Analysis
-
max time kernel
139s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
05/11/2024, 23:06
Static task
static1
Behavioral task
behavioral1
Sample
635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe
Resource
win10v2004-20241007-en
General
-
Target
635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe
-
Size
4.9MB
-
MD5
943fb6fb430fbac169b4ce55189206ad
-
SHA1
c7050a4a1102c4abe5453e0b7c3080e2875fab28
-
SHA256
635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221
-
SHA512
bc45a6758dcc470678cf6a3ff3cd989d473866fb991e85309c995b7b79b75ec6ac8333673f3b5a3aad820c3119337eef34f9569a6204c7c8cb558c9c7b05a61a
-
SSDEEP
49152:9g/xFnOvtaWIDn0a2qnqYQVMkL+q/vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPAFIA:IaklJKvS0Hpe4zbpaAKQkroGIC
Malware Config
Signatures
-
Renames multiple (316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 2 IoCs
pid Process
4852 sysx32.exe
64 _635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" 635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\I: sysx32.exe
File opened (read-only) \??\M: sysx32.exe
File opened (read-only) \??\S: sysx32.exe
File opened (read-only) \??\Q: sysx32.exe
File opened (read-only) \??\V: sysx32.exe
File opened (read-only) \??\E: sysx32.exe
File opened (read-only) \??\K: sysx32.exe
File opened (read-only) \??\L: sysx32.exe
File opened (read-only) \??\O: sysx32.exe
File opened (read-only) \??\T: sysx32.exe
File opened (read-only) \??\W: sysx32.exe
File opened (read-only) \??\X: sysx32.exe
File opened (read-only) \??\Z: sysx32.exe
File opened (read-only) \??\B: sysx32.exe
File opened (read-only) \??\G: sysx32.exe
File opened (read-only) \??\H: sysx32.exe
File opened (read-only) \??\J: sysx32.exe
File opened (read-only) \??\U: sysx32.exe
File opened (read-only) \??\Y: sysx32.exe
File opened (read-only) \??\A: sysx32.exe
File opened (read-only) \??\N: sysx32.exe
File opened (read-only) \??\P: sysx32.exe
File opened (read-only) \??\R: sysx32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\RpcPing.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\agentactivationruntimestarter.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\CameraSettingsUIHost.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\ntprint.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\regini.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\compact.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\shutdown.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\calc.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\srdelayed.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\where.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\EaseOfAccessDialog.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\efsui.exe.tmp sysx32.exe File created C:\Windows\SysWOW64\netiougc.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\SyncHost.exe sysx32.exe File created C:\Windows\SysWOW64\wiaacmgr.exe.tmp sysx32.exe File created C:\Windows\SysWOW64\bootcfg.exe.tmp sysx32.exe File created C:\Windows\SysWOW64\mmc.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\rasdial.exe.tmp sysx32.exe File created C:\Windows\SysWOW64\sfc.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\notepad.exe sysx32.exe File created C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\dialer.exe.tmp sysx32.exe File created C:\Windows\SysWOW64\find.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\findstr.exe.tmp sysx32.exe File created C:\Windows\SysWOW64\msfeedssync.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\ftp.exe.tmp sysx32.exe File opened for 
modification C:\Windows\SysWOW64\iscsicpl.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\Register-CimProvider.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\autoconv.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\CredentialUIBroker.exe sysx32.exe File created C:\Windows\SysWOW64\PING.EXE.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\PING.EXE.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\IME\SHARED\imecfmui.exe.tmp sysx32.exe File created C:\Windows\SysWOW64\dpapimig.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\gpupdate.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\secinit.exe sysx32.exe File created C:\Windows\SysWOW64\WerFaultSecure.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\net1.exe.tmp sysx32.exe File created C:\Windows\SysWOW64\Register-CimProvider.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\write.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\InstallShield\setup.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\LaunchTM.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\setx.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\upnpcont.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\dtdump.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\fontview.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\dvdplay.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\RMActivate_ssp_isv.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\quickassist.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\userinit.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\verifiergui.exe.tmp sysx32.exe File created C:\Windows\SysWOW64\finger.exe.tmp 
