Analysis
max time kernel: 110s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-11-2024 16:13
Static task: static1
Behavioral task: behavioral1
  Sample: a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
  Resource: win10v2004-20241007-en
General
Target: a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
Size: 9.5MB
MD5: 02461bcd9387cfb94a2ece08138b6110
SHA1: d1388114984c46dcdaa62b806f3216735bbb79a6
SHA256: a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebed
SHA512: ac7a44e63730fc51878a3efe4622b9ecb6021ec76bef65d62b33cecf355252d006421ae9f5ce78eaf91f9a443317f6de7f072843175349c82b3d0a0ae25c0b1c
SSDEEP: 196608:d5RNoZujZZFpEgBDOZRHNrZ0WwPYwKmFSNse257H5jMe/NAWgd/i7D4/mO4y/i2q:7oYOZzrJaSNsjMWgd/i7C/iHh4WxPf
Malware Config
Signatures
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | Process
  4656 | sysx32.exe
  1496 | _a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | Process
  File opened (read-only) | \??\V: | sysx32.exe
  File opened (read-only) | \??\E: | sysx32.exe
  File opened (read-only) | \??\I: | sysx32.exe
  File opened (read-only) | \??\S: | sysx32.exe
  File opened (read-only) | \??\T: | sysx32.exe
  File opened (read-only) | \??\Z: | sysx32.exe
  File opened (read-only) | \??\B: | sysx32.exe
  File opened (read-only) | \??\N: | sysx32.exe
  File opened (read-only) | \??\R: | sysx32.exe
  File opened (read-only) | \??\X: | sysx32.exe
  File opened (read-only) | \??\M: | sysx32.exe
  File opened (read-only) | \??\U: | sysx32.exe
  File opened (read-only) | \??\G: | sysx32.exe
  File opened (read-only) | \??\H: | sysx32.exe
  File opened (read-only) | \??\K: | sysx32.exe
  File opened (read-only) | \??\L: | sysx32.exe
  File opened (read-only) | \??\Q: | sysx32.exe
  File opened (read-only) | \??\W: | sysx32.exe
  File opened (read-only) | \??\Y: | sysx32.exe
  File opened (read-only) | \??\A: | sysx32.exe
  File opened (read-only) | \??\J: | sysx32.exe
  File opened (read-only) | \??\O: | sysx32.exe
  File opened (read-only) | \??\P: | sysx32.exe
- Drops file in System32 directory (64 IoCs)
  Processes:
  description | ioc | Process
  File created | C:\Windows\SysWOW64\ROUTE.EXE.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\shutdown.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\cmd.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\net1.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\perfmon.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\Robocopy.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\chkntfs.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\compact.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\SearchProtocolHost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\tracerpt.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\ARP.EXE.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\openfiles.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\RdpSa.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\wsmprovhost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\Com\MigRegDB.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\ddodiag.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\Dism.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\msra.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\OneDriveSetup.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\SearchIndexer.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\ieUnatt.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\setup16.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\TpmInit.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\winrshost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\appidtel.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\mavinject.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\IME\IMETC\IMTCLNWZ.EXE.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\notepad.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\recover.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\runas.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\TapiUnattend.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\tar.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\wbem\WinMgmt.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\cacls.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\GameBarPresenceWriter.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\grpconv.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\setx.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\dccw.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\setupugc.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\SystemPropertiesProtection.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\TpmInit.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\at.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\extrac32.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\notepad.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\RMActivate_isv.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\odbcconf.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\Com\MigRegDB.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\fixmapi.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\label.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\SystemPropertiesComputerName.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\cttune.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\mfpmp.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\SystemPropertiesComputerName.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\TsWpfWrp.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\TsWpfWrp.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\efsui.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\RpcPing.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\SystemPropertiesProtection.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\odbcconf.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\subst.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\ThumbnailExtractionHost.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\auditpol.exe.tmp | sysx32.exe
- Drops file in Program Files directory (64 IoCs)
  Processes:
  description | ioc | Process
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoev.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | sysx32.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.tmp | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE.tmp | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Windows Media Player\wmpconfig.exe | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | sysx32.exe
  File created | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | sysx32.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE.tmp | sysx32.exe
  File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | sysx32.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp | sysx32.exe
  File created | C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE.tmp | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe.tmp | sysx32.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe.tmp | sysx32.exe
  File created | C:\Program Files (x86)\Windows Media Player\wmpconfig.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe | sysx32.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp | sysx32.exe
  File created | C:\Program Files\Internet Explorer\ielowutil.exe.tmp | sysx32.exe
  File created | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.tmp | sysx32.exe
