Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/11/2024, 23:12

Static task: static1

Behavioral task: behavioral1
- Sample: 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
- Resource: win10v2004-20241007-en
General
- Target: 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
- Size: 4.9MB
- MD5: 52e3c216b043490cdbb87e17218f4d47
- SHA1: e21be588a01cb4022dafe84eb9c88305532b17ff
- SHA256: 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf
- SHA512: d21ee7fb626317e9762e49acb0afcf70ecf546a6f7def8fddac24115c6f0aa404f94e98aa374d9cf6196077ff277c31e80a88240a25a13e8dcb701d874c30526
- SSDEEP: 49152:9wQ/xFnOvtaWIDn0a2qnqYQVMkL+q/vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPAFz:OqaklJKvS0Hpe4zbpaAKQkroGIC
Malware Config
Signatures
- Renames multiple (317) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  pid 3596, Process sysx32.exe
  pid 4780, Process _64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"
  Process: 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: sysx32.exe
  ioc: \??\J:, \??\K:, \??\R:, \??\U:, \??\V:, \??\B:, \??\E:, \??\I:, \??\Z:, \??\S:, \??\W:, \??\L:, \??\M:, \??\Q:, \??\O:, \??\X:, \??\Y:, \??\A:, \??\G:, \??\H:, \??\N:, \??\P:, \??\T:
- Drops file in System32 directory (64 IoCs, files created or opened for modification under C:\Windows\SysWOW64 by sysx32.exe)
- Drops file in Program Files directory (64 IoCs, files created or opened for modification under C:\Program Files and C:\Program Files (x86) by sysx32.exe)
- Drops file in Windows directory (64 IoCs, files created or opened for modification under C:\Windows\WinSxS, C:\Windows\SystemApps and C:\Windows\Microsoft.NET by sysx32.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe, sysx32.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4388 wrote to memory of 3596 (Process 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe, procid_target 83); recorded three times
  PID 4388 wrote to memory of 4780 (Process 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe, procid_target 84); recorded twice
Processes
- C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe (PID 4388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sysx32.exe (PID 3596, child of PID 4388)
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe (PID 4780, child of PID 4388)
    Command line: C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file (path not listed in the report)
  Filesize: 4.9MB
  MD5: 54c66635d838b35b5f45241bc52db9ee
  SHA1: efeb0be3e710e74400985328f530474327d32940
  SHA256: c54b926a4a9f960016749b4b49a87a7e574a6b3d6cd5a9ca6b6ccc0c9f2dbb21
  SHA512: 59aa26ef38351a4210fdac0dabcab24d23825e604057df9212d0ffa4c9e9fa1bb8a239453237abea8986eab29485d599e7d6cc9b883d2bd2b479109746ab6f35
- C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
  Filesize: 4.9MB
  MD5: b4f9829423e89017d71f0be914831ab3
  SHA1: ea4b8f722d4a177637f004317027f48789cc0c8a
  SHA256: 23c59c9297ff0792f2da83712f322107ce8f6221b7772b18e6d847b25dfc5a89
  SHA512: d98c81a77d812a7055771d8be77eb34e52ac0e07cf4188058a5e323f11adfcd42926ec4f3fdacb35e33097640f7fc9d4eca1c6eb3c5951f620f573c6d14d8ebe
- Submitted sample (same hashes as in General)
  Filesize: 4.9MB
  MD5: 52e3c216b043490cdbb87e17218f4d47
  SHA1: e21be588a01cb4022dafe84eb9c88305532b17ff
  SHA256: 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf
  SHA512: d21ee7fb626317e9762e49acb0afcf70ecf546a6f7def8fddac24115c6f0aa404f94e98aa374d9cf6196077ff277c31e80a88240a25a13e8dcb701d874c30526