sysx32.exe File opened for modification C:\Windows\SysWOW64\GamePanel.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\mtstocom.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\Com\MigRegDB.exe.tmp sysx32.exe File created C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\bootcfg.exe.tmp sysx32.exe File opened for modification C:\Windows\SysWOW64\mcbuilder.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\timeout.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\Com\comrepl.exe sysx32.exe File opened for modification C:\Windows\SysWOW64\SearchIndexer.exe sysx32.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe.tmp sysx32.exe File created C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp sysx32.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe sysx32.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe.tmp sysx32.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp sysx32.exe File created C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp sysx32.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp sysx32.exe File created C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp sysx32.exe File created C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp sysx32.exe File created C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp sysx32.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe sysx32.exe File created C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe.tmp sysx32.exe File created C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp sysx32.exe File opened for modification C:\Program Files (x86)\Windows Mail\wab.exe.tmp sysx32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE sysx32.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe sysx32.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe sysx32.exe File created C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE.tmp sysx32.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.tmp sysx32.exe File created C:\Program Files\Windows Mail\wabmig.exe.tmp sysx32.exe File created C:\Program Files\Windows Photo Viewer\ImagingDevices.exe.tmp sysx32.exe File opened for modification 
C:\Program Files\Java\jdk-1.8\bin\jar.exe sysx32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe.tmp sysx32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe sysx32.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe sysx32.exe File created C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp sysx32.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp sysx32.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe sysx32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE sysx32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe sysx32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.tmp sysx32.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp sysx32.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe.tmp sysx32.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe sysx32.exe File created C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp sysx32.exe File created C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp sysx32.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.tmp sysx32.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe sysx32.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp sysx32.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp sysx32.exe File created C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp sysx32.exe File opened 
for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe.tmp sysx32.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe.tmp sysx32.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe sysx32.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp sysx32.exe File created C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp sysx32.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp sysx32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe.tmp sysx32.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe.tmp sysx32.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp sysx32.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.tmp sysx32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE.tmp sysx32.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.tmp sysx32.exe File created C:\Program Files\Windows Media Player\wmlaunch.exe.tmp sysx32.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe.tmp sysx32.exe File created C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp sysx32.exe File created C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp sysx32.exe File created C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp sysx32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe.tmp sysx32.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe.tmp sysx32.exe File opened for modification C:\Program Files\7-Zip\7z.exe sysx32.exe File opened for modification C:\Program Files\Common Files\microsoft 
