Analysis
- max time kernel: 108s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/11/2024, 23:36
Static task: static1
Behavioral task: behavioral1
- Sample: 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe
- Resource: win10v2004-20241007-en
General
- Target: 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe
- Size: 5.4MB
- MD5: 2f825bb8db9d34c2f6e63c8311a61640
- SHA1: cd057e914f0078871484732a0001008412a42255
- SHA256: 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2
- SHA512: b183ac5184891a83a269fdc72f1adf9b46ded3824e204595bbc9b1ce16e16657c6e0ff540c11dc30e8a67df3062af34de2eecd859f3153b971c966e3b05ffae6
- SSDEEP: 49152:9GKsY+dy0ZScIBqBT11s9GY568MNwu4acTC3ZvFXkP5VugzsIYU:fsY+dy0ZScIBqBT116EHcTeqqI3
Malware Config
Signatures
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (1 IoC)

| pid | Process |
|---|---|
| 1564 | sysx32.exe |
- Adds Run key to start application (2 TTPs, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe |
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\G: | sysx32.exe |
| File opened (read-only) | \??\I: | sysx32.exe |
| File opened (read-only) | \??\T: | sysx32.exe |
| File opened (read-only) | \??\V: | sysx32.exe |
| File opened (read-only) | \??\Z: | sysx32.exe |
| File opened (read-only) | \??\A: | sysx32.exe |
| File opened (read-only) | \??\N: | sysx32.exe |
| File opened (read-only) | \??\Q: | sysx32.exe |
| File opened (read-only) | \??\W: | sysx32.exe |
| File opened (read-only) | \??\E: | sysx32.exe |
| File opened (read-only) | \??\J: | sysx32.exe |
| File opened (read-only) | \??\K: | sysx32.exe |
| File opened (read-only) | \??\M: | sysx32.exe |
| File opened (read-only) | \??\P: | sysx32.exe |
| File opened (read-only) | \??\S: | sysx32.exe |
| File opened (read-only) | \??\H: | sysx32.exe |
| File opened (read-only) | \??\L: | sysx32.exe |
| File opened (read-only) | \??\O: | sysx32.exe |
| File opened (read-only) | \??\R: | sysx32.exe |
| File opened (read-only) | \??\U: | sysx32.exe |
| File opened (read-only) | \??\X: | sysx32.exe |
| File opened (read-only) | \??\Y: | sysx32.exe |
| File opened (read-only) | \??\B: | sysx32.exe |
- Drops file in System32 directory (64 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\cttune.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\find.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\InputSwitchToastHandler.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\proquota.exe | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\wowreg32.exe | sysx32.exe |
| File created | C:\Windows\SysWOW64\ddodiag.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\icacls.exe | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\ipconfig.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\mcbuilder.exe | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\relog.exe | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\sethc.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\SystemUWPLauncher.exe | sysx32.exe |
| File created | C:\Windows\SysWOW64\OpenWith.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\schtasks.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\systray.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\wevtutil.exe | sysx32.exe |
| File created | C:\Windows\SysWOW64\fontview.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\iscsicpl.exe | sysx32.exe |
| File created | C:\Windows\SysWOW64\shrpubw.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\unregmp2.exe | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\InstallShield\_isdel.exe | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\appidtel.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | sysx32.exe |
| File created | C:\Windows\SysWOW64\netsh.exe.tmp | sysx32.exe |
| File created | C:\Windows\SysWOW64\nslookup.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\reg.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\tracerpt.exe | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\AtBroker.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\AtBroker.exe | sysx32.exe |
| File created | C:\Windows\SysWOW64\netbtugc.exe.tmp | sysx32.exe |
| File created | C:\Windows\SysWOW64\rdrleakdiag.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\ROUTE.EXE | sysx32.exe |
| File created | C:\Windows\SysWOW64\TpmInit.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\at.exe | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\ByteCodeGenerator.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\ndadmin.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\recover.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe.tmp | sysx32.exe |
| File created | C:\Windows\SysWOW64\wecutil.exe.tmp | sysx32.exe |
| File created | C:\Windows\SysWOW64\wscadminui.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\findstr.exe | sysx32.exe |
| File created | C:\Windows\SysWOW64\RMActivate.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\dtdump.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\GameBarPresenceWriter.exe.tmp | sysx32.exe |
| File created | C:\Windows\SysWOW64\iscsicpl.exe.tmp | sysx32.exe |
| File created | C:\Windows\SysWOW64\rekeywiz.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\WerFaultSecure.exe | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\wbem\WinMgmt.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\clip.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\dplaysvr.exe.tmp | sysx32.exe |
| File created | C:\Windows\SysWOW64\Magnify.exe.tmp | sysx32.exe |
| File created | C:\Windows\SysWOW64\odbcconf.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\perfmon.exe.tmp | sysx32.exe |
| File created | C:\Windows\SysWOW64\cliconfg.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\cmdkey.exe | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\winrshost.exe | sysx32.exe |
| File created | C:\Windows\SysWOW64\wbem\mofcomp.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\ByteCodeGenerator.exe | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\colorcpl.exe | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\eudcedit.exe.tmp | sysx32.exe |
