Analysis
max time kernel: 108s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2024, 00:02
Static task: static1
Behavioral task: behavioral1
  Sample: f5b0ec79fc755b366122d05be574d80ad05a494601cce12e234f03da3a3c397bN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f5b0ec79fc755b366122d05be574d80ad05a494601cce12e234f03da3a3c397bN.exe
  Resource: win10v2004-20241007-en
General
Target: f5b0ec79fc755b366122d05be574d80ad05a494601cce12e234f03da3a3c397bN.exe
Size: 3.5MB
MD5: 3f8ad4fd18d8604f9b0ddcec3792b0e0
SHA1: 2d27ec1fd150d82b36199b2204d5333f4b905ace
SHA256: f5b0ec79fc755b366122d05be574d80ad05a494601cce12e234f03da3a3c397b
SHA512: 226d18f9941b8b1a32bc683f2418df159a2b33c88c83a89b4f9084852dab9ec042d50a2361e6bc3211edc3058c01df6d455f7c103051d077f9a6a4305ccc0efd
SSDEEP: 49152:91oKkLJU9nU2foKhA4vSWidGHp+NDGQUzbpDOfjxAkrL:joK3BDhtvS0Hpe4zbpaAKL
Malware Config
Signatures
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (1 IoC)
  pid   Process
  3680  sysx32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                       Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"  f5b0ec79fc755b366122d05be574d80ad05a494601cce12e234f03da3a3c397bN.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f5b0ec79fc755b366122d05be574d80ad05a494601cce12e234f03da3a3c397bN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sysx32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2052 wrote to memory of 3680  2052  f5b0ec79fc755b366122d05be574d80ad05a494601cce12e234f03da3a3c397bN.exe  84
  PID 2052 wrote to memory of 3680  2052  f5b0ec79fc755b366122d05be574d80ad05a494601cce12e234f03da3a3c397bN.exe  84
  PID 2052 wrote to memory of 3680  2052  f5b0ec79fc755b366122d05be574d80ad05a494601cce12e234f03da3a3c397bN.exe  84
Processes
- C:\Users\Admin\AppData\Local\Temp\f5b0ec79fc755b366122d05be574d80ad05a494601cce12e234f03da3a3c397bN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5b0ec79fc755b366122d05be574d80ad05a494601cce12e234f03da3a3c397bN.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2052
  - C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 3680
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.5MB
  MD5: 6a8f6ff032e8a58327f3498c016ab62e
  SHA1: be556ab7408eb71da5086a8a982201a996ca295f
  SHA256: 1c6be03babdcf3db2c643b8cc658e06cf5933d2eb55d5f2ce394796b22b0e884
  SHA512: 4f97893fd308e6fc3001c2e40ee1361655b524d2d2101ad52c61b7a13e212251f0a561f6ddb3300cfbd20994dba8ddce785d892dedd942286282386ab7fbff5c
- Filesize: 3.5MB
  MD5: 3f8ad4fd18d8604f9b0ddcec3792b0e0
  SHA1: 2d27ec1fd150d82b36199b2204d5333f4b905ace
  SHA256: f5b0ec79fc755b366122d05be574d80ad05a494601cce12e234f03da3a3c397b
  SHA512: 226d18f9941b8b1a32bc683f2418df159a2b33c88c83a89b4f9084852dab9ec042d50a2361e6bc3211edc3058c01df6d455f7c103051d077f9a6a4305ccc0efd