shared\ClickToRun\OfficeC2RClient.exe.tmp sysx32.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp sysx32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe.tmp sysx32.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\WinSxS\amd64_multipoint-wmssvc_31bf3856ad364e35_10.0.19041.746_none_9ebd3ef9f0c794b5\r\WmsSvc.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.844_none_1d907c422e447b14\f\dsdbutil.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dpiscaling_31bf3856ad364e35_10.0.19041.1_none_3038e0b9fa4d9cdf\DpiScaling.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdge.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\SyncHost.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.19041.1_none_db6f0c88fb6e127a\taskkill.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-s..chservice-component_31bf3856ad364e35_10.0.19041.1266_none_2262e67641106c48\SpeechRuntime.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\CallingShellApp.exe sysx32.exe File created C:\Windows\WinSxS\amd64_wcf-comsvcconfig_b03f5f7f11d50a3a_10.0.19041.1_none_3f67a7384812df13\ComSvcConfig.exe.tmp sysx32.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-b..nfrastructurebghost_31bf3856ad364e35_10.0.19041.1_none_313898283cd914f7\backgroundTaskHost.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-certutil_31bf3856ad364e35_10.0.19041.1_none_75cabfc3071adb42\certutil.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-pnp-drvinst_31bf3856ad364e35_10.0.19041.1202_none_ca1e0a7a1f21274c\drvinst.exe sysx32.exe File 
created C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.173_none_38fc88f8cb913df1\r\winresume.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslhost_31bf3856ad364e35_10.0.19041.117_none_9be21f0ef860b570\f\wslhost.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\f\SecHealthUI.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\r\Spectrum.exe sysx32.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-legacyhwui_31bf3856ad364e35_10.0.19041.1_none_a2b9da391bff31c4\hdwwiz.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\f\wiaacmgr.exe sysx32.exe File created C:\Windows\WinSxS\x86_netfx-cvtres_for_vc_and_vb_b03f5f7f11d50a3a_10.0.19041.1_none_a6a8b89bc50eae31\cvtres.exe.tmp sysx32.exe File created C:\Windows\WinSxS\x86_regsvcs_b03f5f7f11d50a3a_4.0.15805.0_none_8ce1f3b4679d3a76\RegSvcs.exe.tmp sysx32.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1288_none_3f2d1be96237886e\f\wsmprovhost.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-computerdefaults_31bf3856ad364e35_10.0.19041.1_none_c6bc59819707b32b\ComputerDefaults.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-xbox-gamecallableui.appxmain_31bf3856ad364e35_10.0.19041.746_none_0119299746221375\XBox.TCUI.exe.tmp sysx32.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\WSManHTTPConfig.exe.tmp sysx32.exe File created 
C:\Windows\WinSxS\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_4.0.15805.0_none_646d7347043be71c\aspnet_regbrowsers.exe.tmp sysx32.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-a..lity-eoaexperiences_31bf3856ad364e35_10.0.19041.746_none_c291aefd01a5d6d6\EoAExperiences.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appresolverux.appxmain_31bf3856ad364e35_10.0.19041.1_none_b719750f25d4cc37\AppResolverUX.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..onentpackagesupport_31bf3856ad364e35_10.0.19041.1_none_15ad78a57833209d\CompPkgSrv.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-iechooser_31bf3856ad364e35_11.0.19041.746_none_122a74c9827fe81a\f\IEChooser.exe.tmp sysx32.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-m..essagingcoreservice_31bf3856ad364e35_10.0.19041.1_none_98fad53f878bc04c\mqsvc.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_bf506ecc66a800df\TiWorker.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.19041.153_none_51feabe070ab84f6\f\MusNotificationUx.exe.tmp sysx32.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe.tmp sysx32.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1_none_b29cb2f3845833b7\UevTemplateConfigItemGenerator.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-driverquery_31bf3856ad364e35_10.0.19041.1_none_4c13d8f934672657\driverquery.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-f..ysafety-refreshtask_31bf3856ad364e35_10.0.19041.153_none_3c9b504ec5293ad0\r\WpcTok.exe sysx32.exe File opened for modification 
