Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/11/2024, 00:38
Static task: static1
Behavioral task: behavioral1
- Sample: f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
- Resource: win10v2004-20241007-en
General
- Target: f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
- Size: 2.1MB
- MD5: 41c0ab9cd38d0717867d9383f0135210
- SHA1: e72eda7cd437bdf5917f6d159b85a67b103486fe
- SHA256: f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ce
- SHA512: 3d885d406de1fb84ed2c78c226909cc76b6aa073c9449dabb1a95b89a9b37d6ed0a6ff39495befa5f81462f01b113ca911c38c96d9c10c025a9a2b832e49afc8
- SSDEEP: 49152:9mHMJuQ9mhkjgMj7SwYfy3V8VD01yPiI4cCd2ilpXHJT8mpaZQ6pFNuY1SNl9X6M:M1K9X5Iddq41Lxry
Malware Config
Signatures
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  pid   Process
  1444  sysx32.exe
  1188  _f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"
  Process: f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: sysx32.exe
  ioc (23 drive roots, in the order recorded): \??\R:, \??\S:, \??\Y:, \??\G:, \??\H:, \??\I:, \??\N:, \??\Q:, \??\A:, \??\L:, \??\M:, \??\P:, \??\K:, \??\O:, \??\T:, \??\Z:, \??\W:, \??\X:, \??\B:, \??\E:, \??\J:, \??\U:, \??\V:
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: sysx32.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 3456 wrote to memory of 1444  3456  f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe  86
  PID 3456 wrote to memory of 1444  3456  f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe  86
  PID 3456 wrote to memory of 1444  3456  f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe  86
  PID 3456 wrote to memory of 1188  3456  f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe  87
  PID 3456 wrote to memory of 1188  3456  f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe  87
Processes
- C:\Users\Admin\AppData\Local\Temp\f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3456
  - C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 1444
  - C:\Users\Admin\AppData\Local\Temp\_f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\_f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
    - Executes dropped EXE
    PID: 1188
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.1MB
  MD5: 62801a105b878f7244c8eedf19a66989
  SHA1: b48acaf19a5f62954bd9390fca35b6bc03d1ea95
  SHA256: c6423b7ac12f9df76efd22f154047486f1139c7d5f7238808fb64611492484bc
  SHA512: 28b4e50c85f3a27cc179306d16d2aaecb3c215c83f351a3178b3e7425102247ce9a21a72e668df5be3106a407411b91aeb212a4637a4f00c3722a49b754a1447
- C:\Users\Admin\AppData\Local\Temp\_f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ceN.exe
  Filesize: 2.0MB
  MD5: 3aeb5f7fff1dcede788e3c9033b7f5df
  SHA1: 92ddd70accaa8d6bc37ba5b765fda5953ddacefa
  SHA256: 98dfc370715199ffa12307e6ea2bd1abdada4393ffe78b031c17df63bc781c37
  SHA512: b40e7dded52de68c80513793e85759449d0e4dd82d2c28b07004b006bc504f974469a27510166d9df84f697ceffe45768ca1a9365a49e29c46228a13545b15f9
- Filesize: 2.1MB
  MD5: 41c0ab9cd38d0717867d9383f0135210
  SHA1: e72eda7cd437bdf5917f6d159b85a67b103486fe
  SHA256: f7694e6f87d6422546fe1dfb6a6d55f5346bf9c8c930a588667cfb1c5c5703ce
  SHA512: 3d885d406de1fb84ed2c78c226909cc76b6aa073c9449dabb1a95b89a9b37d6ed0a6ff39495befa5f81462f01b113ca911c38c96d9c10c025a9a2b832e49afc8