Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/11/2024, 21:57
Static task: static1
Behavioral task: behavioral1
- Sample: 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
- Resource: win10v2004-20241007-en
General
- Target: 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
- Size: 7.8MB
- MD5: 7b7d04d2c0bd8ac1f4923b0655baae6c
- SHA1: e731959a1dde67ad20a3b86774d7592ed7241d49
- SHA256: 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d
- SHA512: a91eb78116db32e2cc23195545adc4976ee4b2f2e3361949a661396bb1a8b7b2f9060f3f29f43cd4256e8b763ab61a6f21781a8778bed9c8903c575435b13e39
- SSDEEP: 49152:9AMtSgRWpAIRrRLzZiNo7IcyO82MzufjWJA6ongaHLvKLA8VgbKW2llxobcJOu2r:jTOrRn+os45gaHrhdw3D7nTsReRR9e
Malware Config
Signatures
Renames multiple (317) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Executes dropped EXE 3 IoCs
- PID 4240: sysx32.exe
- PID 3616: _452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
- PID 4912: sysx32.exe
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" (process: 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe)
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysx32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: _452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe)
Suspicious use of WriteProcessMemory 9 IoCs
- PID 4768 wrote to memory of 4240 (process: 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe, procid_target: 84)
- PID 4768 wrote to memory of 4240 (process: 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe, procid_target: 84)
- PID 4768 wrote to memory of 4240 (process: 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe, procid_target: 84)
- PID 4768 wrote to memory of 3616 (process: 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe, procid_target: 85)
- PID 4768 wrote to memory of 3616 (process: 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe, procid_target: 85)
- PID 4768 wrote to memory of 3616 (process: 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe, procid_target: 85)
- PID 3616 wrote to memory of 4912 (process: _452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe, procid_target: 86)
- PID 3616 wrote to memory of 4912 (process: _452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe, procid_target: 86)
- PID 3616 wrote to memory of 4912 (process: _452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe, procid_target: 86)
Processes
- C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe"
  PID: 4768
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    PID: 4240
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
    PID: 3616
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sysx32.exe
      Command line: C:\Windows\system32\sysx32.exe /scan
      PID: 4912
      - Executes dropped EXE
      - Enumerates connected drives
Network
MITRE ATT&CK Enterprise v15