Analysis
max time kernel: 138s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2024, 23:51

Static task: static1
Behavioral task: behavioral1
  Sample: 73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
  Resource: win10v2004-20241007-en
General
Target: 73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
Size: 5.4MB
MD5: 3a50686f11cab9303e50a2de23064eb4
SHA1: a970490596cdcd2efb186e482eb97c464232b625
SHA256: 73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b
SHA512: b2457ea43fbbfc326d13f5ccf95b8cd02a46e483753f4b05c6b1db525d1d082c8ad156b48b5defb45069bca17a11fccac4f89bd3dd45b10b601b32fafde1d912
SSDEEP: 49152:9GGWdQtSgRWpAIRrRLzZiNo7IcyO82MzufjWJA6ongaHLvKLA8VgbKW2llxobcJC:IKTOrRn+os45gaHrhdwC
Malware Config
Signatures
-
Renames multiple (317) files with added filename extension
The sandbox reads this as ransomware activity, i.e. encryption of all files on the system. The IoCs below do not fit that reading well: every listed target is an existing executable, a "<name>.exe.tmp" sibling is created beside it and the original is opened for modification, and the dropped child is launched with a "/scan" argument. That is the pattern of a file infector rewriting executables in place, not of an encryptor working through user data. Every executable touched by sysx32.exe should be treated as untrusted and restored from known-good media; Authenticode checks on the modified binaries are the quickest way to confirm which ones were rewritten.
-
Executes dropped EXE 2 IoCs
  PID 1128  sysx32.exe
  PID 3552  _73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"  (73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe)
The value lands under WOW6432Node because the writer is a 32-bit process. For the same reason the "system32" path in the value is subject to WOW64 file system redirection, which is why the child in the process list below actually runs from C:\Windows\SysWOW64\sysx32.exe even though its command line says C:\Windows\system32\sysx32.exe. When hunting, look for the value name "sys32" under both the native Run key and the WOW6432Node one, and check both system32 and SysWOW64 for sysx32.exe.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by sysx32.exe: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
That is every drive letter except C:, D: and F:, which is the sweep an infector performs to find additional volumes to walk; on a real host this would include mapped network shares and removable media.
Drops file in System32 directory 64 IoCs
Process for every entry: sysx32.exe
  File created  C:\Windows\SysWOW64\help.exe.tmp
  File created  C:\Windows\SysWOW64\provlaunch.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\RdpSa.exe
  File created  C:\Windows\SysWOW64\xwizard.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\bitsadmin.exe
  File opened for modification  C:\Windows\SysWOW64\dfrgui.exe
  File created  C:\Windows\SysWOW64\dpnsvr.exe.tmp
  File created  C:\Windows\SysWOW64\RdpSa.exe.tmp
  File created  C:\Windows\SysWOW64\runas.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\TokenBrokerCookies.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\dpapimig.exe.tmp
  File created  C:\Windows\SysWOW64\findstr.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\newdev.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\tracerpt.exe
  File opened for modification  C:\Windows\SysWOW64\eudcedit.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\notepad.exe
  File created  C:\Windows\SysWOW64\perfmon.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\wbem\WmiPrvSE.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\AtBroker.exe
  File opened for modification  C:\Windows\SysWOW64\perfmon.exe
  File opened for modification  C:\Windows\SysWOW64\WerFaultSecure.exe
  File opened for modification  C:\Windows\SysWOW64\TapiUnattend.exe
  File created  C:\Windows\SysWOW64\write.exe.tmp
  File created  C:\Windows\SysWOW64\wbem\mofcomp.exe.tmp
  File created  C:\Windows\SysWOW64\msdt.exe.tmp
  File created  C:\Windows\SysWOW64\psr.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\RdpSaProxy.exe
  File opened for modification  C:\Windows\SysWOW64\InstallShield\_isdel.exe
  File opened for modification  C:\Windows\SysWOW64\mmc.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\Netplwiz.exe
  File opened for modification  C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE
  File opened for modification  C:\Windows\SysWOW64\RdpSaProxy.exe.tmp
  File created  C:\Windows\SysWOW64\RMActivate_isv.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\systray.exe.tmp
  File created  C:\Windows\SysWOW64\unlodctr.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe
  File opened for modification  C:\Windows\SysWOW64\SystemPropertiesHardware.exe.tmp
  File created  C:\Windows\SysWOW64\takeown.exe.tmp
  File created  C:\Windows\SysWOW64\wevtutil.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE.tmp
  File opened for modification  C:\Windows\SysWOW64\credwiz.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\expand.exe
  File opened for modification  C:\Windows\SysWOW64\mountvol.exe.tmp
  File created  C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\cmdkey.exe
  File opened for modification  C:\Windows\SysWOW64\WerFault.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\iscsicpl.exe
  File opened for modification  C:\Windows\SysWOW64\PATHPING.EXE.tmp
  File opened for modification  C:\Windows\SysWOW64\userinit.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\winver.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\InstallShield\setup.exe.tmp
  File created  C:\Windows\SysWOW64\autochk.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\diskperf.exe
  File opened for modification  C:\Windows\SysWOW64\icacls.exe
  File opened for modification  C:\Windows\SysWOW64\setupugc.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\dvdplay.exe
  File created  C:\Windows\SysWOW64\fontview.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\fsutil.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\fltMC.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\logman.exe.tmp
  File opened for modification  C:\Windows\SysWOW64\ctfmon.exe.tmp
  File created  C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe.tmp
-
Drops file in Program Files directory 64 IoCs
Process for every entry: sysx32.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp
  File created  C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE.tmp
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe
  File created  C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp
  File created  C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp
  File opened for modification  C:\Program Files\Windows NT\Accessories\wordpad.exe.tmp
  File created  C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe.tmp
  File created  C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp
  File opened for modification  C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE
  File opened for modification  C:\Program Files\Mozilla Firefox\plugin-container.exe.tmp
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp
  File created  C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp
  File opened for modification  C:\Program Files\Internet Explorer\iediagcmd.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\idlj.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.tmp
  File created  C:\Program Files (x86)\Windows Media Player\wmpconfig.exe.tmp
  File opened for modification  C:\Program Files (x86)\Windows Media Player\wmpconfig.exe.tmp
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.tmp
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp
  File opened for modification  C:\Program Files\Mozilla Firefox\minidump-analyzer.exe.tmp
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe.tmp
  File opened for modification  C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jmap.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\msoev.exe.tmp
  File opened for modification  C:\Program Files\Windows NT\Accessories\wordpad.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\msoev.exe.tmp
  File created  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe.tmp
  File created  C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe.tmp
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe.tmp
  File opened for modification  C:\Program Files\Internet Explorer\ExtExport.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javah.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
  File created  C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe.tmp
  File created  C:\Program Files\Mozilla Firefox\maintenanceservice.exe.tmp
  File created  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe.tmp
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe.tmp
  File created  C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe.tmp
  File created  C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe.tmp
  File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe.tmp
  File created  C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.tmp
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\servertool.exe
  File created  C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe.tmp
  File opened for modification  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe.tmp
  File opened for modification  C:\Program Files (x86)\Windows Media Player\wmplayer.exe.tmp
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe
  File created  C:\Program Files\Windows Media Player\wmpconfig.exe.tmp
  File opened for modification  C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe.tmp
  File created  C:\Program Files\7-Zip\7zG.exe.tmp
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe.tmp
  File created  C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\msoev.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.tmp
-
Drops file in Windows directory 64 IoCs
Process for every entry: sysx32.exe (component names containing ".." are abbreviated by the report itself)
  File opened for modification  C:\Windows\WinSxS\wow64_windowssearchengine_31bf3856ad364e35_7.0.19041.1151_none_f68db62a3702882b\r\SearchFilterHost.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\r\AppVNice.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_10.0.19041.1266_none_e20a09e712bd275c\cleanmgr.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.19041.1151_none_0f2f3a9cb1826509\r\nltest.exe
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-unattendedjoin_31bf3856ad364e35_10.0.19041.572_none_90e9bab3cbbfd71a\djoin.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-unattendedjoin_31bf3856ad364e35_10.0.19041.572_none_90e9bab3cbbfd71a\f\djoin.exe
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1060d2d22df7c6eb\r\WWAHost.exe
  File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.19041.1_none_ac040ccaa73c8c1b\instnm.exe.tmp
  File created  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1288_none_71734bf99a2a6955\Microsoft.Uev.SyncController.exe
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-deviceenroller_31bf3856ad364e35_10.0.19041.1_none_77365f2eaca89f2a\DeviceEnroller.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_10.0.19041.1266_none_c67a7a982eedc4e8\r\explorer.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-secinit_31bf3856ad364e35_10.0.19041.1_none_3da8fdfb6c5bbf8a\secinit.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_smsvchost_b03f5f7f11d50a3a_4.0.15805.0_none_6d5f51303f9aca21\SMSvcHost.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_10.0.19041.1266_none_b5fa73367bbd2f91\klist.exe.tmp
  File created  C:\Windows\WinSxS\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_4.0.15805.0_none_646d7347043be71c\aspnet_regbrowsers.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.264_none_62496caeba2daa52\nvspinfo.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.746_none_4b0a936d86cdd479\windeploy.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-lockapp.appxmain_31bf3856ad364e35_10.0.19041.844_none_c5675ea732c2eaa0\LockApp.exe
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\r\wpnpinst.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.572_none_846686e46b73c8e3\r\PnPUnattend.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-rpc-locator_31bf3856ad364e35_10.0.19041.1_none_8525a0b08bf57bbb\Locator.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-w..ebviewhost.appxmain_31bf3856ad364e35_10.0.19041.746_none_e873f3aa792d8bb3\Win32WebViewHost.exe.tmp
  File created  C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-bootux.deployment_31bf3856ad364e35_10.0.19041.1_none_f4025a506f9e9f01\bootim.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.19041.1110_none_ac2441dbb712f006\f\sdchange.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-s..ttings-removedevice_31bf3856ad364e35_10.0.19041.746_none_915a78ef54321214\r\SystemSettingsRemoveDevice.exe.tmp
  File created  C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_ebe59bdc3d4ddc3f\FlashUtil_ActiveX.exe.tmp
  File created  C:\Windows\WinSxS\wow64_microsoft-windows-extrac32_31bf3856ad364e35_10.0.19041.1_none_9b6f5274d7a3ac24\extrac32.exe.tmp
  File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.19041.1081_none_9972edde9b98690c\r\wscadminui.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_10.0.19041.1266_none_e20a09e712bd275c\f\cleanmgr.exe
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.19041.117_none_1db60e061b48335a\r\bash.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\r\diskperf.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.1052_none_073e2a212d1697e6\f\ApproveChildRequest.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.19041.1151_none_0f2f3a9cb1826509\nltest.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\r\net1.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-s..nsemanager-shellext_31bf3856ad364e35_10.0.19041.1_none_683b3c51d469e51b\LicenseManagerShellext.exe.tmp
  File created  C:\Windows\WinSxS\Temp\PendingDeletes\e374984536e5d701109b00001815341f.iisrstas.exe.tmp
  File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-cttunesvr_31bf3856ad364e35_10.0.19041.746_none_d848cc62b1883bca\f\cttunesvr.exe.tmp
  File created  C:\Windows\WinSxS\wow64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_10.0.19041.906_none_23e2379a6f03d0cb\r\gpresult.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.19041.964_none_a40a1f93665b43eb\f\SndVol.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\net1.exe
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.1_none_1776a3602eb73133\netiougc.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.19041.153_none_6ef8a222ac00dbc2\TrustedInstaller.exe.tmp
  File created  C:\Windows\WinSxS\wow64_microsoft-windows-ipconfig_31bf3856ad364e35_10.0.19041.1_none_0c7fa8d5ebaceac7\ipconfig.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_10.0.19041.1202_none_c0150a0a443c0ffc\r\wbadmin.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.1_none_0ed4f15b837334c7\csrss.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-adamsync_31bf3856ad364e35_10.0.19041.1081_none_6700b2d2d3c0055f\f\adamsync.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.19041.264_none_223a5768a6257099\ShellLauncherConfig.exe
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_10.0.19041.1_none_08235f0411d49656\net.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-printing-eduprintprov_31bf3856ad364e35_10.0.19041.1_none_67326312c2487423\EduPrintProv.exe.tmp
  File created  C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.19041.1081_none_9fa94241ef63ceb4\wermgr.exe.tmp
  File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.1266_none_e20a2c618eea3856\agentactivationruntimestarter.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
  File created  C:\Windows\WinSxS\amd64_aspnet_compiler_b03f5f7f11d50a3a_10.0.19041.1_none_9202844cd514ab44\aspnet_compiler.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-com-complus-setup_31bf3856ad364e35_10.0.19041.1_none_9f98e6cc8eabb4ca\mtstocom.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-d..al-chinese-moimeexe_31bf3856ad364e35_10.0.19041.746_none_0f44a2d7a5e3a37a\r\ChtIME.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\r\SnippingTool.exe.tmp
  File created  C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.1_none_9a2ae60de5f420d2\dialer.exe.tmp
  File opened for modification  C:\Windows\WinSxS\amd64_microsoft-windows-w..cquisition-wiawow64_31bf3856ad364e35_10.0.19041.1_none_827105fe900187d1\wiawow64.exe
  File opened for modification  C:\Windows\WinSxS\wow64_microsoft-windows-d..tofservice-oposhost_31bf3856ad364e35_10.0.19041.1_none_3d1291badd9e7f22\OposHost.exe
  File created  C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_10.0.19041.264_none_39eaf2470cfe88f0\explorer.exe.tmp
  File opened for modification  C:\Windows\WinSxS\x86_microsoft-windows-d..ing-management-core_31bf3856ad364e35_10.0.19041.746_none_ad0ed54dd130eec3\f\DismHost.exe
  File created  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe.tmp
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (sysx32.exe)
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here, however, all three reads come from dw20.exe, the Microsoft .NET Error Reporting Shim that the CLR launches when a managed process dies on an unhandled exception; it collects CPU and BIOS details for the crash report. This signature, the two that follow it and the dw20.exe entry in the process list therefore record the crash of the dropped _73a33...exe (which the CLR's involvement shows to be a managed binary), not an anti-analysis check by the sample.
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (dw20.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (dw20.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (dw20.exe)
-
Enumerates system info in registry 2 TTPs 2 IoCs
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (dw20.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (dw20.exe)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
  Token: SeBackupPrivilege  PID 1008  dw20.exe
  Token: SeBackupPrivilege  PID 1008  dw20.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Columns: writer PID, target PID, writer process, procid_target (the report's own target index)
  PID 3396 wrote to memory of 1128  73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe  86
  PID 3396 wrote to memory of 1128  73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe  86
  PID 3396 wrote to memory of 1128  73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe  86
  PID 3396 wrote to memory of 3552  73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe  89
  PID 3396 wrote to memory of 3552  73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe  89
  PID 3552 wrote to memory of 1008  _73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe  90
  PID 3552 wrote to memory of 1008  _73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe  90
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe"
  PID: 3396
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    PID: 1128
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery

  Level 2: C:\Users\Admin\AppData\Local\Temp\_73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\_73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
    PID: 3552
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 884
      PID: 1008
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
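The signature tables and the process list above are flat text. The following added example, not part of the sandbox report, parses a constructed subset of this page's own lines to rebuild the parent/child tree from the WriteProcessMemory events, pull out the Run-key persistence entry (flagging the WOW6432Node redirection), and pair each ".exe.tmp" creation with the modification of its host ".exe", which is the check that separates a file infector from an encryptor. The shortened process names 73a33d9f.exe and _73a33d9f.exe stand in for the full sample name and are the only non-verbatim detail in the input.

```python
"""Triage of a flattened sandbox report (added example, not part of the report).
Rebuilds the process tree from 'wrote to memory of' events, extracts Run-key
persistence, and pairs '<x>.exe.tmp' creations with '<x>.exe' modifications."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed subset of this page's own IoC lines; the 64-hex-character sample
# name is shortened to 73a33d9f.exe / _73a33d9f.exe for readability only.
REPORT_LINES = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" 73a33d9f.exe
File created C:\Windows\SysWOW64\RdpSa.exe.tmp sysx32.exe
File opened for modification C:\Windows\SysWOW64\RdpSa.exe sysx32.exe
File created C:\Windows\SysWOW64\perfmon.exe.tmp sysx32.exe
File opened for modification C:\Windows\SysWOW64\perfmon.exe sysx32.exe
File created C:\Program Files\7-Zip\7zG.exe.tmp sysx32.exe
File opened for modification C:\Windows\SysWOW64\notepad.exe sysx32.exe
PID 3396 wrote to memory of 1128 3396 73a33d9f.exe 86
PID 3396 wrote to memory of 1128 3396 73a33d9f.exe 86
PID 3396 wrote to memory of 3552 3396 73a33d9f.exe 89
PID 3552 wrote to memory of 1008 3552 _73a33d9f.exe 90
"""

# The last whitespace-free token of a file line is the acting process; the path
# before it may contain spaces (Program Files), so the path group is greedy.
FILE_RE = re.compile(r"File (created|opened for modification) (.+) (\S+)$")
RUN_RE = re.compile(r'Set value \(str\) (\S+\\Run\\(\S+)) = "([^"]*)" (\S+)$')
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")


@dataclass(frozen=True)
class FileEvent:
    action: str      # "created" or "opened for modification"
    path: str
    process: str


def parse(text):
    """Split report lines into file events, Run-key writes and WPM edges."""
    files, runkeys, writes = [], [], []
    for line in text.strip().splitlines():
        if m := FILE_RE.match(line):
            files.append(FileEvent(m[1], m[2], m[3]))
        elif m := RUN_RE.match(line):
            runkeys.append({
                "key": m[1], "value": m[2],
                "data": m[3].replace("\\\\", "\\"),   # the report doubles backslashes
                "process": m[4],
                # A 32-bit writer is redirected to WOW6432Node: hunt both hives.
                "wow64": "WOW6432Node" in m[1],
            })
        elif m := WPM_RE.match(line):
            writes.append((int(m[1]), int(m[2]), m[3]))
    return files, runkeys, writes


def pair_infections(files):
    """Pair '<x>.exe.tmp' creations with modifications of '<x>.exe'.
    Both present = temp copy beside the host and host rewritten (file infection,
    not data encryption). Returns (infected hosts, .tmp files without a matching
    host write, hosts modified without a .tmp seen) so loose ends get reviewed."""
    tmp_created, modified = {}, {}
    for e in files:
        low = e.path.lower()
        if e.action == "created" and low.endswith(".exe.tmp"):
            tmp_created[low[:-4]] = e.path[:-4]
        elif e.action == "opened for modification" and low.endswith(".exe"):
            modified[low] = e.path
    both = tmp_created.keys() & modified.keys()
    return (sorted(tmp_created[k] for k in both),
            sorted(tmp_created[k] + ".tmp" for k in tmp_created.keys() - both),
            sorted(modified[k] for k in modified.keys() - both))


def process_tree(writes):
    """Parent -> children map from WPM edges; the report repeats edges, so
    duplicates are dropped. Only writers are named by these events."""
    names, children = {}, defaultdict(list)
    for src, dst, proc in writes:
        names[src] = proc
        if dst not in children[src]:
            children[src].append(dst)
    all_children = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in all_children]
    return roots, dict(children), names


def render_tree(roots, children, names):
    """Indented text tree, one process per line ('?' = PID not named by WPM)."""
    def walk(pid, depth):
        yield "  " * depth + f"{pid} {names.get(pid, '?')}"
        for kid in children.get(pid, []):
            yield from walk(kid, depth + 1)
    return [line for r in roots for line in walk(r, 0)]


if __name__ == "__main__":
    files, runkeys, writes = parse(REPORT_LINES)
    print("infected / tmp-only / modified-only:", pair_infections(files))
    print("persistence:", runkeys)
    print("\n".join(render_tree(*process_tree(writes))))
```

Run it over the full report rather than the embedded subset to get the complete list of rewritten executables; the "modified without a .tmp seen" bucket is expected to be non-empty on this page because the report shows only 64 of each category, so absence of a .tmp line is not evidence that a host was left intact.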
Network
MITRE ATT&CK Enterprise v15
Downloads

(path not given in the report)
Filesize: 5.4MB
MD5: 1e86a8765e997371f9db3e179d5ef720
SHA1: 1002792c11665c38cf361a752de5d4b5bb07b173
SHA256: bccc5f44dc8f89e930453ee855d63cef3aaad9e5aa204da86d8fd3803ddac5c6
SHA512: 1ef708dba5251d4223d4a9454bab50b9fe8011392eca35809b08ef2993a39992efce7edaf57932ca33c94ad27a6e64a88197a7f807e63143920c4a9780daa229

C:\Users\Admin\AppData\Local\Temp\_73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b.exe
Filesize: 5.3MB
MD5: 2961d9e7c399d6d047ef063757afec75
SHA1: 05996a47e907d1858d3f900469bbb2ff9ea104df
SHA256: ffcd18191f60427b93eab508e3058f733ed5e9de9024cccf3df27e6df121eab4
SHA512: 2ff2d2b812220efcd57659737504e08c8c6d024ec5f186ab5f7fd8c6316f1e0d16828ad248880f33f598de50b6d3e16a576b1e372f0092107d09db0ba913c099

(the submitted sample itself; hashes match the General section)
Filesize: 5.4MB
MD5: 3a50686f11cab9303e50a2de23064eb4
SHA1: a970490596cdcd2efb186e482eb97c464232b625
SHA256: 73a33d9fbd9d42877a740dfd6d72735609ed45f5114cfb41679b04d421c4ec6b
SHA512: b2457ea43fbbfc326d13f5ccf95b8cd02a46e483753f4b05c6b1db525d1d082c8ad156b48b5defb45069bca17a11fccac4f89bd3dd45b10b601b32fafde1d912
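The 5.4MB sample dropping and running a 5.3MB "_<sample>.exe" is consistent with a prepender: an infector stub followed by the untouched original host program. The page does not prove that layout, so the added example below (not part of the report) tests for it instead of assuming it: it scans a buffer for every "MZ" whose e_lfanew lands on a "PE\0\0" signature and carves from the second hit to end of file. The two PE-shaped blobs it builds are constructed test data, not loadable images.

```python
"""Carve an embedded PE out of a suspected prepender-infected executable.
Added example, not part of the sandbox report. The helper that builds the
input produces constructed, non-loadable PE-shaped blobs for demonstration."""
import hashlib
import struct

PE_SIG = b"PE\x00\x00"


def build_min_pe(tag: bytes, body_len: int) -> bytes:
    """Constructed PE-shaped blob: 'MZ', e_lfanew at 0x3C pointing to 0x80,
    the PE signature there, then zero filler. Test data only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + tag.ljust(0x80 - 64, b"\x00") + PE_SIG + b"\x00" * body_len


def find_pe_headers(buf: bytes, max_lfanew: int = 0x1000):
    """Offsets of every 'MZ' whose e_lfanew lands on a PE signature.
    The e_lfanew bound filters stray 'MZ' byte pairs in ordinary data."""
    hits, i = [], 0
    while (i := buf.find(b"MZ", i)) != -1:
        if i + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, i + 0x3C)[0]
            pe = i + e_lfanew
            if 0x40 <= e_lfanew <= max_lfanew and buf[pe:pe + 4] == PE_SIG:
                hits.append(i)
        i += 2
    return hits


def carve_embedded(buf: bytes):
    """(offset, bytes) of the second PE image in buf, or None if there is only
    one. For a prepender the host program runs from that offset to EOF."""
    hits = find_pe_headers(buf)
    if len(hits) < 2:
        return None
    return hits[1], buf[hits[1]:]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    host = build_min_pe(b"HOST", 300)            # stand-in for the original program
    infected = build_min_pe(b"STUB", 100) + host  # stub first, host appended
    off, carved = carve_embedded(infected)
    print(f"embedded PE at {off:#x}, sha256 {sha256(carved)}, intact: {carved == host}")
```

Against the real sample, compare the SHA256 of the carved bytes with the hash the report gives for _73a33d9f...exe (ffcd1819...). A match confirms the prepender layout and means the carved bytes are the clean host that can be restored; a mismatch means the stub transforms the host on the way out (compression, encryption or a patched header), and recovery then needs the stub's own extraction routine rather than this carve.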