Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2024, 23:25
Static task: static1
Behavioral task: behavioral1
  Sample: 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe
  Resource: win10v2004-20241007-en
General
Target: 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe
Size: 7.8MB
MD5: 4df4b1a43666d9a5c29fa4e22c50c73b
SHA1: 89447f053e059911750d06a75b0b589b18923c24
SHA256: 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90
SHA512: 0ebda49618e2b90e4d91b6745d3629f91a12478bffdc24d2e80f88a745095560e508c8a1a231cca81aae81c1cac39ad4d72694f84cd20003b4ee0eb4f8ca8e10
SSDEEP: 49152:943imhnMqfFLHyT+a0rNo7IcyO82MzufjWJA6ongaHLvKLA8VgbKW2llxobcJOuw:6i0os45gaHrhdw3D7nTsReRR9e
Malware Config
Signatures
-
Renames multiple (316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system. Note, however, that every renamed target recorded in the file-drop signatures below is an executable (.exe) gaining a .tmp sibling under System32, Program Files and WinSxS rather than a user document, so treat the ransomware label as a heuristic and confirm what the .tmp files contain before classifying the sample.
-
Executes dropped EXE 2 IoCs
pid | Process
3168 | sysx32.exe
1368 | _6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe
Note: the value landed under WOW6432Node and names C:\Windows\system32\sysx32.exe, yet the process tree below shows the dropped binary executing from C:\Windows\SysWOW64\sysx32.exe. Both follow from the sample running as a 32-bit process on a 64-bit host: WOW64 redirects its HKLM\SOFTWARE write to the WOW6432Node view and its System32 file write to SysWOW64. When hunting for the file, look under SysWOW64, and verify on a live host whether the system32 path stored in the Run value actually resolves when the 64-bit logon shell launches it.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | sysx32.exe
File opened (read-only) | \??\L: | sysx32.exe
File opened (read-only) | \??\S: | sysx32.exe
File opened (read-only) | \??\Y: | sysx32.exe
File opened (read-only) | \??\B: | sysx32.exe
File opened (read-only) | \??\E: | sysx32.exe
File opened (read-only) | \??\I: | sysx32.exe
File opened (read-only) | \??\Q: | sysx32.exe
File opened (read-only) | \??\T: | sysx32.exe
File opened (read-only) | \??\W: | sysx32.exe
File opened (read-only) | \??\X: | sysx32.exe
File opened (read-only) | \??\J: | sysx32.exe
File opened (read-only) | \??\M: | sysx32.exe
File opened (read-only) | \??\K: | sysx32.exe
File opened (read-only) | \??\N: | sysx32.exe
File opened (read-only) | \??\O: | sysx32.exe
File opened (read-only) | \??\P: | sysx32.exe
File opened (read-only) | \??\R: | sysx32.exe
File opened (read-only) | \??\U: | sysx32.exe
File opened (read-only) | \??\A: | sysx32.exe
File opened (read-only) | \??\G: | sysx32.exe
File opened (read-only) | \??\V: | sysx32.exe
File opened (read-only) | \??\Z: | sysx32.exe
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\cmmon32.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\ComputerDefaults.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\cscript.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\replace.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\RMActivate.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\cmd.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\dialer.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\user.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\CertEnrollCtrl.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\cmdl32.exe | sysx32.exe
File created | C:\Windows\SysWOW64\net.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\autoconv.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\Dism.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\subst.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\doskey.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\eventvwr.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\GamePanel.exe | sysx32.exe
File created | C:\Windows\SysWOW64\label.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\HOSTNAME.EXE | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\provlaunch.exe | sysx32.exe
File created | C:\Windows\SysWOW64\verclsid.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\DWWIN.EXE.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\rrinstaller.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\takeown.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\dxdiag.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\odbcad32.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\taskkill.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\tracerpt.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\Com\comrepl.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\help.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\regedit.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\SearchIndexer.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\xwizard.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\cliconfg.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\gpscript.exe | sysx32.exe
File created | C:\Windows\SysWOW64\makecab.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\mmgaserver.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\OneDriveSetup.exe | sysx32.exe
File created | C:\Windows\SysWOW64\fsutil.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\isoburn.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\poqexec.exe | sysx32.exe
File created | C:\Windows\SysWOW64\shutdown.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\backgroundTaskHost.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\ByteCodeGenerator.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\sethc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\edpnotify.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\mcbuilder.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\ntprint.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\reg.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\rekeywiz.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\replace.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\SndVol.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\wusa.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\dpapimig.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\mstsc.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\printui.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\rundll32.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\wextract.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\auditpol.exe | sysx32.exe
File created | C:\Windows\SysWOW64\eventcreate.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\fltMC.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\mtstocom.exe | sysx32.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE | sysx32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | sysx32.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe.tmp | sysx32.exe
File created | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE | sysx32.exe
File created | C:\Program Files\VideoLAN\VLC\vlc.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | sysx32.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe.tmp | sysx32.exe
File created | C:\Program Files\Windows Mail\wab.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Windows Mail\wab.exe | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE | sysx32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp | sysx32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.tmp | sysx32.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpshare.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | sysx32.exe
File created | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.tmp | sysx32.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp | sysx32.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp | sysx32.exe
File created | C:\Program Files (x86)\Windows Media Player\setup_wm.exe.tmp | sysx32.exe
File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe.tmp | sysx32.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\wab.exe | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe.tmp | sysx32.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\Windows\WinSxS\amd64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.1_none_ffa61ab82b82ecca\Fondue.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\wpnpinst.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-recover_31bf3856ad364e35_10.0.19041.1_none_3c045b5253f885ed\recover.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.264_none_8adc8bd8b75d383f\UpdateNotificationMgr.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-credwiz_31bf3856ad364e35_10.0.19041.1_none_602068813f9366fe\credwiz.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.1266_none_07a5d18b92d8b668\cmproxyd.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..cymanagerbrokerhost_31bf3856ad364e35_10.0.19041.746_none_5cc81a54cf095c95\r\EASPolicyManagerBrokerHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_10.0.19041.1266_none_8fc08423f52c1606\r\wmlaunch.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-ipconfig_31bf3856ad364e35_10.0.19041.1_none_0c7fa8d5ebaceac7\ipconfig.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\r\BackgroundTransferHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-oobe-user-broker_31bf3856ad364e35_10.0.19041.746_none_61e0347e850155a8\r\UserOOBEBroker.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-x..jectdialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1240cd13c584c1c\XGpuEjectDialog.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-directshow-dvdplay_31bf3856ad364e35_10.0.19041.1_none_b79f30aeb967a64a\dvdplay.exe.tmp | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-atbroker_31bf3856ad364e35_10.0.19041.1023_none_4478665ed379a3fc\r\AtBroker.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..d-searchintegration_31bf3856ad364e35_10.0.19041.1_none_3ba8bf202ebf3481\IMESEARCH.EXE.tmp | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_49716c2392052aca\r\typeperf.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_10.0.19041.1_none_613b273905366660\RMActivate.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.1_none_d1fafd8eeb2a2637\SpeechUXWiz.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.19041.1202_none_05cd606e025d0d96\r\TrustedInstaller.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.264_none_64b3f487e354744d\f\MoUsoCoreWorker.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-r..verycenter-platform_31bf3856ad364e35_10.0.19041.153_none_212a5b73f083deb3\SystemResetPlatform.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_10.0.19041.1_none_ab07dd0c9dcc66c0\RMActivate_ssp_isv.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\logoff.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_93b4a0a1641d085c_svchost.exe_4dd0f0bc.tmp | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-time-tool_31bf3856ad364e35_10.0.19041.1_none_ad4ed32c0facc27c\w32tm.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.19041.264_none_3f30ef10158954bf\ApplyTrustOffline.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-setup-support_31bf3856ad364e35_11.0.19041.1081_none_7e66aef13d0cb227\ie4ushowIE.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_10.0.19041.867_none_099246ae3a45708c\printfilterpipelinesvc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-computerdefaults_31bf3856ad364e35_10.0.19041.1_none_bc67af2f62a6f130\ComputerDefaults.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-directshow-dvdplay_31bf3856ad364e35_10.0.19041.1_none_b79f30aeb967a64a\dvdplay.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_10.0.19041.1266_none_b5fa73367bbd2f91\r\klist.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\msil_inspectvhddialog6.2_31bf3856ad364e35_10.0.19041.1_none_7dc923aebe8d0c7f\InspectVhdDialog6.2.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-hns-diagnosticstool_31bf3856ad364e35_10.0.19041.423_none_841c30f68571c385\hnsdiag.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_10.0.19041.1_none_8b021141ec175d3e\sdbinst.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.1266_none_eb6597ac99d11603\r\audiodg.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-a..cation-creduibroker_31bf3856ad364e35_10.0.19041.746_none_4c95cf26b3aa5907\r\CredentialUIBroker.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\x86_netfx4-ilasm_exe_b03f5f7f11d50a3a_4.0.15805.0_none_a790160b3d9e046c\ilasm.exe.tmp | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.84_none_b4499a04dddcc22e\ssh-keygen.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..hreshold-adminflows_31bf3856ad364e35_10.0.19041.1_none_d69d2c25bd407a87\SystemSettingsAdminFlows.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.1_none_65c819c8f144c1f4\msdt.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..plicationframe-host_31bf3856ad364e35_10.0.19041.1_none_8f9e4094cc5ab626\ApplicationFrameHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-verclsid_31bf3856ad364e35_10.0.19041.1_none_71d7deb9b2d1d29b\verclsid.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-virtualdiskapilibrary_31bf3856ad364e35_10.0.19041.1266_none_622873cfbda33994\f\convertvhd.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..s-datausagehandlers_31bf3856ad364e35_10.0.19041.746_none_dbecc8a3cdc7c3cf\f\DataUsageLiveTileTask.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.0.19041.1202_none_5b834788c0d17953\iexplore.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1288_none_a518f9eb1ab503d0\r\hvax64.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-devicepairingapp_31bf3856ad364e35_10.0.19041.1_none_258f6f31a16a0eac\DevicePairingWizard.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-oobe-machine_31bf3856ad364e35_10.0.19041.1_none_c36f57b8a28f2fbc\msoobe.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\wdagtool.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\r\wkspbroker.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_ebe59bdc3d4ddc3f\FlashPlayerApp.exe | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-utilityvm-setupagent_31bf3856ad364e35_10.0.19041.1_none_cf994a1a65720fd5\wcsetupagent.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-embedded-bootexp_31bf3856ad364e35_10.0.19041.1_none_7f5264fda31782d9\BootExpCfg.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-wifinetworkmanager_31bf3856ad364e35_10.0.19041.1202_none_e17f082b30dd9027\f\wifitask.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-wmi-consumers_31bf3856ad364e35_10.0.19041.1_none_00c334ebf83ee740\scrcons.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-s..llercommandlinetool_31bf3856ad364e35_10.0.19041.1_none_34b3f2eea86afb06\sc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\NETSTAT.EXE | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\upnpcont.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslhost_31bf3856ad364e35_10.0.19041.117_none_9be21f0ef860b570\f\wslhost.exe.tmp | sysx32.exe
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysx32.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1580 wrote to memory of 3168 | 1580 | 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe | 84
PID 1580 wrote to memory of 3168 | 1580 | 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe | 84
PID 1580 wrote to memory of 3168 | 1580 | 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe | 84
PID 1580 wrote to memory of 1368 | 1580 | 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe | 85
PID 1580 wrote to memory of 1368 | 1580 | 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe | 85
PID 1580 wrote to memory of 1368 | 1580 | 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe | 85
Note: both targets (3168 and 1368) are the children the sample spawns in the process tree, and the three writes per child are what a parent performs while creating and initialising a new process. On their own these events are not evidence of injection into an unrelated process.
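The behaviours the signatures above flag (mass creation of <name>.exe.tmp files under protected directories, a Run value that names a binary the same run just dropped, and enumeration of nearly every drive letter) are straightforward to correlate in endpoint telemetry. The Python below is an added example written for this page, not code from the Triage report or from the sample. It runs over constructed Sysmon-style JSON events whose PIDs and paths mirror this report; the field names follow Sysmon EventID 11 (FileCreate) and EventID 13 (registry value set), while EventID 9001 is a hypothetical "drive root opened" event standing in for the sandbox's drive-enumeration rows. The thresholds, the WOW64 folding in normalize_wow64, and the fourth event (a legitimate updater writing a single .exe.tmp) are assumptions chosen to show the difference between one staged update and a sweep across the filesystem.

```python
"""Correlate endpoint events for the behaviours this report flags.

Added example for this page, not code from the Triage report or the sample.
SAMPLE_EVENTS is constructed, not real telemetry; its PIDs and paths mirror the
report. Field names follow Sysmon (EventID 11 = FileCreate, EventID 13 =
registry value set). EventID 9001 is a hypothetical "drive root opened" event
standing in for the sandbox's "File opened (read-only) \\??\\X:" rows.
"""
import json
import re
from collections import defaultdict

SAMPLE_EVENTS = r"""
{"EventID": 11, "ProcessId": 1580, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe", "TargetFilename": "C:\\Windows\\SysWOW64\\sysx32.exe"}
{"EventID": 13, "ProcessId": 1580, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe", "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\sys32", "Details": "C:\\Windows\\system32\\sysx32.exe"}
{"EventID": 11, "ProcessId": 3168, "Image": "C:\\Windows\\SysWOW64\\sysx32.exe", "TargetFilename": "C:\\Windows\\SysWOW64\\cmd.exe.tmp"}
{"EventID": 11, "ProcessId": 3168, "Image": "C:\\Windows\\SysWOW64\\sysx32.exe", "TargetFilename": "C:\\Windows\\SysWOW64\\net.exe.tmp"}
{"EventID": 11, "ProcessId": 3168, "Image": "C:\\Windows\\SysWOW64\\sysx32.exe", "TargetFilename": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe.tmp"}
{"EventID": 11, "ProcessId": 3168, "Image": "C:\\Windows\\SysWOW64\\sysx32.exe", "TargetFilename": "C:\\Program Files\\Windows Mail\\wab.exe.tmp"}
{"EventID": 11, "ProcessId": 4242, "Image": "C:\\Program Files\\Updater\\updater.exe", "TargetFilename": "C:\\Program Files\\Updater\\updater.exe.tmp"}
{"EventID": 9001, "ProcessId": 3168, "Image": "C:\\Windows\\SysWOW64\\sysx32.exe", "TargetFilename": "\\??\\E:"}
{"EventID": 9001, "ProcessId": 3168, "Image": "C:\\Windows\\SysWOW64\\sysx32.exe", "TargetFilename": "\\??\\H:"}
{"EventID": 9001, "ProcessId": 3168, "Image": "C:\\Windows\\SysWOW64\\sysx32.exe", "TargetFilename": "\\??\\L:"}
{"EventID": 9001, "ProcessId": 3168, "Image": "C:\\Windows\\SysWOW64\\sysx32.exe", "TargetFilename": "\\??\\Q:"}
{"EventID": 9001, "ProcessId": 3168, "Image": "C:\\Windows\\SysWOW64\\sysx32.exe", "TargetFilename": "\\??\\S:"}
{"EventID": 9001, "ProcessId": 3168, "Image": "C:\\Windows\\SysWOW64\\sysx32.exe", "TargetFilename": "\\??\\Y:"}
"""

# Directories the report shows sysx32.exe writing into (assumption: treat these as protected).
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Za-z]):$")


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize_wow64(path):
    """Lower-case and fold SysWOW64 onto system32, so a 32-bit writer's redirected
    file path compares equal to the system32 path it stored in the registry."""
    p = path.strip('"').lower()
    wow = "c:\\windows\\syswow64\\"
    if p.startswith(wow):
        p = "c:\\windows\\system32\\" + p[len(wow):]
    return p


def find_mass_exe_tmp_writers(events, threshold=3):
    """PIDs that create at least `threshold` <name>.exe.tmp files under protected roots."""
    counts = defaultdict(int)
    for e in events:
        target = e.get("TargetFilename", "").lower()
        if e.get("EventID") == 11 and target.endswith(".exe.tmp") and target.startswith(PROTECTED_ROOTS):
            counts[e["ProcessId"]] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def find_persisted_dropped_files(events):
    """Run values whose target file was created anywhere in the same event stream.
    Returns (writer pid, value name, value data, pid that created the file)."""
    created = {}
    for e in events:
        if e.get("EventID") == 11 and e.get("TargetFilename"):
            created.setdefault(normalize_wow64(e["TargetFilename"]), e["ProcessId"])
    hits = []
    for e in events:
        m = RUN_KEY_RE.search(e.get("TargetObject", "")) if e.get("EventID") == 13 else None
        if m and normalize_wow64(e.get("Details", "")) in created:
            hits.append((e["ProcessId"], m.group(1), e["Details"], created[normalize_wow64(e["Details"])]))
    return hits


def find_drive_enumerators(events, min_drives=5):
    """PIDs that open at least `min_drives` distinct drive roots."""
    drives = defaultdict(set)
    for e in events:
        m = DRIVE_ROOT_RE.match(e.get("TargetFilename", ""))
        if m:
            drives[e["ProcessId"]].add(m.group(1).upper())
    return {pid: len(d) for pid, d in drives.items() if len(d) >= min_drives}


def triage(text):
    """Run all three correlations over a JSON-lines event stream."""
    events = parse_events(text)
    return {
        "mass_exe_tmp_writers": find_mass_exe_tmp_writers(events),
        "persisted_dropped_files": find_persisted_dropped_files(events),
        "drive_enumerators": find_drive_enumerators(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Against the constructed stream, only PID 3168 crosses the .exe.tmp threshold (the updater at PID 4242 writes one staged file and stays below it), PID 3168 is the only process touching five or more drive roots, and the Run value written by PID 1580 is matched back to the sysx32.exe it created even though the registry says system32 and the file landed in SysWOW64. Point parse_events at real Sysmon exports and tune the thresholds to the host population before using it for alerting.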
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe"
PID: 1580
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\sysx32.exe (child of PID 1580)
  Command line: C:\Windows\system32\sysx32.exe /scan
  PID: 3168
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  -
  C:\Users\Admin\AppData\Local\Temp\_6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe (child of PID 1580)
  Command line: C:\Users\Admin\AppData\Local\Temp\_6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe
  PID: 1368
  - Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 7.8MB
MD5: 837f39c2eb5c8ba3b4ef54121d8636bb
SHA1: c9161c05fcfd9b572bed77a451f6b9fc7ee6eb07
SHA256: 5830d14244ef2d4a7940db2038d227154028c4cf3e79b6ca3f98b0702ff56a31
SHA512: b04a04bfb279d55f895bb34526d4e7a712c5d601f8f62100f1f762036174c989fb4e7fae25d93c6e7a4ed3c38838e8aed70c1a074e4fdae83b971723cb75e47e
-
C:\Users\Admin\AppData\Local\Temp\_6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90.exe
Filesize: 7.8MB
MD5: 8f0cf02e4cf0aa15ec68b735053011aa
SHA1: c937a6585d77f6104150a086f18b8c6d3f915c7d
SHA256: de90549e8d147122e906ad394be42e420f41f425d5a2b6952ef06c8ffe75f164
SHA512: 49cda1bed73d0ba4cc191a742f9f46aa999056159ebad44e827e4b9c23be54a2e4850094113f56c6228143bc273bd6855ec671c8265e2bb2697f8700d1594c6c
-
Filesize: 7.8MB (hashes identical to the submitted sample)
MD5: 4df4b1a43666d9a5c29fa4e22c50c73b
SHA1: 89447f053e059911750d06a75b0b589b18923c24
SHA256: 6a03c180fa521bfd63e729cb54231c923280251a3302f22ff1b6abf90242cf90
SHA512: 0ebda49618e2b90e4d91b6745d3629f91a12478bffdc24d2e80f88a745095560e508c8a1a231cca81aae81c1cac39ad4d72694f84cd20003b4ee0eb4f8ca8e10
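The file-drop signatures and the Downloads list above record <name>.exe.tmp files placed beside executables across System32, Program Files and WinSxS. On a host suspected of having run this sample, the first triage question is whether those .tmp siblings are still present and how each relates to the .exe it shadows. The Python below is an added example written for this page, not part of the report or of the sample: it walks a directory tree for *.exe.tmp, hashes each one against its original, and summarises the result. DEFAULT_ROOTS (the three directories the report shows being written to) is an assumption about where to look, and the demo tree is constructed in a temporary directory so the script runs anywhere; the report does not say what the .tmp files contain, so the scan reports presence and hash equality only.

```python
"""Find leftover <name>.exe.tmp siblings and compare them with the <name>.exe they shadow.

Added example for this page, not code from the Triage report or the sample.
DEFAULT_ROOTS lists the directories the report shows sysx32.exe touching
(assumption: scan these on a Windows host). build_demo_tree() creates a
constructed fixture so the script can be exercised on any OS.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

DEFAULT_ROOTS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_exe_tmp_siblings(root):
    """One record per *.exe.tmp under root: does the shadowed .exe exist, and is it byte-identical?"""
    findings = []
    for tmp in Path(root).rglob("*.exe.tmp"):
        original = tmp.with_name(tmp.name[: -len(".tmp")])  # cmd.exe.tmp -> cmd.exe
        record = {
            "tmp": str(tmp),
            "original": str(original),
            "original_exists": original.is_file(),
            "identical": None,  # unknown when the original is missing
        }
        if record["original_exists"]:
            record["identical"] = sha256_of(tmp) == sha256_of(original)
        findings.append(record)
    return findings


def summarize(findings):
    """Counts an analyst would put in a ticket before looking at individual files."""
    return {
        "total": len(findings),
        "orphaned_tmp": sum(1 for f in findings if not f["original_exists"]),
        "identical": sum(1 for f in findings if f["identical"] is True),
        "differs_from_original": sum(1 for f in findings if f["identical"] is False),
    }


def build_demo_tree(root):
    """Constructed fixture covering the three states a .exe.tmp sibling can be in."""
    root = Path(root)
    (root / "SysWOW64").mkdir()
    (root / "Program Files" / "App").mkdir(parents=True)
    # case 1: .exe and .exe.tmp both present, contents differ
    (root / "SysWOW64" / "cmd.exe").write_bytes(b"MZ original cmd")
    (root / "SysWOW64" / "cmd.exe.tmp").write_bytes(b"MZ something else")
    # case 2: .exe and .exe.tmp both present, contents identical
    (root / "Program Files" / "App" / "app.exe").write_bytes(b"MZ app")
    (root / "Program Files" / "App" / "app.exe.tmp").write_bytes(b"MZ app")
    # case 3: .exe.tmp with no .exe beside it
    (root / "SysWOW64" / "net.exe.tmp").write_bytes(b"MZ orphan")


def demo():
    """Run the scan over the constructed fixture and return the summary."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_tree(d)
        return summarize(find_exe_tmp_siblings(d))


if __name__ == "__main__":
    roots = sys.argv[1:] or (DEFAULT_ROOTS if os.name == "nt" else [])
    if not roots:
        print("demo:", demo())
    for r in roots:
        for rec in find_exe_tmp_siblings(r):
            print(rec)
    if roots:
        print(summarize([rec for r in roots for rec in find_exe_tmp_siblings(r)]))
```

Run it with no arguments off-Windows to see the fixture summary, or pass one or more roots on a Windows host (elevated, since System32 and WinSxS are not readable in full otherwise). Records where the original is missing or differs are the ones to hash against the Downloads entries above and to pull for static analysis.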