Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-11-2024 15:08
Static task: static1
Behavioral task: behavioral1
  Sample: ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe
  Resource: win10v2004-20241007-en
General
Target: ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe
Size: 4.2MB
MD5: d4dbae25b11afc78ef7a5993f1972e00
SHA1: b1fcf4f6fe112dd5069dad5b20957d8dc7fffb6a
SHA256: ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1
SHA512: a96eb11d1191d3132ec8b926ab074a18876043fcd7148527d9792eb181c80fa438dab4326839f88b7f106c385af5f2acaea44c679c8e85e1d441cc7fe58284de
SSDEEP: 49152:90zBwFbfscEmKev3KcYq1r7RISY4+jfC09VbGR0T1c0tkAxT66LV8kq160E:2B+o1c0tkStykq160E
Malware Config
Signatures
Renames multiple (316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE 2 IoCs
Processes:
  PID 2840  sysx32.exe
  PID 2244  _ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  sysx32.exe: File opened (read-only) \??\G:, \??\T:, \??\X:, \??\Y:, \??\U:, \??\B:, \??\J:, \??\K:, \??\N:, \??\O:, \??\Q:, \??\R:, \??\W:, \??\H:, \??\S:, \??\Z:, \??\A:, \??\E:, \??\I:, \??\L:, \??\M:, \??\P:, \??\V:
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  sysx32.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  description                        pid   Process                                                                   procid_target
  PID 4220 wrote to memory of 2840   4220  ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe  83
  PID 4220 wrote to memory of 2840   4220  ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe  83
  PID 4220 wrote to memory of 2840   4220  ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe  83
  PID 4220 wrote to memory of 2244   4220  ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe  84
  PID 4220 wrote to memory of 2244   4220  ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe  84
  PID 4220 wrote to memory of 2244   4220  ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe  84
Processes
C:\Users\Admin\AppData\Local\Temp\ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe"
  PID: 4220
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  +-- C:\Windows\SysWOW64\sysx32.exe
        command line: C:\Windows\system32\sysx32.exe /scan
        PID: 2840
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
  +-- C:\Users\Admin\AppData\Local\Temp\_ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe
        command line: C:\Users\Admin\AppData\Local\Temp\_ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe
        PID: 2244
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4.2MB
MD5: 9bd1cc36f10400c14630fbb9fcc62fd5
SHA1: 557d992a823b4b5cba1ce36277df5117e3e7b86b
SHA256: 004ebe79e253e251e3b1ec9ed1e5538db6aef598e0f11c785c76911b1809f5dd
SHA512: d52d6df7540f973abd9d0407f230de11fe0dadd323e574f6f8adc06e8e4402f52a636fbc253225709979fb5183310b18f7060e455767836f97f60b30d4ccdb79

C:\Users\Admin\AppData\Local\Temp\_ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1N.exe
Filesize: 4.2MB
MD5: 95e8ac8b3dd0f9a63957b1fb40d19ab7
SHA1: 96851d50d2e090fe535343dca6de0f8fb28b2019
SHA256: 791cd8217a36dc8b46a7712a5a51f8903f4f0c9bce35483e26e4427bb50539bf
SHA512: 5824164eb6e9ba6d35333f63e8a756fea9ec0c39cf54e876b5213dfa7aa10a2da2daf37720a70e0087aab2a0f0ab10c46364e314df2678ffd5c6528883d084bd

Filesize: 4.2MB
MD5: d4dbae25b11afc78ef7a5993f1972e00
SHA1: b1fcf4f6fe112dd5069dad5b20957d8dc7fffb6a
SHA256: ff6df985696e6c5aabc6fe2f141f7bbe06a4fc0d223974c8d134bc0dd68243b1
SHA512: a96eb11d1191d3132ec8b926ab074a18876043fcd7148527d9792eb181c80fa438dab4326839f88b7f106c385af5f2acaea44c679c8e85e1d441cc7fe58284de