Analysis
- max time kernel: 144s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 01-11-2024 09:25
Static task: static1
Behavioral task: behavioral1
- Sample: 7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe
- Resource: win10v2004-20241007-en
General
- Target: 7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe
- Size: 4.3MB
- MD5: bf063d9fda89348906086c3b8ec1a6b4
- SHA1: df24129fa947d9fb34901f629e04ffa17065f053
- SHA256: 7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb
- SHA512: fa7c707b1ab15280e618b72245e18f974ef20f5de88cc4af25354401ee27dc0c06ba90b1d8f50b0a8ee6ea92967cca98d8dc831e9ae7643199bb9cafe8456fa3
- SSDEEP: 24576:9jGt+gkE2fh4Coswkx2KdcPCl9AuDF5zUPGLG5SvAMZAMg9:9aUgkEaSPkx2KiPy9AuDzY
Malware Config
Signatures
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE 2 IoCs
  Processes:
  pid | process
  4880 | sysx32.exe
  4916 | _7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | 7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe
- Enumerates connected drives 3 TTPs 23 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\J: | sysx32.exe
  File opened (read-only) | \??\N: | sysx32.exe
  File opened (read-only) | \??\O: | sysx32.exe
  File opened (read-only) | \??\U: | sysx32.exe
  File opened (read-only) | \??\Y: | sysx32.exe
  File opened (read-only) | \??\Z: | sysx32.exe
  File opened (read-only) | \??\A: | sysx32.exe
  File opened (read-only) | \??\T: | sysx32.exe
  File opened (read-only) | \??\W: | sysx32.exe
  File opened (read-only) | \??\X: | sysx32.exe
  File opened (read-only) | \??\L: | sysx32.exe
  File opened (read-only) | \??\Q: | sysx32.exe
  File opened (read-only) | \??\S: | sysx32.exe
  File opened (read-only) | \??\E: | sysx32.exe
  File opened (read-only) | \??\H: | sysx32.exe
  File opened (read-only) | \??\I: | sysx32.exe
  File opened (read-only) | \??\K: | sysx32.exe
  File opened (read-only) | \??\R: | sysx32.exe
  File opened (read-only) | \??\V: | sysx32.exe
  File opened (read-only) | \??\B: | sysx32.exe
  File opened (read-only) | \??\G: | sysx32.exe
  File opened (read-only) | \??\M: | sysx32.exe
  File opened (read-only) | \??\P: | sysx32.exe
- Drops file in System32 directory 64 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\mcbuilder.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\TCPSVCS.EXE | sysx32.exe
  File created | C:\Windows\SysWOW64\WerFaultSecure.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\curl.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\dvdplay.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\mcbuilder.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\odbcad32.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\rasphone.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\cacls.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\esentutl.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\wbem\WMIADAP.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\eventvwr.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\autochk.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\clip.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\dtdump.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\icsunattend.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\credwiz.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\cttunesvr.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\logagent.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\wlanext.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\setx.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\pcaui.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\tasklist.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\efsui.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\raserver.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\rdrleakdiag.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\relog.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\sfc.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\finger.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\RMActivate_isv.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\OpenWith.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\sdbinst.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\winrshost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\InstallShield\setup.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\ComputerDefaults.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\SearchProtocolHost.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\WWAHost.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\ftp.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\rasautou.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\netbtugc.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\resmon.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\sc.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\wscript.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\bthudtask.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\CertEnrollCtrl.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\dialer.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\PING.EXE | sysx32.exe
  File created | C:\Windows\SysWOW64\verclsid.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\diskperf.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\iexpress.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\netsh.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\certreq.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\ddodiag.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\runas.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\auditpol.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\Magnify.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\odbcconf.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\reg.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\winrshost.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\wscadminui.exe | sysx32.exe
