Analysis
-
max time kernel
147s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
21/10/2024, 00:26
Static task
static1
Behavioral task
behavioral1
Sample
8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
Resource
win10v2004-20241007-en
General
-
Target
8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
-
Size
3.5MB
-
MD5
9cf6a80022f22bcc2994fda5f6020620
-
SHA1
0f9af45d5db698b43881d4020371255502cca998
-
SHA256
8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3
-
SHA512
f9e0ce84dc9b910382d252fb2725d76f549fad7dfe64e4ea30c775d9c56417edee00b790c918f9a3ec0dc76c0091af93e051360b007a916b76adceee86252391
-
SSDEEP
49152:9RthomUdQ8h7D9S54+upeapeApIDn0apLKkLJU9nU2foKhA4vSWidGHp+NDGQUzS:GDOLv/LK3BDhtvS0Hpe4zbpaAKL
Malware Config
Signatures
-
Renames multiple (317) files with added filename extension
This suggests ransomware activity, i.e. encrypting all the files on the system.
-
Executes dropped EXE 2 IoCs
pid   Process
1076  sysx32.exe
3980  _8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                      Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"  8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: sysx32.exe File opened (read-only) \??\X: sysx32.exe File opened (read-only) \??\G: sysx32.exe File opened (read-only) \??\L: sysx32.exe File opened (read-only) \??\J: sysx32.exe File opened (read-only) \??\K: sysx32.exe File opened (read-only) \??\P: sysx32.exe File opened (read-only) \??\V: sysx32.exe File opened (read-only) \??\W: sysx32.exe File opened (read-only) \??\Y: sysx32.exe File opened (read-only) \??\E: sysx32.exe File opened (read-only) \??\H: sysx32.exe File opened (read-only) \??\Q: sysx32.exe File opened (read-only) \??\S: sysx32.exe File opened (read-only) \??\T: sysx32.exe File opened (read-only) \??\U: sysx32.exe File opened (read-only) \??\M: sysx32.exe File opened (read-only) \??\N: sysx32.exe File opened (read-only) \??\I: sysx32.exe File opened (read-only) \??\R: sysx32.exe File opened (read-only) \??\Z: sysx32.exe File opened (read-only) \??\A: sysx32.exe File opened (read-only) \??\B: sysx32.exe -
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sysx32.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
description                       pid   Process                                                                procid_target
PID 4784 wrote to memory of 1076  4784  8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe  84
PID 4784 wrote to memory of 1076  4784  8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe  84
PID 4784 wrote to memory of 1076  4784  8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe  84
PID 4784 wrote to memory of 3980  4784  8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe  85
PID 4784 wrote to memory of 3980  4784  8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe  85
Processes
-
C:\Users\Admin\AppData\Local\Temp\8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe"
(process tree level 1)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\sysx32.exe
Command line: C:\Windows\system32\sysx32.exe /scan
(process tree level 2)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1076
-
-
C:\Users\Admin\AppData\Local\Temp\_8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
Command line: C:\Users\Admin\AppData\Local\Temp\_8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
(process tree level 2)
- Executes dropped EXE
PID:3980
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.5MB
MD5 c103276721c18b7d7af4c7fc04147331
SHA1 c76ec6162e9e56b0004f925699a8ffadf81b49b4
SHA256 ddbc2f91b2c63e5cfef63a465dff344ed4144db2585acca94cddd2623dc121fc
SHA512 175f29b9dc0a79b5bde50a1c57f76000cfa4f8f44ca0a4a8107186c1b7d8445669f124a7b915473098d778f246e27177315850bcf18b277b0ed1943b946817ed
-
C:\Users\Admin\AppData\Local\Temp\_8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3.exe
Filesize 3.5MB
MD5 fb5e34a2ea241d01c85eca0665a40e5e
SHA1 afbe0ae677d65a01926ab51bb9934295d57588c0
SHA256 149f53bc41ce766b0a74af98bbd54e07183d74ec032ff79a75cf78d6a4d8ef17
SHA512 023d8551dd11ffc456d97e8af241927ebaf56dec2ad14e8617075e86da6f3ef622d53770bd3ce3d7b8547474ac291268ccd47d592355140ef7c24c267ea0d978
-
Filesize
3.5MB
MD5 9cf6a80022f22bcc2994fda5f6020620
SHA1 0f9af45d5db698b43881d4020371255502cca998
SHA256 8dbbe9797469ff1c3cee8d3e4f2aa83564df925249a11f51466d30e4198681f3
SHA512 f9e0ce84dc9b910382d252fb2725d76f549fad7dfe64e4ea30c775d9c56417edee00b790c918f9a3ec0dc76c0091af93e051360b007a916b76adceee86252391