Analysis
max time kernel: 108s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2024, 00:39
Static task: static1
Behavioral task: behavioral1
  Sample: dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
  Resource: win10v2004-20241007-en
General
Target: dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
Size: 4.9MB
MD5: 661d0561ddceaf9ae6edf8a50b6c26c0
SHA1: b1dd6be08f907050574f7102dfc83fd7223c0179
SHA256: dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290f
SHA512: c8b342af6e7180f99a0acf5c77a60a5b2d58c49c884dd929238797e27b79de8d9dece2d4444a7349f1e84ff036852a94f09608be24e80c0c56e80cc043719474
SSDEEP: 49152:9m/xFnOvtaWIDn0a2qnqYQVMkL+q/vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPAFIA:uaklJKvS0Hpe4zbpaAKQkroGIC
Malware Config
Signatures
Renames multiple (316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Read this heuristic against the file-drop signatures below: every listed target is an executable under SysWOW64, Program Files or WinSxS, and the added extension is ".tmp" on a file created beside the original. That pattern is shared with executable file infectors, and this report does not establish whether the originals are encrypted or overwritten; treat the ransomware label as a hypothesis until the modified executables are inspected.

Executes dropped EXE (2 IoCs)
pid | Process
556 | sysx32.exe
2156 | _dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
Note for hunting: the value data names C:\Windows\system32\sysx32.exe, but the process tree below shows the binary actually running from C:\Windows\SysWOW64\sysx32.exe and the key landing under WOW6432Node. Both are WOW64 redirection of a 32-bit process on 64-bit Windows, so check the 32-bit registry view and the SysWOW64 directory, not only the native ones.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | sysx32.exe
File opened (read-only) | \??\M: | sysx32.exe
File opened (read-only) | \??\S: | sysx32.exe
File opened (read-only) | \??\T: | sysx32.exe
File opened (read-only) | \??\P: | sysx32.exe
File opened (read-only) | \??\R: | sysx32.exe
File opened (read-only) | \??\U: | sysx32.exe
File opened (read-only) | \??\V: | sysx32.exe
File opened (read-only) | \??\H: | sysx32.exe
File opened (read-only) | \??\K: | sysx32.exe
File opened (read-only) | \??\N: | sysx32.exe
File opened (read-only) | \??\O: | sysx32.exe
File opened (read-only) | \??\W: | sysx32.exe
File opened (read-only) | \??\X: | sysx32.exe
File opened (read-only) | \??\B: | sysx32.exe
File opened (read-only) | \??\L: | sysx32.exe
File opened (read-only) | \??\Q: | sysx32.exe
File opened (read-only) | \??\Y: | sysx32.exe
File opened (read-only) | \??\Z: | sysx32.exe
File opened (read-only) | \??\A: | sysx32.exe
File opened (read-only) | \??\E: | sysx32.exe
File opened (read-only) | \??\I: | sysx32.exe
File opened (read-only) | \??\J: | sysx32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\compact.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\hh.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\mobsync.exe | sysx32.exe
File created | C:\Windows\SysWOW64\ndadmin.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\NETSTAT.EXE | sysx32.exe
File created | C:\Windows\SysWOW64\cleanmgr.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\isoburn.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\wecutil.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\fc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\esentutl.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\MRINFO.EXE.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\cmmon32.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\InputSwitchToastHandler.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\makecab.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\UserAccountControlSettings.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\WPDShextAutoplay.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\WPDShextAutoplay.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\wbem\mofcomp.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\bthudtask.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\reg.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\SettingSyncHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\setup16.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\winrshost.exe | sysx32.exe
File created | C:\Windows\SysWOW64\expand.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\wsmprovhost.exe | sysx32.exe
File created | C:\Windows\SysWOW64\rasphone.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\runas.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\wecutil.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\dccw.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\AtBroker.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\wevtutil.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\ARP.EXE.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\finger.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\RMActivate_isv.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\takeown.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\tracerpt.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\dllhst3g.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\LaunchTM.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\user.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\find.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\autofmt.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\fltMC.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\forfiles.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\mspaint.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\RMActivate_isv.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\autoconv.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\SndVol.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\msdt.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\SystemPropertiesRemote.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\chkdsk.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\RmClient.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\regedt32.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\recover.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\sc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\TCPSVCS.EXE | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\rasautou.exe | sysx32.exe
File created | C:\Windows\SysWOW64\ftp.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\UserAccountControlSettings.exe.tmp | sysx32.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp | sysx32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe | sysx32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe.tmp | sysx32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.tmp | sysx32.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp | sysx32.exe
File created | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | sysx32.exe
File created | C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\Office16\msotd.exe.tmp | sysx32.exe
File created | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp | sysx32.exe
File created | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe.tmp | sysx32.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp | sysx32.exe
File created | C:\Program Files\Windows Media Player\setup_wm.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe.tmp | sysx32.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | sysx32.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | sysx32.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | sysx32.exe
File created | C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\chrome_installer.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe | sysx32.exe
File created | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.tmp | sysx32.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..line-user-interface_31bf3856ad364e35_10.0.19041.1_none_92d880487c3589c8\cmdkey.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\f\scp.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_windows-application..egistrationverifier_31bf3856ad364e35_10.0.19041.746_none_64e9b1de23df7cf4\r\AppHostRegistrationVerifier.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.264_none_8bd2f5fc0c992e06\r\SearchFilterHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.19041.1023_none_6aeab5d4bd0371a8\setup16.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-a..cation-creduibroker_31bf3856ad364e35_10.0.19041.746_none_4c95cf26b3aa5907\f\CredentialUIBroker.exe | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..vercommandlinetools_31bf3856ad364e35_10.0.19041.1_none_70349c6644208282\flattemp.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1_none_b0493212512a7f1a\ntprint.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-runonce_31bf3856ad364e35_10.0.19041.1202_none_94cfabd8a89f0b96\runonce.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-tasklist_31bf3856ad364e35_10.0.19041.1_none_e888ea072e0fed05\tasklist.exe | sysx32.exe
File created | C:\Windows\WinSxS\x86_microsoft-windows-isoburn_31bf3856ad364e35_10.0.19041.746_none_680d56683fad152b\f\isoburn.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.19041.1288_none_d616f4b76bd7b8a2\f\ApplyTrustOffline.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-autochkconfigurator_31bf3856ad364e35_10.0.19041.1_none_ceb3891c2721fc43\chkntfs.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.746_none_770f598aef14382e\r\dfrgui.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\f\provtool.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.153_none_59d1094dec9b8480\Spectrum.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\f\InputApp\TextInputHost.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_serviceinitiatedhealing-client_31bf3856ad364e35_10.0.19041.1288_none_91a5fb477b6af5a0\r\SIHClient.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.19041.1202_none_dfaaff89afe4f3d4_vdsldr.exe_20c491b3.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1_none_a068a30a6853aaec\ByteCodeGenerator.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_908b22903a403149\f\ndadmin.exe | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\r\svchost.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\TpmTool.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\wowreg32.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\Backup\amd64_windows-defender-nis-service_31bf3856ad364e35_10.0.19041.1_none_d3e3ad84b24cfdfe_nissrv.exe_f967cd63 | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_10.0.19041.928_none_6a67731cf3e151f2\pcaui.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-d..-externaldictionary_31bf3856ad364e35_10.0.19041.1_none_fce141858c5d7f03\IMEWDBLD.EXE | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_10.0.19041.1202_none_ddf8c4144200f5b4\f\winresume.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\r\MicrosoftEdge.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\r\provtool.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\ScreenClipping\ScreenClippingHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_2e31e8eed4b770c3\WmiApSrv.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1_none_b817dbd29134ec4d\GameBarPresenceWriter.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-b..ment-windows-minwin_31bf3856ad364e35_10.0.19041.1266_none_c4b179e0b12fe4b9\winload.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.84_none_9b0dd648f2c31f16\r\dfrgui.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\f\sethc.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\audit.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.1_none_36e57bfcb85e0850\SpatialAudioLicenseSrv.exe | sysx32.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..-management-console_31bf3856ad364e35_10.0.19041.1_none_c564589414ffc535\mmc.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-rpc-locator_31bf3856ad364e35_10.0.19041.1_none_8525a0b08bf57bbb\Locator.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\CustomShellHost.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\r\sihost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.1_none_c3249fe181844dfb\MsSpellCheckingHost.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-infdefaultinstall_31bf3856ad364e35_10.0.19041.1_none_2cda3b956fcdb26f\InfDefaultInstall.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.84_none_a689f818199cbaf8\f\Taskmgr.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.19041.1288_none_d616f4b76bd7b8a2\r\CustomInstallExec.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.19041.153_none_ff44cfa7cb529ce3\f\lpremove.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_caspol_b03f5f7f11d50a3a_4.0.15805.0_none_f0aa60ae9c531752\CasPol.exe | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_3d62a57d3b12dcf1\subst.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-onecore-u..iedwritefilter-mgmt_31bf3856ad364e35_10.0.19041.1266_none_41843efc8f66bc7c\f\uwfmgr.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-blb-engine-main_31bf3856ad364e35_10.0.19041.746_none_c1db40c45e8f2d9e\f\wbengine.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_5536c5683efe1dad\r\CameraSettingsUIHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-wusa_31bf3856ad364e35_10.0.19041.1151_none_2c2550df02273de3\wusa.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\x86_netfx-cvtres_for_vc_and_vb_b03f5f7f11d50a3a_10.0.19041.1_none_a6a8b89bc50eae31\cvtres.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-onecore-u..iedwritefilter-mgmt_31bf3856ad364e35_10.0.19041.1_none_82af78fa7992ecce\uwfmgr.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-certutil_31bf3856ad364e35_10.0.19041.746_none_937e52b9922bd791\certutil.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.1266_none_07a5d18b92d8b668\cmdiag.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1266_none_119b1e415d838a28\autoconv.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-d..-certificateinstall_31bf3856ad364e35_10.0.19041.1151_none_ae854961a06058b2\dmcertinst.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-diskpart_31bf3856ad364e35_10.0.19041.964_none_46ba1386f4ce2b0b\f\diskpart.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxmain_31bf3856ad364e35_10.0.19041.1023_none_374973298940e35c\FilePicker.exe.tmp | sysx32.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysx32.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1500 wrote to memory of 556 | 1500 | dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe | 85
PID 1500 wrote to memory of 556 | 1500 | dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe | 85
PID 1500 wrote to memory of 556 | 1500 | dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe | 85
PID 1500 wrote to memory of 2156 | 1500 | dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe | 87
PID 1500 wrote to memory of 2156 | 1500 | dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe | 87
PID 1500 wrote to memory of 2156 | 1500 | dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe | 87
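The signature tables above arrive as one flattened line per signature, which is awkward to feed into hunting tooling. The following Python is an added example written for this page, not output of the sandbox or code from the sample: it splits one such line into (action, ioc, process) records and derives three things a responder wants from them, the executable-plus-".tmp" pairs left beside each target, the Run-key persistence entry with its doubled backslashes undone, and a count of touched files per directory. SAMPLE_TEXT is a constructed excerpt of entries copied from this report; the parser assumes the "<action> <path> <process>" layout shown on this page and that the process column always ends in lower-case ".exe".

```python
"""Turn flattened sandbox signature entries into structured hunting indicators.

Added example for this report; not part of the sandbox output. The entry
layout assumed here is the one shown on this page: "<action> <ioc> <process>"
repeated on one line, with <action> one of the ACTIONS phrases and <process>
a token ending in lower-case ".exe" (paths in the ioc column may end in
".EXE", which is why the match is case-sensitive).
"""
import re
from collections import Counter

ACTIONS = (
    "File opened for modification",
    "File opened (read-only)",
    "File created",
    "Set value (str)",
    "Key opened",
)
_ALT = "|".join(re.escape(a) for a in ACTIONS)
# ioc is matched lazily and must be followed by the process token and then
# either the next action phrase or the end of the line, so a path containing
# spaces ("C:\Program Files\...") is not cut short.
ENTRY_RE = re.compile(
    rf"(?P<action>{_ALT})\s+(?P<ioc>.+?)\s+(?P<process>\S+\.exe)"
    rf"(?=\s+(?:{_ALT})|\s*$)"
)

# Constructed excerpt: entries copied from the "Drops file in System32
# directory", "Drops file in Program Files directory" and "Adds Run key"
# signatures above, flattened exactly as the page shows them.
SAMPLE_TEXT = (
    "File opened for modification C:\\Windows\\SysWOW64\\compact.exe.tmp sysx32.exe "
    "File created C:\\Windows\\SysWOW64\\ndadmin.exe.tmp sysx32.exe "
    "File opened for modification C:\\Windows\\SysWOW64\\WPDShextAutoplay.exe.tmp sysx32.exe "
    "File opened for modification C:\\Windows\\SysWOW64\\WPDShextAutoplay.exe sysx32.exe "
    "File opened for modification C:\\Windows\\SysWOW64\\RMActivate_isv.exe sysx32.exe "
    "File created C:\\Windows\\SysWOW64\\RMActivate_isv.exe.tmp sysx32.exe "
    "File opened for modification C:\\Program Files\\Internet Explorer\\ExtExport.exe sysx32.exe "
    "File opened for modification C:\\Program Files\\Internet Explorer\\ExtExport.exe.tmp sysx32.exe "
    "Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows"
    "\\CurrentVersion\\Run\\sys32 = \"C:\\\\Windows\\\\system32\\\\sysx32.exe\" "
    "dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe -"
)


def parse_entries(text):
    """Split one flattened signature line into (action, ioc, process) tuples."""
    text = text.strip().rstrip("-").strip()  # the page closes each block with " -"
    return [(m["action"], m["ioc"], m["process"]) for m in ENTRY_RE.finditer(text)]


def tmp_siblings(records):
    """Paths P for which both P and P + '.tmp' appear among the file IoCs.

    That pair is the per-target footprint this sample leaves: the original
    executable is opened for modification and a '.tmp' is written beside it.
    """
    files = {ioc for action, ioc, _ in records if action.startswith("File")}
    return sorted(p for p in files if p + ".tmp" in files)


def run_keys(records):
    """Return (registry value path, target executable) for Run-key writes.

    The page prints the value data JSON-style with doubled backslashes and
    surrounding quotes; both are undone so the path can be looked up directly.
    """
    out = []
    for action, ioc, _ in records:
        if action == "Set value (str)" and "\\CurrentVersion\\Run\\" in ioc:
            key, _, data = ioc.partition(" = ")
            out.append((key, data.strip('"').replace("\\\\", "\\")))
    return out


def top_level_dirs(records):
    """Count file IoCs per first two path levels, e.g. C:\\Windows\\SysWOW64."""
    counts = Counter()
    for action, ioc, _ in records:
        if action.startswith("File") and ioc[1:3] == ":\\":
            counts["\\".join(ioc.split("\\")[:3])] += 1
    return counts


def analyse(text):
    """One-call summary of a flattened signature line."""
    recs = parse_entries(text)
    return {
        "entries": len(recs),
        "processes": sorted({p for _, _, p in recs}),
        "tmp_siblings": tmp_siblings(recs),
        "run_keys": run_keys(recs),
        "dirs": top_level_dirs(recs),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_TEXT).items():
        print(f"{key}: {value}")
```

Feeding the full "Drops file ..." lines from this report through parse_entries gives the complete target list; the tmp_siblings output is the set of executables to pull from a suspect host for comparison against known-good copies, and run_keys yields the exact value to check (under the WOW6432Node view, as the page records it).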
Processes
C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe (PID 1500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  +-- C:\Windows\SysWOW64\sysx32.exe (PID 556)
      Command line: C:\Windows\system32\sysx32.exe /scan
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
  +-- C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe (PID 2156)
      Command line: C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path listed on this page)
  Filesize: 4.9MB
  MD5: faf1118ab8493df7829c59f7ef8ba26a
  SHA1: be7437a5650ff6628aa4aaa872afd8499db3c652
  SHA256: 5c3b146c18b16b4a8db02453e04b455be394681cf9870e97e2fa253482c7cf2e
  SHA512: e124b0f46101882a40b475280d2e0152c6b861a43d0b8377e4adc15c96e73ee04b4a09faf3f23087c0d11c653441e6d42022c0c2a92f75a26389233f4185516e
C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
  Filesize: 4.9MB
  MD5: 84aa72f040ae8f9e022bc1e9f7239d68
  SHA1: 316a576cacc2cf63e8c698dcd5ee66be0b88643d
  SHA256: 6faacf875bf79d89a97296dba832a12eedfb44dde44d8119e3e212a8afa7d5b7
  SHA512: 4314af0eb37069c7c61ca57f8fe5bedf61524e6fed2a4d3b40b63c8abb1dff12ea00cda864c31106b8af34863d379f8428e3e7942b3edb7b58e325c15bc58e71
(no path listed on this page; these digests match the submitted sample under General)
  Filesize: 4.9MB
  MD5: 661d0561ddceaf9ae6edf8a50b6c26c0
  SHA1: b1dd6be08f907050574f7102dfc83fd7223c0179
  SHA256: dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290f
  SHA512: c8b342af6e7180f99a0acf5c77a60a5b2d58c49c884dd929238797e27b79de8d9dece2d4444a7349f1e84ff036852a94f09608be24e80c0c56e80cc043719474
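The three artefacts above are all 4.9MB yet carry three different hash sets, so a blocklist built from the submitted sample's digests alone would not match the dropped "_dbdd…N.exe" copy. The following Python is an added example for this page, not sandbox output or code from the sample: it validates the report's hash sets before they go into a blocklist (length, hex, accidental duplicates), hashes files in chunks with all four algorithms in one pass, and walks a directory tree reporting any file whose digest is in the set. The digests are copied from the Downloads section; the directory, file names and contents used in demo() are constructed stand-ins, not the real artefacts.

```python
"""Hash-set triage against the digests listed under "Downloads".

Added example for this report, not sandbox output. Digest values are copied
from the page; everything written to disk by demo() is constructed.
"""
import hashlib
import io
import os
import tempfile

ALGS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Copied from the Downloads section: the submitted sample, the unnamed 4.9MB
# artefact, and the dropped _dbdd...N.exe copy, in the order listed above.
REPORT_HASHES = [
    {"md5": "661d0561ddceaf9ae6edf8a50b6c26c0",
     "sha1": "b1dd6be08f907050574f7102dfc83fd7223c0179",
     "sha256": "dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290f",
     "sha512": "c8b342af6e7180f99a0acf5c77a60a5b2d58c49c884dd929238797e27b79de8d"
               "9dece2d4444a7349f1e84ff036852a94f09608be24e80c0c56e80cc043719474"},
    {"md5": "faf1118ab8493df7829c59f7ef8ba26a",
     "sha1": "be7437a5650ff6628aa4aaa872afd8499db3c652",
     "sha256": "5c3b146c18b16b4a8db02453e04b455be394681cf9870e97e2fa253482c7cf2e",
     "sha512": "e124b0f46101882a40b475280d2e0152c6b861a43d0b8377e4adc15c96e73ee0"
               "4b4a09faf3f23087c0d11c653441e6d42022c0c2a92f75a26389233f4185516e"},
    {"md5": "84aa72f040ae8f9e022bc1e9f7239d68",
     "sha1": "316a576cacc2cf63e8c698dcd5ee66be0b88643d",
     "sha256": "6faacf875bf79d89a97296dba832a12eedfb44dde44d8119e3e212a8afa7d5b7",
     "sha512": "4314af0eb37069c7c61ca57f8fe5bedf61524e6fed2a4d3b40b63c8abb1dff12"
               "ea00cda864c31106b8af34863d379f8428e3e7942b3edb7b58e325c15bc58e71"},
]


def validate_hash_sets(entries):
    """Return a list of problems (empty when clean): wrong length, non-hex
    characters, or one digest repeated across two entries (a paste slip)."""
    problems, seen = [], {}
    for i, entry in enumerate(entries):
        for alg in ALGS:
            h = entry.get(alg, "").lower()
            if len(h) != HEX_LEN[alg] or any(c not in "0123456789abcdef" for c in h):
                problems.append(f"entry {i}: bad {alg} {h!r}")
            elif h in seen and seen[h] != i:
                problems.append(f"entry {i}: {alg} duplicates entry {seen[h]}")
            seen.setdefault(h, i)
    return problems


def known_set(entries):
    """Flatten validated entries into one lower-case lookup set."""
    return frozenset(entry[alg].lower() for entry in entries for alg in ALGS)


def digest_stream(fobj, chunk_size=1 << 20):
    """All four digests in a single pass; chunked so 4.9MB files are not slurped."""
    hashers = {alg: hashlib.new(alg) for alg in ALGS}
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def digest_file(path, chunk_size=1 << 20):
    with open(path, "rb") as f:
        return digest_stream(f, chunk_size)


def matches(digests, known):
    """Names of the algorithms whose digest is in the known set."""
    return [alg for alg in ALGS if digests[alg].lower() in known]


def scan_tree(root, known):
    """Walk root and return (path, sha256, matched algorithms) for every hit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                d = digest_file(path, chunk_size=4096)  # small chunks: exercises the loop
            except OSError:
                continue  # locked or vanished file: skip rather than abort the sweep
            hit = matches(d, known)
            if hit:
                hits.append((path, d["sha256"], hit))
    return sorted(hits)


def demo():
    """Constructed scenario: a temp tree with a stand-in 'sysx32.exe' whose
    digests are added to the report's set, plus a benign file that is not."""
    known = known_set(REPORT_HASHES)
    with tempfile.TemporaryDirectory() as root:
        stand_in = os.path.join(root, "SysWOW64", "sysx32.exe")
        os.makedirs(os.path.dirname(stand_in))
        with open(stand_in, "wb") as f:
            f.write(b"constructed stand-in, not the real sample\n" * 4096)
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        known = known | frozenset(digest_file(stand_in).values())
        return [(os.path.basename(p), hit) for p, _, hit in scan_tree(root, known)]


if __name__ == "__main__":
    print("hash-set problems:", validate_hash_sets(REPORT_HASHES) or "none")
    print("hits:", demo())
```

Note that matches() checks every algorithm it has, so a feed that carries only MD5 for some entries still produces a hit, and that the set built from REPORT_HASHES[:1] (the submitted sample) does not match the dropped copy's digests, which is the point of ingesting all three entries.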