| File created | C:\Windows\SysWOW64\WerFaultSecure.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe | sysx32.exe |
| File created | C:\Windows\SysWOW64\doskey.exe.tmp | sysx32.exe |
| File created | C:\Windows\SysWOW64\isoburn.exe.tmp | sysx32.exe |
- Drops file in Program Files directory (64 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | sysx32.exe |
| File created | C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp | sysx32.exe |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp | sysx32.exe |
| File created | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Windows Media Player\setup_wm.exe | sysx32.exe |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | sysx32.exe |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe.tmp | sysx32.exe |
| File created | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp | sysx32.exe |
| File created | C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | sysx32.exe |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | sysx32.exe |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | sysx32.exe |
| File created | C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp | sysx32.exe |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe.tmp | sysx32.exe |
| File created | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp | sysx32.exe |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | sysx32.exe |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | sysx32.exe |
| File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp | sysx32.exe |
| File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe | sysx32.exe |
| File opened for modification | C:\Program Files\Windows Media Player\wmlaunch.exe.tmp | sysx32.exe |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe.tmp | sysx32.exe |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe.tmp | sysx32.exe |
| File created | C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | sysx32.exe |
| File created | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe | sysx32.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe | sysx32.exe |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{1E8F5DDF-3FB3-4332-A4CC-B46FF6E6899A}\chrome_installer.exe | sysx32.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe | sysx32.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | sysx32.exe |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp | sysx32.exe |
| File created | C:\Program Files (x86)\Internet Explorer\ExtExport.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | sysx32.exe |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | sysx32.exe |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | sysx32.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\misc.exe | sysx32.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | sysx32.exe |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | sysx32.exe |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe | sysx32.exe |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp | sysx32.exe |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe.tmp | sysx32.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe | sysx32.exe |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | sysx32.exe |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp | sysx32.exe |
- Drops file in Windows directory (64 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_10.0.19041.1_none_f725ad3465e95fe3\klist.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-assignedaccess-guard_31bf3856ad364e35_10.0.19041.844_none_10a0a60f1ec9cc10\n\AssignedAccessGuard.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-certificaterequesttool_31bf3856ad364e35_10.0.19041.1_none_28564b59eb268cda\certreq.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\AppVDllSurrogate.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-com-surrogate-core_31bf3856ad364e35_10.0.19041.546_none_12e3d70535675c5f\f\dllhost.exe | sysx32.exe |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-mdmappinstaller_31bf3856ad364e35_10.0.19041.844_none_77a5d9aafae08e77\f\MDMAppInstaller.exe.tmp | sysx32.exe |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-rundll32_31bf3856ad364e35_10.0.19041.746_none_b5fe9c5c09b9d7a9\rundll32.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-h..-network-management_31bf3856ad364e35_10.0.19041.1_none_7a53549f2797bc70\nmscrub.exe | sysx32.exe |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-iis-managementconsole_31bf3856ad364e35_10.0.19041.906_none_65f82ba919c64b11\InetMgr.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_7a0308f7ffc334d5\resmon.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..s-datausagehandlers_31bf3856ad364e35_10.0.19041.153_none_dbdeec75cdd2a4d1\f\DataUsageLiveTileTask.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-xbox-gamecallableui.appxmain_31bf3856ad364e35_10.0.19041.1_none_d910ec4e86b0552b\XBox.TCUI.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.264_none_8bd2f5fc0c992e06\SearchProtocolHost.exe | sysx32.exe |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_ffd303094ff1fe66\auditpol.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-d..d-searchintegration_31bf3856ad364e35_10.0.19041.746_none_63b0fc68ee30f2cb\r\IMESEARCH.EXE.tmp | sysx32.exe |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_c77fb947e9eed73b\wscript.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1_none_b0493212512a7f1a\ntprint.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\HvsiSettingsWorker.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-trustlet_31bf3856ad364e35_10.0.19041.84_none_dd81fb99bc3b1e53\f\NgcIso.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ShapeCollector.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_multipoint-wmssvc_31bf3856ad364e35_10.0.19041.746_none_9ebd3ef9f0c794b5\r\WmsSvc.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57_svchost.exe_4dd0f0bc.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.19041.746_none_dc7caa836f08ad57\regedt32.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1_none_0e22056af4d5d874\mstsc.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.746_none_4028b8f4f6c0b829\f\wpr.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-bcdboot-cmdlinetool_31bf3856ad364e35_10.0.19041.1_none_1746f218dd81ed09\bcdboot.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_10.0.19041.1202_none_c0150a0a443c0ffc\wbadmin.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.19041.1266_none_3bcd0306a19592e2\f\Robocopy.exe.tmp | sysx32.exe |
