Analysis
max time kernel: 138s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2024, 22:53
Static task: static1
Behavioral task: behavioral1
  Sample: 5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe
  Resource: win10v2004-20241007-en
General
Target: 5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe
Size: 820KB
MD5: 58654426acd107a2e2a663137a116411
SHA1: 34a2d0e1a83df42a3fc0a2e42c464360a6f6d6f9
SHA256: 5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4
SHA512: f01b0d4d96517162720027f28ddb86d2784a4ea64fdf9b6e249d692b896a5202b933960f616dfbeb8e19af09e1e021f2480c858c350e6b7e642698d56aed9fe6
SSDEEP: 24576:9jM7iPCPXNY2Y66vdZyXZz2LN1+yAgVNfffNflVNfffNfawdQcpKcd0jZd616ALQ:9wePCPXNYSI1+yAgVNfffNflVNfffNfw
Malware Config
Signatures
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  pid   Process
  1844  sysx32.exe
  4712  _5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"
  Process: 5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: sysx32.exe
  ioc: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: sysx32.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 3000 wrote to memory of 1844   3000  5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe  84
  PID 3000 wrote to memory of 1844   3000  5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe  84
  PID 3000 wrote to memory of 1844   3000  5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe  84
  PID 3000 wrote to memory of 4712   3000  5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe  85
  PID 3000 wrote to memory of 4712   3000  5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe  85
Processes
- C:\Users\Admin\AppData\Local\Temp\5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe (PID 3000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sysx32.exe (PID 1844)
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\_5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe (PID 4712)
    Command line: C:\Users\Admin\AppData\Local\Temp\_5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 820KB
  MD5: 7880cb10cadb3d25b45bd8a93d875af4
  SHA1: db8381fe8f6851cc1234018f8d6dc56e835f866b
  SHA256: a7c3b7c1b5346bdc60fa4d07bf9991027ba7085faf6f9490434a95192c2a2e7b
  SHA512: 1637fa301b5750f5a23682851e93bc486db3cdeee94c54c817305462213e1a136b15e4bdaaa862143bcd7acaf79ee13b62feb137dbebb10dfd2cbcc69923a4e1
- C:\Users\Admin\AppData\Local\Temp\_5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4.exe
  Filesize: 791KB
  MD5: e855fba0cae05b80224a6aaaa6c88d8b
  SHA1: 8e2035f755f40778d2509bed527d3bacd8720076
  SHA256: 22b58d1edb3261bb767f0c6c62b301b5b9ca3c55b478644e547823d865642d1f
  SHA512: 09f5f4aef3eb21c852a5d1deb6e6473e11357a99bc8fa72ab5090cc49d969d57afb631dc89157b07cf1d128df1e3b98cf0cdb5b00e1d160d1c6ea05a7d04fefc
- Filesize: 820KB
  MD5: 58654426acd107a2e2a663137a116411
  SHA1: 34a2d0e1a83df42a3fc0a2e42c464360a6f6d6f9
  SHA256: 5d258b00e61888cf343804593d0b0a75daf6ce672df1091a43ae9448c93e67b4
  SHA512: f01b0d4d96517162720027f28ddb86d2784a4ea64fdf9b6e249d692b896a5202b933960f616dfbeb8e19af09e1e021f2480c858c350e6b7e642698d56aed9fe6