C:\Windows\WinSxS\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3\r\fontdrvhost.exe.tmp sysx32.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\f\svchost.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.1_none_2a38e2996ee84e57\TapiUnattend.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lockapp.appxmain_31bf3856ad364e35_10.0.19041.844_none_c5675ea732c2eaa0\LockApp.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\r\PinningConfirmationDialog.exe sysx32.exe File created C:\Windows\WinSxS\wow64_networking-mpssvc-netsh_31bf3856ad364e35_10.0.19041.117_none_975feef459c69d6b\CheckNetIsolation.exe.tmp sysx32.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.264_none_6b6699b671c8f5a8\f\VmComputeAgent.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-d..ectxdatabaseupdater_31bf3856ad364e35_10.0.19041.84_none_2d21e26a18d595c7\r\directxdatabaseupdater.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ieinstal_31bf3856ad364e35_11.0.19041.1_none_d27e617a9bd9c1d3\ieinstal.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tsdiscon.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.1266_none_d7b5820f5a89765b\f\agentactivationruntimestarter.exe.tmp sysx32.exe File opened for modification 
C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\PerceptionSimulationService.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-trustlet_31bf3856ad364e35_10.0.19041.84_none_dd81fb99bc3b1e53\NgcIso.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.19041.1081_none_8f1e438c6737a711\r\wscadminui.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-unattendedjoin_31bf3856ad364e35_10.0.19041.572_none_90e9bab3cbbfd71a\r\djoin.exe.tmp sysx32.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-servicing_31bf3856ad364e35_10.0.19041.1237_none_9ad73d125ac89655\r\bfsvc.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgport.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_9fd3a313935e2396\upnpcont.exe.tmp sysx32.exe File created C:\Windows\WinSxS\x86_microsoft-windows-ie-iechooser_31bf3856ad364e35_11.0.19041.1_none_7e3d02e24c15fe88\IEChooser.exe.tmp sysx32.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-a..perience-ait-static_31bf3856ad364e35_10.0.19041.1202_none_a5a4c3f2637b55fa\f\aitstatic.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\r\iisrstas.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..s-datausagehandlers_31bf3856ad364e35_10.0.19041.746_none_dbecc8a3cdc7c3cf\DataUsageLiveTileTask.exe sysx32.exe File opened for modification 
C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_e8b8012dee3ba92e\ARP.EXE sysx32.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\r\ThumbnailExtractionHost.exe.tmp sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-rundll32_31bf3856ad364e35_10.0.19041.746_none_b5fe9c5c09b9d7a9\f\rundll32.exe sysx32.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\f\prevhost.exe.tmp sysx32.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sysx32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 3280 wrote to memory of 4852 3280 635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe 84
PID 3280 wrote to memory of 4852 3280 635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe 84
PID 3280 wrote to memory of 4852 3280 635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe 84
PID 3280 wrote to memory of 64 3280 635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe 85
PID 3280 wrote to memory of 64 3280 635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe 85
PID 3280 wrote to memory of 64 3280 635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe "C:\Users\Admin\AppData\Local\Temp\635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe" (depth 1)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\sysx32.exe C:\Windows\system32\sysx32.exe /scan (depth 2)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4852
-
-
C:\Users\Admin\AppData\Local\Temp\_635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe C:\Users\Admin\AppData\Local\Temp\_635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe (depth 2)
- Executes dropped EXE
PID:64
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
4.9MB
MD5 faf1118ab8493df7829c59f7ef8ba26a
SHA1 be7437a5650ff6628aa4aaa872afd8499db3c652
SHA256 5c3b146c18b16b4a8db02453e04b455be394681cf9870e97e2fa253482c7cf2e
SHA512 e124b0f46101882a40b475280d2e0152c6b861a43d0b8377e4adc15c96e73ee04b4a09faf3f23087c0d11c653441e6d42022c0c2a92f75a26389233f4185516e
-
C:\Users\Admin\AppData\Local\Temp\_635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221.exe
Filesize 4.9MB
MD5 757b6abbbee579077b100778e2e3032c
SHA1 90ab4e4560b35479460becfd77be01cc5412bf06
SHA256 9956fe3448870d4f9735fcd20905cc199449b674999497e0fe21615e88b63707
SHA512 cdff71639d6097eee9f8d243a1e5db967f32ba67f7de47f09d2906e23f9caa60d7f9a122447b75e307e44793b8d066bc70e4de5545bd84d134e2702ae00a46f6
-
Filesize
4.9MB
MD5 943fb6fb430fbac169b4ce55189206ad
SHA1 c7050a4a1102c4abe5453e0b7c3080e2875fab28
SHA256 635034820d0830ff4950f274a062e5be5c7c113bc8b05b09d5d84396fa7ca221
SHA512 bc45a6758dcc470678cf6a3ff3cd989d473866fb991e85309c995b7b79b75ec6ac8333673f3b5a3aad820c3119337eef34f9569a6204c7c8cb558c9c7b05a61a