Analysis
max time kernel: 136s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2024, 22:56

Static task: static1

Behavioral task: behavioral1
Sample: 5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe
Resource: win10v2004-20241007-en

General
Target: 5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe
Size: 3.5MB
MD5: 85c8afc09052a2fef24837d714678b60
SHA1: a8f08db718a77cb2cd18a1ce417b8a146b3c046e
SHA256: 5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773
SHA512: 5310d39be2fb51bf4e27d23e4d9658367052ad64b1072aacac3338837f2e6c4f8a736238e443c29e9f264ee39041f2e1b5c1de78d2405cd254d11c6e7d38eada
SSDEEP: 49152:95d4Opr7wspHYHpLKkLJU9nU2foKhA4vSWidGHp+NDGQUzbpDOfjxAkrL:n6sp2LK3BDhtvS0Hpe4zbpaAKL
Malware Config
Signatures
- Renames multiple (317) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  PID 3024: sysx32.exe
  PID 3660: _5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" by process 5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by sysx32.exe: \??\Q:, \??\T:, \??\Z:, \??\A:, \??\G:, \??\N:, \??\K:, \??\S:, \??\U:, \??\V:, \??\Y:, \??\B:, \??\H:, \??\I:, \??\P:, \??\X:, \??\E:, \??\J:, \??\M:, \??\W:, \??\L:, \??\O:, \??\R:
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by sysx32.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by _5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 412 (5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe) wrote to memory of PID 3024, target procid 84
  PID 412 (5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe) wrote to memory of PID 3024, target procid 84
  PID 412 (5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe) wrote to memory of PID 3024, target procid 84
  PID 412 (5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe) wrote to memory of PID 3660, target procid 85
  PID 412 (5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe) wrote to memory of PID 3660, target procid 85
  PID 412 (5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe) wrote to memory of PID 3660, target procid 85
Processes
- C:\Users\Admin\AppData\Local\Temp\5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe (depth 1, PID 412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sysx32.exe (depth 2, PID 3024)
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\_5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe (depth 2, PID 3660)
    Command line: C:\Users\Admin\AppData\Local\Temp\_5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.5MB
  MD5: 372a27441a756e6536aa6d27d35b8ed0
  SHA1: e158035617302c09bf659906c3f3cfb85eb68bab
  SHA256: b9fdc437ba6b03e27fe1603a0e580566eb0547e3cf140258a523bf505e9cc143
  SHA512: 286ee6e207ee1f22d90041c9b98b79fbe2911dbfc15f3fa716fb6f851bd51e74b2daf6e2ebfe2b23945ad87ab47503f9114112c64ce5d35a3dd42cc65cf7eac1
- C:\Users\Admin\AppData\Local\Temp\_5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773.exe
  Filesize: 3.5MB
  MD5: 5d40d7aceab933668d2da3bd20cac1e4
  SHA1: 94b7d4f05caee8130d40bd8a65fcd3095a26cbd3
  SHA256: af75b2c2b654c02871a6ff88205701a3a81acecdc0faae58ee5ed8400b04c1f4
  SHA512: 0eb2618005996a3076a0b0ce16c8c133431a10270c2e6e9c7994742bca0e36532f46b0b75bd9ac2a7f033858d98cd8592bdf91dc6d135a1946c743af1fa68d2c
- Filesize: 3.5MB
  MD5: 85c8afc09052a2fef24837d714678b60
  SHA1: a8f08db718a77cb2cd18a1ce417b8a146b3c046e
  SHA256: 5c63ccf3b00ec3420ad6361272ed1ff6732708ae659de5b919678756fdfea773
  SHA512: 5310d39be2fb51bf4e27d23e4d9658367052ad64b1072aacac3338837f2e6c4f8a736238e443c29e9f264ee39041f2e1b5c1de78d2405cd254d11c6e7d38eada