Analysis
max time kernel: 110s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2024, 00:28
Static task: static1
Behavioral task: behavioral1
  Sample: f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
  Resource: win10v2004-20241007-en
General
Target: f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
Size: 2.1MB
MD5: 41c0ab9cd38d0717867d9383f0135210
SHA1: e72eda7cd437bdf5917f6d159b85a67b103486fe
SHA256: f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ce
SHA512: 3d885d406de1fb84ed2c78c226909cc76b6aa073c9449dabb1a95b89a9b37d6ed0a6ff39495befa5f81462f01b113ca911c38c96d9c10c025a9a2b832e49afc8
SSDEEP: 49152:9mHMJuQ9mhkjgMj7SwYfy3V8VD01yPiI4cCd2ilpXHJT8mpaZQ6pFNuY1SNl9X6M:M1K9X5Iddq41Lxry
Malware Config
Signatures
Renames multiple (316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Executes dropped EXE 2 IoCs
pid | Process
2040 | sysx32.exe
4516 | _f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | sysx32.exe
File opened (read-only) | \??\E: | sysx32.exe
File opened (read-only) | \??\K: | sysx32.exe
File opened (read-only) | \??\L: | sysx32.exe
File opened (read-only) | \??\M: | sysx32.exe
File opened (read-only) | \??\O: | sysx32.exe
File opened (read-only) | \??\Q: | sysx32.exe
File opened (read-only) | \??\R: | sysx32.exe
File opened (read-only) | \??\T: | sysx32.exe
File opened (read-only) | \??\Y: | sysx32.exe
File opened (read-only) | \??\N: | sysx32.exe
File opened (read-only) | \??\U: | sysx32.exe
File opened (read-only) | \??\G: | sysx32.exe
File opened (read-only) | \??\J: | sysx32.exe
File opened (read-only) | \??\P: | sysx32.exe
File opened (read-only) | \??\W: | sysx32.exe
File opened (read-only) | \??\X: | sysx32.exe
File opened (read-only) | \??\B: | sysx32.exe
File opened (read-only) | \??\H: | sysx32.exe
File opened (read-only) | \??\I: | sysx32.exe
File opened (read-only) | \??\S: | sysx32.exe
File opened (read-only) | \??\V: | sysx32.exe
File opened (read-only) | \??\Z: | sysx32.exe
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysx32.exe
Suspicious use of WriteProcessMemory 5 IoCs
description | pid | Process | procid_target
PID 4876 wrote to memory of 2040 | 4876 | f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe | 84
PID 4876 wrote to memory of 2040 | 4876 | f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe | 84
PID 4876 wrote to memory of 2040 | 4876 | f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe | 84
PID 4876 wrote to memory of 4516 | 4876 | f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe | 85
PID 4876 wrote to memory of 4516 | 4876 | f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe | 85
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe"
  PID: 4876
  Signatures:
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    PID: 2040
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\_f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\_f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
    PID: 4516
    Signatures:
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.1MB
  MD5: 62801a105b878f7244c8eedf19a66989
  SHA1: b48acaf19a5f62954bd9390fca35b6bc03d1ea95
  SHA256: c6423b7ac12f9df76efd22f154047486f1139c7d5f7238808fb64611492484bc
  SHA512: 28b4e50c85f3a27cc179306d16d2aaecb3c215c83f351a3178b3e7425102247ce9a21a72e668df5be3106a407411b91aeb212a4637a4f00c3722a49b754a1447
- C:\Users\Admin\AppData\Local\Temp\_f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
  Filesize: 2.0MB
  MD5: 3aeb5f7fff1dcede788e3c9033b7f5df
  SHA1: 92ddd70accaa8d6bc37ba5b765fda5953ddacefa
  SHA256: 98dfc370715199ffa12307e6ea2bd1abdada4393ffe78b031c17df63bc781c37
  SHA512: b40e7dded52de68c80513793e85759449d0e4dd82d2c28b07004b006bc504f974469a27510166d9df84f697ceffe45768ca1a9365a49e29c46228a13545b15f9
- Filesize: 2.1MB
  MD5: 41c0ab9cd38d0717867d9383f0135210
  SHA1: e72eda7cd437bdf5917f6d159b85a67b103486fe
  SHA256: f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ce
  SHA512: 3d885d406de1fb84ed2c78c226909cc76b6aa073c9449dabb1a95b89a9b37d6ed0a6ff39495befa5f81462f01b113ca911c38c96d9c10c025a9a2b832e49afc8