Analysis
max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
05/11/2024, 23:39
Static task
static1
Behavioral task
behavioral1
Sample
76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe
Resource
win10v2004-20241007-en
General
Target
76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe
Size
5.4MB
MD5
2f825bb8db9d34c2f6e63c8311a61640
SHA1
cd057e914f0078871484732a0001008412a42255
SHA256
76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2
SHA512
b183ac5184891a83a269fdc72f1adf9b46ded3824e204595bbc9b1ce16e16657c6e0ff540c11dc30e8a67df3062af34de2eecd859f3153b971c966e3b05ffae6
SSDEEP
49152:9GKsY+dy0ZScIBqBT11s9GY568MNwu4acTC3ZvFXkP5VugzsIYU:fsY+dy0ZScIBqBT116EHcTeqqI3
Malware Config
Signatures
Renames multiple (316) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Executes dropped EXE 1 IoCs
pid Process
756 sysx32.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) by sysx32.exe, in this order, for each of: \??\E: \??\M: \??\T: \??\I: \??\Q: \??\U: \??\S: \??\W: \??\X: \??\B: \??\K: \??\L: \??\N: \??\P: \??\R: \??\V: \??\Y: \??\A: \??\G: \??\H: \??\J: \??\O: \??\Z:
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sysx32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 2368 wrote to memory of 756 2368 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe 84
PID 2368 wrote to memory of 756 2368 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe 84
PID 2368 wrote to memory of 756 2368 76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe 84
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2N.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
  Depth 2 (child of the process above): C:\Windows\SysWOW64\sysx32.exe
  Command line: C:\Windows\system32\sysx32.exe /scan
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:756
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
5.4MB
MD5
2976e41b0759e4ae894d047a3c3634f6
SHA1
005b0697bdb59d3e2e350907ff59e667bfb8a9b7
SHA256
713807d3004887928d43267d1efc63c13f0e9681324ccd7ab3f3b37d28d50a3c
SHA512
58e994132cb3cacf76d2574e2fad8abfc2ae0037d1f384fd7376b2eb13c4db5c4ce7475012f909e85856d9dbd40594951a4962e69e2fdf318dd7f311aedc4069
Filesize
5.4MB
MD5
2f825bb8db9d34c2f6e63c8311a61640
SHA1
cd057e914f0078871484732a0001008412a42255
SHA256
76a9f90a2a4c6736f100b7c79c68f205e374744435429a4e2dba8e0d511a48b2
SHA512
b183ac5184891a83a269fdc72f1adf9b46ded3824e204595bbc9b1ce16e16657c6e0ff540c11dc30e8a67df3062af34de2eecd859f3153b971c966e3b05ffae6