\Windows\SysWOW64\fontview.exe.tmp
File opened for modification  C:\Windows\SysWOW64\WerFaultSecure.exe
File opened for modification  C:\Windows\SysWOW64\InstallShield\setup.exe.tmp
File opened for modification  C:\Windows\SysWOW64\DWWIN.EXE
File opened for modification  C:\Windows\SysWOW64\ktmutil.exe
File created  C:\Windows\SysWOW64\wiaacmgr.exe.tmp
File opened for modification  C:\Windows\SysWOW64\wiaacmgr.exe
File opened for modification  C:\Windows\SysWOW64\DevicePairingWizard.exe.tmp
File created  C:\Windows\SysWOW64\TRACERT.EXE.tmp
File created  C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe.tmp
File opened for modification  C:\Windows\SysWOW64\cleanmgr.exe.tmp
File created  C:\Windows\SysWOW64\reg.exe.tmp
File opened for modification  C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE
File opened for modification  C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE
File opened for modification  C:\Windows\SysWOW64\fontdrvhost.exe.tmp
File opened for modification  C:\Windows\SysWOW64\RMActivate_ssp_isv.exe.tmp
File created  C:\Windows\SysWOW64\rundll32.exe.tmp
Drops file in Program Files directory 64 IoCs
description  ioc  (Process: sysx32.exe for every row)
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\ktab.exe
File created  C:\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp
File opened for modification  C:\Program Files\Windows Mail\wabmig.exe.tmp
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\serialver.exe
File created  C:\Program Files\Java\jre-1.8\bin\orbd.exe.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE
File created  C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.tmp
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe.tmp
File created  C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp
File created  C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp
File created  C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe.tmp
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe.tmp
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
File created  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe.tmp
File created  C:\Program Files\Windows Media Player\wmpnscfg.exe.tmp
File created  C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe.tmp
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe.tmp
File created  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe.tmp
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.tmp
File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe
File created  C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe.tmp
File created  C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe
File created  C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp
File created  C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp
File created  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp
File opened for modification  C:\Program Files (x86)\Internet Explorer\ExtExport.exe.tmp
File created  C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\msotd.exe.tmp
File opened for modification  C:\Program Files\Mozilla Firefox\default-browser-agent.exe.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp
File created  C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe.tmp
File opened for modification  C:\Program Files\Mozilla Firefox\crashreporter.exe
File opened for modification  C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
File created  C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe.tmp
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.tmp
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe
File created  C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp
File created  C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
File created  C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.tmp
File opened for modification  C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.tmp
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe.tmp
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe
Drops file in Windows directory 64 IoCs
description  ioc  (Process: sysx32.exe for every row)
File created  C:\Windows\WinSxS\amd64_edmgen_b77a5c561934e089_4.0.15805.0_none_ae80a3049486a75f\EdmGen.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\relog.exe
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.1_none_86e0e6ce46c9ed74\WinRTNetMUAHostServer.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-xbox-gamecallableui.appxmain_31bf3856ad364e35_10.0.19041.746_none_0119299746221375\XBox.TCUI.exe.tmp
File created  C:\Windows\WinSxS\wow64_microsoft-windows-charmap_31bf3856ad364e35_10.0.19041.1_none_b29f753478196f5e\charmap.exe.tmp
File created  C:\Windows\WinSxS\wow64_microsoft-windows-filtermanager-utils_31bf3856ad364e35_10.0.19041.546_none_01dba454b887ba53\fltMC.exe.tmp
File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-icm-ui_31bf3856ad364e35_10.0.19041.746_none_22a6ac8933ff6d5e\colorcpl.exe.tmp
File created  C:\Windows\WinSxS\x86_netfx-csharp_compiler_csc_b03f5f7f11d50a3a_10.0.19041.1_none_bf6140efbe1a7808\csc.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-getmac_31bf3856ad364e35_10.0.19041.1_none_c1efa43e415898e4\getmac.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1_none_595f2a7acaf53bba\WpcUapApp.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_10.0.19041.264_none_02eb5d2ec5a9ec02\sdclt.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.19041.1202_none_cc0c3d35675da3a1\r\appidcertstorecheck.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1_none_b29cb2f3845833b7\Microsoft.Uev.CscUnpinTool.exe
File created  C:\Windows\WinSxS\amd64_microsoft-windows-icm-dccw_31bf3856ad364e35_10.0.19041.1_none_d0dfb9642de0d432\dccw.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\f\iisrstas.exe
File created  C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.19041.1151_none_0f2f3a9cb1826509\nltest.exe.tmp
File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.19041.264_none_08acfd4a9926561a\wermgr.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-d..b-standardcollector_31bf3856ad364e35_10.0.19041.264_none_0f23d07ed2574292\r\DiagnosticsHub.StandardCollector.Service.exe.tmp
File created  C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\AppVNice.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.1_none_5106d54a804dbfc3\rmttpmvscmgrsvr.exe.tmp
File created  C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.264_none_583d67d6d00b6b6a\f\WerFault.exe.tmp
File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.0.19041.1_none_239932b75896a716\ieUnatt.exe.tmp
File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_216932a6d29366ce\typeperf.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.19041.1_none_3d521dedd6c76700\hcsdiag.exe
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-d..mnotificationbroker_31bf3856ad364e35_10.0.19041.1_none_7da5a59f860f2406\DmNotificationBroker.exe
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-f..ysafety-refreshtask_31bf3856ad364e35_10.0.19041.1266_none_d375b5361b806b32\r\WpcTok.exe
File created  C:\Windows\WinSxS\amd64_microsoft-windows-s..riencehost.appxmain_31bf3856ad364e35_10.0.19041.610_none_d94fa044111e8308\StartMenuExperienceHost.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-onecore-tetheringservice_31bf3856ad364e35_10.0.19041.1_none_43a1294286598aee\IcsEntitlementHost.exe
File created  C:\Windows\WinSxS\amd64_microsoft-windows-atbroker_31bf3856ad364e35_10.0.19041.1023_none_4478665ed379a3fc\r\AtBroker.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.153_none_70cb6ca43c818606\cmimageworker.exe
File created  C:\Windows\WinSxS\amd64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.19041.1266_none_3bcd0306a19592e2\Robocopy.exe.tmp
File opened for modification  C:\Windows\regedit.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-client-li..m-service-migration_31bf3856ad364e35_10.0.19041.84_none_8ea6a37043f4ae90\r\ClipUp.exe
File created  C:\Windows\WinSxS\wow64_microsoft-windows-muicachebuilder_31bf3856ad364e35_10.0.19041.1_none_da52541188969d5e\mcbuilder.exe.tmp
File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_908b22903a403149\ndadmin.exe
File opened for modification  C:\Windows\WinSxS\x86_microsoft-windows-ie-impexp-extexport_31bf3856ad364e35_11.0.19041.1_none_bbc1ad79155f896a\ExtExport.exe
File created  C:\Windows\WinSxS\x86_microsoft-windows-isoburn_31bf3856ad364e35_10.0.19041.746_none_680d56683fad152b\r\isoburn.exe.tmp
File created  C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1_none_b29cb2f3845833b7\ApplySettingsTemplateCatalog.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpshell.exe
File created  C:\Windows\WinSxS\amd64_windows-application..egistrationverifier_31bf3856ad364e35_10.0.19041.746_none_64e9b1de23df7cf4\AppHostRegistrationVerifier.exe.tmp
File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_10.0.19041.1_none_4b527e92ee1ad1e5\cmd.exe
File opened for modification  C:\Windows\WinSxS\amd64_datasvcutil_b77a5c561934e089_4.0.15805.0_none_5b1ada239e3b0505\DataSvcUtil.exe.tmp
File created  C:\Windows\WinSxS\amd64_microsoft-windows-installer-executable_31bf3856ad364e35_10.0.19041.1_none_ff72825025776920\msiexec.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-rasclienttools_31bf3856ad364e35_10.0.19041.1266_none_e40ca34e5de298c9\rasphone.exe.tmp
File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.1266_none_e20a2c618eea3856\r\agentactivationruntimestarter.exe
File created  C:\Windows\WinSxS\wow64_microsoft-windows-magnify_31bf3856ad364e35_10.0.19041.1_none_2e738f426c6e2839\Magnify.exe.tmp
File created  C:\Windows\WinSxS\wow64_microsoft-windows-runlegacycplelevated_31bf3856ad364e35_10.0.19041.1_none_d151c6f3c90b1e0b\RunLegacyCPLElevated.exe.tmp
File opened for modification  C:\Windows\WinSxS\x86_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.844_none_c171e0be75e709de\r\dsdbutil.exe.tmp
File created  C:\Windows\WinSxS\amd64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.746_none_4028b8f4f6c0b829\wpr.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-ieframe_31bf3856ad364e35_11.0.19041.1288_none_1d22271c8cc35d4b\IESettingSync.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.19041.117_none_1db60e061b48335a\f\bash.exe
File created  C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.1266_none_fb98272b39a47240\MoUsoCoreWorker.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\r\ssh-add.exe.tmp
File created  C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.1_none_913591207b2aaf6f\WinRTNetMUAHostServer.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\AppVDllSurrogate.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.789_none_e07abbe9902a4f60\f\Utilman.exe
File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-com-complus-setup_31bf3856ad364e35_10.0.19041.746_none_d1f5ce67827e350f\mtstocom.exe
File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-filtermanager-utils_31bf3856ad364e35_10.0.19041.546_none_01dba454b887ba53\f\fltMC.exe.tmp
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe.tmp
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-u..client-decoder-host_31bf3856ad364e35_10.0.19041.662_none_0070027dab4e4ffe\f\UtcDecoderHost.exe
File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_aee92417063babbe\WinRTNetMUAHostServer.exe
File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_49716c2392052aca\relog.exe.tmp
File created  C:\Windows\WinSxS\x86_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_b22e8a4512f5879a\WFServicesReg.exe.tmp
File created  C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe.tmp
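The three drop tables above arrive as a single run-together line each, which makes the one observation that matters here hard to see: the same executable shows up twice, once as the original and once as an `.exe.tmp` companion. The script below is an added example, not tooling from the sandbox: it parses rows in that flattened layout into records, pairs each `.exe` with its `.exe.tmp` sibling, checks whether anything other than an executable is listed, and turns the Run-key row into a structured record. The excerpts embedded in it are rows copied from this report (drop rows, three drive rows, the Run-key row); the regexes assume the extracted one-line layout and would need adjusting for the live page.

```python
"""Parse the flattened IoC tables above into records and check what a reviewer
would want to know before accepting the ransomware heuristic: which targets
carry a .exe / .exe.tmp pair, and whether anything other than an executable is
listed. Added example, not tooling from the sandbox."""
import re
from collections import defaultdict

# Constructed excerpt: rows copied from the report's "Drops file in System32
# directory" and "Drops file in Program Files directory" tables, in the
# run-together one-line form the extracted page uses.
DROP_EXCERPT = (
    r"File opened for modification C:\Windows\SysWOW64\ROUTE.EXE sysx32.exe "
    r"File created C:\Windows\SysWOW64\compact.exe.tmp sysx32.exe "
    r"File created C:\Windows\SysWOW64\wiaacmgr.exe.tmp sysx32.exe "
    r"File opened for modification C:\Windows\SysWOW64\wiaacmgr.exe sysx32.exe "
    r"File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe sysx32.exe "
    r"File created C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe.tmp sysx32.exe "
    r"File created C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.tmp sysx32.exe"
)

# Constructed excerpt: three rows from the "Enumerates connected drives" table.
DRIVE_EXCERPT = (
    r"File opened (read-only) \??\H: sysx32.exe "
    r"File opened (read-only) \??\J: sysx32.exe "
    r"File opened (read-only) \??\A: sysx32.exe"
)

# The "Adds Run key" row; the report prints the data with doubled backslashes.
RUN_KEY_LINE = (
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
    r"\CurrentVersion\Run\sys32 = "
    r'"C:\\Windows\\system32\\sysx32.exe" '
    r"33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe"
)

# One row is <action> <path, may contain spaces> <process>. The process column is
# a single token with no backslash, and the lookahead stops the lazy path at the
# real process column rather than at a space inside "Program Files (x86)".
ROW = re.compile(
    r"(?P<action>File opened for modification|File created|File opened \(read-only\))\s+"
    r"(?P<path>.+?)\s+(?P<process>[^\s\\]+\.exe)(?=\s+File |\s*$)"
)
RUN_KEY = re.compile(r'Set value \(str\) (?P<key>\S+) = "(?P<data>[^"]*)" (?P<process>\S+)')


def parse_rows(text):
    """Split a flattened signature table into action/path/process records."""
    return [m.groupdict() for m in ROW.finditer(text)]


def drop_targets(rows):
    """Group rows by original executable: X.exe and X.exe.tmp both map to X.exe."""
    targets = defaultdict(set)
    for row in rows:
        path = row["path"]
        original = path[:-4] if path.lower().endswith(".tmp") else path
        targets[original].add(path)
    return targets


def paired_targets(rows):
    """Originals for which the report lists both the .exe and its .exe.tmp sibling."""
    return sorted(t for t, paths in drop_targets(rows).items()
                  if t in paths and t + ".tmp" in paths)


def non_executable_targets(rows):
    """Targets that are not .exe files; empty means every listed drop is an executable."""
    return sorted(t for t in drop_targets(rows) if not t.lower().endswith(".exe"))


def enumerated_drives(text):
    """Drive letters whose root was opened read-only, from the drives table."""
    return sorted(r["path"][-2] for r in parse_rows(text)
                  if r["action"] == "File opened (read-only)" and r["path"].endswith(":"))


def run_key_record(line):
    """Structured view of the Run-key row. A WOW6432Node key and a system32 path
    written by a 32-bit process are consistent: WOW64 file system redirection
    maps that path to SysWOW64, where the process tree shows sysx32.exe running."""
    m = RUN_KEY.match(line)
    if m is None:
        return None
    key_path, value_name = m.group("key").rsplit("\\", 1)
    return {
        "key": key_path,
        "value_name": value_name,
        "data": m.group("data").replace("\\\\", "\\"),
        "wow64_view": "WOW6432Node" in key_path,
        "writer": m.group("process"),
    }


if __name__ == "__main__":
    rows = parse_rows(DROP_EXCERPT)
    print("paired .exe/.exe.tmp targets:", paired_targets(rows))
    print("non-executable targets:", non_executable_targets(rows))
    print("drives enumerated:", enumerated_drives(DRIVE_EXCERPT))
    print("persistence:", run_key_record(RUN_KEY_LINE))
```

On the excerpt, `paired_targets` returns `wiaacmgr.exe` and `GoogleCrashHandler64.exe`, `non_executable_targets` returns nothing, and the persistence record carries `wow64_view=True` with the data unescaped to a single-backslash path. Feeding it the full tables shows the same shape: every target is an executable, and the `.tmp` companions line up with originals that were opened for modification.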
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sysx32.exe
Suspicious use of WriteProcessMemory 3 IoCs
description  pid  Process  procid_target
PID 3336 wrote to memory of 4076  3336  33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe  86
PID 3336 wrote to memory of 4076  3336  33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe  86
PID 3336 wrote to memory of 4076  3336  33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe  86
Processes
- C:\Users\Admin\AppData\Local\Temp\33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe (PID 3336)
  Command line: "C:\Users\Admin\AppData\Local\Temp\33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sysx32.exe (PID 4076, child of 3336)
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.2MB
  MD5: fd97e598d27823df9104e939fd0550c2
  SHA1: c2345fbe3a077b2701a54a581613a9c82885b493
  SHA256: 0b6db05f074af3485e96a29dfbc3c0e428f4dc36455705cec29670b4b5bfd692
  SHA512: 9adc5c291bb44b14c16a32c32226dce326b53b51ad83f8fe609e17c6829fe561f9116168b87c64a1a82c4deed24c95e4e3529f2cefac8f37b1099c08387525d5
- Filesize: 2.2MB (same hashes as the submitted sample in the General section)
  MD5: 6d8de13999ca4008e8256d3a252c6250
  SHA1: 65440dc146439b0b7877f49f2f766dbdf564c4b1
  SHA256: 33f04ab024e7fa6671160bb21df86b055cd530705f477fa46af1c2e5fbc30206
  SHA512: 816f6a429534dc7b4bc56e78be95008f8d1c28ccc237d424efb98adad8a3e7afe42694b4021df7a528412712e3fbb28a1136389f928efa75f1fbca1142133cac