- Drops file in Program Files directory 64 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpconfig.exe | sysx32.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe | sysx32.exe
  File created | C:\Program Files\Windows Mail\wab.exe.tmp | sysx32.exe
  File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | sysx32.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | sysx32.exe
  File created | C:\Program Files\7-Zip\7zFM.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | sysx32.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | sysx32.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp | sysx32.exe
  File created | C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | sysx32.exe
  File created | C:\Program Files\Mozilla Firefox\pingsender.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | sysx32.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe | sysx32.exe
  File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | sysx32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe.tmp | sysx32.exe
  File created | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe.tmp | sysx32.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.tmp | sysx32.exe
  File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe.tmp | sysx32.exe
  File created | C:\Program Files (x86)\Internet Explorer\ieinstal.exe.tmp | sysx32.exe
  File created | C:\Program Files\dotnet\dotnet.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe.tmp | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE | sysx32.exe
  File created | C:\Program Files\Mozilla Firefox\maintenanceservice.exe.tmp | sysx32.exe
  File created | C:\Program Files (x86)\Windows Mail\wab.exe.tmp | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\jhat.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\misc.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Windows Media Player\setup_wm.exe | sysx32.exe
  File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpconfig.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe | sysx32.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE | sysx32.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | sysx32.exe
- Drops file in Windows directory 64 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\f\ImeBroker.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.19041.572_none_b322aa88d0148356\r\ReAgentc.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_multimedia-rrinstaller_31bf3856ad364e35_10.0.19041.746_none_f0e6f722ec2403d4\rrinstaller.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-xwizard-host-process_31bf3856ad364e35_10.0.19041.1_none_1939c8a90c4232f6\xwizard.exe.tmp | sysx32.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-disksnapshot_31bf3856ad364e35_10.0.19041.1081_none_f52da7b1195e2d45\DiskSnapshot.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\r\UNPUXLauncher.exe | sysx32.exe
  File created | C:\Windows\WinSxS\wow64_microsoft-windows-bth-user_31bf3856ad364e35_10.0.19041.1_none_255ef7c1a8ec5bf0\bthudtask.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.19041.1110_none_b678ec2deb73b201\r\msra.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1_none_0e22056af4d5d874\mstsc.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..ice-daf-pospayments_31bf3856ad364e35_10.0.19041.1_none_0b83240c6bc26a13\pospaymentsworker.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-printing-eduprintprov_31bf3856ad364e35_10.0.19041.1_none_67326312c2487423\EduPrintProv.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\f\ScreenClipping\ScreenClippingHost.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.264_none_8bd2f5fc0c992e06\f\SearchFilterHost.exe | sysx32.exe
  File created | C:\Windows\WinSxS\x86_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_30274b64fe158ec9\r\sxstrace.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.844_none_1d907c422e447b14\r\dsdbutil.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-where_31bf3856ad364e35_10.0.19041.1_none_13c446a37d881982\where.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_security-octagon-broker_31bf3856ad364e35_10.0.19041.84_none_51ae5c25baf813ff\r\SgrmBroker.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\WSManHTTPConfig.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\CallingShellApp.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-cpl_31bf3856ad364e35_10.0.19041.1202_none_cc46843e404eb749\r\BitLockerWizard.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\f\PasswordOnWakeSettingFlyout.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-capturepicker.appxmain_31bf3856ad364e35_10.0.19041.1_none_eaaf89ba8994910d\CapturePicker.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.1_none_0ea013578aa5744f\setupcl.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\MultiDigiMon.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-client-li..m-service-migration_31bf3856ad364e35_10.0.19041.84_none_8ea6a37043f4ae90\ClipUp.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-bioenrollment.appxmain_31bf3856ad364e35_10.0.19041.844_none_de5d9fe254d9f8c4\r\BioEnrollmentHost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-r..verycenter-platform_31bf3856ad364e35_10.0.19041.964_none_21209b01f08afd33\SystemResetPlatform.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_9fcce199936290f4\r\upnpcont.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\x86_wcf-m_sm_cfg_ins_exe_31bf3856ad364e35_10.0.19041.1_none_59f3ce100425ffb0\SMConfigInstaller.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-deployment_31bf3856ad364e35_10.0.19041.746_none_d9e841974c1d46e8\f\setupugc.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_10.0.19041.1266_none_b5fa73367bbd2f91\r\klist.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-commandlinehelp_31bf3856ad364e35_10.0.19041.1_none_9470ed79dcf5eade\help.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-d..d-searchintegration_31bf3856ad364e35_10.0.19041.1_none_45fd6972631ff67c\IMESEARCH.EXE | sysx32.exe