| File created | C:\Windows\WinSxS\amd64_netfx35linq-addinutil_31bf3856ad364e35_10.0.19041.1_none_810f46ab82b9619e\AddInUtil.exe.tmp | sysx32.exe |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_8457b34a3423f6d0\perfmon.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-autochk_31bf3856ad364e35_10.0.19041.1_none_97e4facd611ea96a\autochk.exe.tmp | sysx32.exe |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-compat-compattelrunner_31bf3856ad364e35_10.0.19041.1202_none_33e8c5dac6801a49\f\CompatTelRunner.exe.tmp | sysx32.exe |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.19041.153_none_ff44cfa7cb529ce3\f\lpksetup.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..ac-sql-cliconfg-exe_31bf3856ad364e35_10.0.19041.1_none_260e545bf60f6b0f\cliconfg.exe.tmp | sysx32.exe |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpinit.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.173_none_38fc88f8cb913df1\f\winresume.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..cecontroller-minwin_31bf3856ad364e35_10.0.19041.1_none_f509d2f29c00c5f0\services.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_10.0.19041.546_none_ee5c058bea34543e\WmiPrvSE.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-autochk_31bf3856ad364e35_10.0.19041.1266_none_610e6b21ab533b13\f\autochk.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-international-unattend_31bf3856ad364e35_10.0.19041.906_none_a892faef80a943dc\r\MuiUnattend.exe | sysx32.exe |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-m..-management-console_31bf3856ad364e35_10.0.19041.746_none_f7c1402f08d2457a\mmc.exe.tmp | sysx32.exe |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_49716c2392052aca\r\typeperf.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.746_none_790f12933fbf7e0d\rmttpmvscmgrsvr.exe | sysx32.exe |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-eventcreate_31bf3856ad364e35_10.0.19041.1_none_8b53de27def16277\eventcreate.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\SecHealthUI.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-service_31bf3856ad364e35_10.0.19041.1202_none_d965e0f65a4ddcdf\f\BdeUISrv.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1081_none_5f557b607e14f541\r\ByteCodeGenerator.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-logagent_31bf3856ad364e35_10.0.19041.746_none_d38e81565538dedf\r\logagent.exe | sysx32.exe |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_908b22903a403149\newdev.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-utilityvm-setupagent_31bf3856ad364e35_10.0.19041.1_none_cf994a1a65720fd5\wcsetupagent.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ecapp.appxmain_31bf3856ad364e35_10.0.19041.1_none_b30156e32b833fb0\Microsoft.ECApp.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-filehistory-core_31bf3856ad364e35_10.0.19041.1110_none_29d8ec742bfd8b13\r\fhmanagew.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslconfig_31bf3856ad364e35_10.0.19041.117_none_7f3778d7035d9622\r\wslconfig.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-driververifier_31bf3856ad364e35_10.0.19041.1_none_7ab192ed7079aec0\verifiergui.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_c77fb947e9eed73b\wscript.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe.tmp | sysx32.exe |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_bd2b0ef5b58e1540\f\cscript.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\f\mstsc.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_e8b8012dee3ba92e\HOSTNAME.EXE | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.746_none_b6b8620636970859\PerceptionSimulationService.exe | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.173_none_38fc88f8cb913df1\winresume.exe.tmp | sysx32.exe |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-eventcreate_31bf3856ad364e35_10.0.19041.1_none_8b53de27def16277\eventcreate.exe | sysx32.exe |
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysx32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe |
- Suspicious use of WriteProcessMemory (3 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4656 wrote to memory of 1564 | 4656 | 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe | 84 |
| PID 4656 wrote to memory of 1564 | 4656 | 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe | 84 |
| PID 4656 wrote to memory of 1564 | 4656 | 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe | 84 |
Processes
- C:\Users\Admin\AppData\Local\Temp\76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe"
  PID: 4656
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sysx32.exe (child of PID 4656)
    Command line: C:\Windows\system32\sysx32.exe /scan
    PID: 1564
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5.4MB
  MD5: 2976e41b0759e4ae894d047a3c3634f6
  SHA1: 005b0697bdb59d3e2e350907ff59e667bfb8a9b7
  SHA256: 713807d3004887928d43267d1efc63c13f0e9681324ccd7ab3f3b37d28d50a3c
  SHA512: 58e994132cb3cacf76d2574e2fad8abfc2ae0037d1f384fd7376b2eb13c4db5c4ce7475012f909e85856d9dbd40594951a4962e69e2fdf318dd7f311aedc4069
- Filesize: 5.4MB
  MD5: 2f825bb8db9d34c2f6e63c8311a61640
  SHA1: cd057e914f0078871484732a0001008412a42255
  SHA256: 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2
  SHA512: b183ac5184891a83a269fdc72f1adf9b46ded3824e204595bbc9b1ce16e16657c6e0ff540c11dc30e8a67df3062af34de2eecd859f3153b971c966e3b05ffae6