  File created | C:\Windows\WinSxS\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.19041.1110_none_b678ec2deb73b201\r\sdchange.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-d..ectxdatabaseupdater_31bf3856ad364e35_10.0.19041.84_none_2d21e26a18d595c7\f\directxdatabaseupdater.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-b..nfrastructurebghost_31bf3856ad364e35_10.0.19041.546_none_4eec2752c7ea16f8\r\backgroundTaskHost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\f\CallingShellApp.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fax-service_31bf3856ad364e35_10.0.19041.1_none_6314a7411fa6f2ec\FXSSVC.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.19041.1151_none_0f2f3a9cb1826509\f\nltest.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-blb-engine-main_31bf3856ad364e35_10.0.19041.746_none_c1db40c45e8f2d9e\r\wbengine.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..agement-coredpussvr_31bf3856ad364e35_10.0.19041.1_none_513ebdc8ffa81e3d\coredpussvr.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\msinfo32.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-recover_31bf3856ad364e35_10.0.19041.1_none_3c045b5253f885ed\recover.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.1266_none_1abb9653828c3f41\f\SecurityHealthHost.exe | sysx32.exe
  File created | C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\wsmprovhost.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-onecore-pnp-drvinst_31bf3856ad364e35_10.0.19041.1202_none_ca1e0a7a1f21274c\f\drvinst.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-control_31bf3856ad364e35_10.0.19041.1_none_4f5d06c149db5ae8\control.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..erience-parser-task_31bf3856ad364e35_10.0.19041.1_none_80036e190af52e7c\MbaeParserTask.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..ioningsecureprocess_31bf3856ad364e35_10.0.19041.1_none_4cc7187cbf1ef970\psp.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.1_none_c5cb0c3a04b0a5de\rasautou.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-sensordataservice_31bf3856ad364e35_10.0.19041.746_none_dbfd31e3890afb72\r\SensorDataService.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoftwindows-undockeddevkit.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a22e961d4bcae1e\UndockedDevKit.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.19041.264_none_3f30ef10158954bf\r\ApplyTrustOffline.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.1266_none_cfec8db821d83671\r\winload.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_19667e7e60cb0ccd\RdpSaProxy.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_e867a49a6e97813d\r\LaunchWinApp.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-grouppolicy-script_31bf3856ad364e35_10.0.19041.572_none_4d40b8e902f83dd6\r\gpscript.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_c77fb947e9eed73b\r\cscript.exe | sysx32.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-f..ysafety-refreshtask_31bf3856ad364e35_10.0.19041.1266_none_d375b5361b806b32\r\WpcTok.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1288_none_3f2d1be96237886e\r\wsmprovhost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-diskpart_31bf3856ad364e35_10.0.19041.964_none_510ebdd9292eed06\diskpart.exe | sysx32.exe
- System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysx32.exe
- Suspicious use of WriteProcessMemory 5 IoCs
  Processes:
  description | pid | process | target process
  PID 2084 wrote to memory of 4880 | 2084 | 7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe | sysx32.exe
  PID 2084 wrote to memory of 4880 | 2084 | 7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe | sysx32.exe
  PID 2084 wrote to memory of 4880 | 2084 | 7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe | sysx32.exe
  PID 2084 wrote to memory of 4916 | 2084 | 7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe | _7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe
  PID 2084 wrote to memory of 4916 | 2084 | 7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe | _7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2084
  - C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 4880
  - C:\Users\Admin\AppData\Local\Temp\_7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\_7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe
    - Executes dropped EXE
    PID: 4916
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.3MB
  MD5: 08a26f2411d591221f4d91719e38329e
  SHA1: e3f4162827ed9930058a99a0c7b7d54a5dfc4052
  SHA256: 16b6583833eccef5457dc7679ce45941c91e75166ece8f0574bdb9378679e67c
  SHA512: 68af7a99ca3d4d881c694994df677176e3c3ecd131d4b931bb134815b9b482a8532774c523dbc13ea15bce89304decf2aa35fb1c336712175752ec43133dbbe8
- C:\Users\Admin\AppData\Local\Temp\_7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb.exe
  Filesize: 4.3MB
  MD5: 4298bcad4a69e0be62f523e7ae11b423
  SHA1: 67d2a30b4d82b3ce2ff2dcf2e6c0a4e975f415c7
  SHA256: 36c961b8ad83d5f3e50718facdc48db2edf0f85d4542b330fe06459c11997772
  SHA512: d2fba55f86c3487fb4523f1b3ba1776058bf835bd200a10512a4a773100733837997265e2cf7d67cca54935987049dbcc4896a7ca5467b76864295410873ca82
- Filesize: 4.3MB
  MD5: bf063d9fda89348906086c3b8ec1a6b4
  SHA1: df24129fa947d9fb34901f629e04ffa17065f053
  SHA256: 7231914868efe6205dd1e12e58a17bad0c482468fce47c18c3ff16e39dba2cfb
  SHA512: fa7c707b1ab15280e618b72245e18f974ef20f5de88cc4af25354401ee27dc0c06ba90b1d8f50b0a8ee6ea92967cca98d8dc831e9ae7643199bb9cafe8456fa3