- Drops file in Windows directory (64 IoCs)
  Processes:
  description | ioc | Process
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-dns-client_31bf3856ad364e35_10.0.19041.1_none_97d38a6121b6e9e6\dnscacheugc.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\msinfo32.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..s-datausagehandlers_31bf3856ad364e35_10.0.19041.746_none_dbecc8a3cdc7c3cf\DataUsageLiveTileTask.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-wpd-shellextension_31bf3856ad364e35_10.0.19041.1_none_c719fa2e662738e0\WPDShextAutoplay.exe | sysx32.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\HvsiSettingsWorker.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-l..nstaller-comhandler_31bf3856ad364e35_10.0.19041.746_none_ff3f6c27e956149f\f\LanguageComponentsInstallerComHandler.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslconfig_31bf3856ad364e35_10.0.19041.117_none_7f3778d7035d9622\f\wslconfig.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1_none_61cd745a990bcfb3\msinfo32.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-security-browsercore_31bf3856ad364e35_10.0.19041.1151_none_cf9de3ecb3a8f61c\r\BrowserCore.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1288_none_3f2d1be96237886e\f\wsmprovhost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-runonce_31bf3856ad364e35_10.0.19041.1202_none_94cfabd8a89f0b96\r\runonce.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_3f7ee0a8ee28ef7d\f\netiougc.exe | sysx32.exe
  File created | C:\Windows\WinSxS\wow64_microsoft-windows-autofmt_31bf3856ad364e35_10.0.19041.1266_none_650ebab5a8c02ffc\f\autofmt.exe.tmp | sysx32.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\r\AppVStreamingUX.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\AppVNice.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..b-standardcollector_31bf3856ad364e35_10.0.19041.264_none_0f23d07ed2574292\r\DiagnosticsHub.StandardCollector.Service.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-international-unattend_31bf3856ad364e35_10.0.19041.906_none_9e3e509d4c4881e1\MuiUnattend.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.1_none_37ab35f7e4b21a45\PrintBrmEngine.exe | sysx32.exe
  File created | C:\Windows\WinSxS\x86_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.1_none_081f0e1c3ea3d07f\sxstrace.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_hyperv-vmsp_31bf3856ad364e35_10.0.19041.1_none_39d506065bd87607\vmsp.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..alenrollmentmanager_31bf3856ad364e35_10.0.19041.1202_none_1a780ff3456b7bcd\CredentialEnrollmentManager.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-lockapphost_31bf3856ad364e35_10.0.19041.746_none_d99fd60bc1fde773\f\LockAppHost.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.19041.1081_none_8f1e438c6737a711\r\wscadminui.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_vmconnect6.2_31bf3856ad364e35_10.0.19041.1_none_5c4aee22bbc45ef1\vmconnect6.2.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_5163f0069562aff6\powershell.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1_none_9613f8b833f2e8f1\ByteCodeGenerator.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-g..ation-wincomponents_31bf3856ad364e35_10.0.19041.746_none_79bfc5cb57157e98\f\WindowsActionDialog.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\f\iissetup.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-oobe-user-broker_31bf3856ad364e35_10.0.19041.746_none_61e0347e850155a8\f\UserOOBEBroker.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-disksnapshot_31bf3856ad364e35_10.0.19041.1081_none_f52da7b1195e2d45\DiskSnapshot.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\hvsirpcd.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..e-client-ui-wsreset_31bf3856ad364e35_10.0.19041.746_none_a47144c464d15475\f\WSReset.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\SysResetErr.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgusr.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\wow64_microsoft-windows-autochk_31bf3856ad364e35_10.0.19041.1266_none_610e6b21ab533b13\autochk.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-com-surrogate-core_31bf3856ad364e35_10.0.19041.546_none_1d38815769c81e5a\dllhost.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.264_none_4de8bd849baaa96f\f\WerFault.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-trustlet_31bf3856ad364e35_10.0.19041.423_none_c3eac275ecdf7e0a\r\NgcIso.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.264_none_8adc8bd8b75d383f\UNPUXHost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-update-usoclient_31bf3856ad364e35_10.0.19041.1266_none_23ae8c0349f1b325\r\UsoClient.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_10.0.19041.1_none_4bf3621a8ebe2ee3\vbc.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.264_none_8bd2f5fc0c992e06\f\SearchIndexer.exe | sysx32.exe
  File created | C:\Windows\WinSxS\x86_msbuild_b03f5f7f11d50a3a_10.0.19041.1_none_421bb61742382b2d\MSBuild.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.19041.964_none_a40a1f93665b43eb\r\SndVol.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_4b16fb7fab206eb1\r\printui.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_7a0308f7ffc334d5\resmon.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1081_none_5f557b607e14f541\r\ByteCodeGenerator.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\change.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.19041.746_none_bd9bc99304595128\f\ReAgentc.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\f\spoolsv.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-diskpart_31bf3856ad364e35_10.0.19041.964_none_510ebdd9292eed06\f\diskpart.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\MRINFO.EXE.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.264_none_1477a882bdce0df2\vmms.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\PerceptionSimulationService.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..client-ui-wscollect_31bf3856ad364e35_10.0.19041.746_none_e7acb2599054dc72\f\WSCollect.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..nsemanager-shellext_31bf3856ad364e35_10.0.19041.746_none_9043799a93dba365\f\LicenseManagerShellext.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_bf506ecc66a800df\TiWorker.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb_iscsicli.exe_20e14d4f.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\x86_netfx4-aspnet_wp_exe_b03f5f7f11d50a3a_4.0.15805.0_none_5643c883846b0513\aspnet_wp.exe | sysx32.exe
  File created | C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\f\sethc.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-eventcreate_31bf3856ad364e35_10.0.19041.1_none_8b53de27def16277\eventcreate.exe.tmp | sysx32.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysx32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid | Process
  1496 | _a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
  1496 | _a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 4164 wrote to memory of 4656 | 4164 | a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe | 83
  PID 4164 wrote to memory of 4656 | 4164 | a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe | 83
  PID 4164 wrote to memory of 4656 | 4164 | a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe | 83
  PID 4164 wrote to memory of 1496 | 4164 | a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe | 84
  PID 4164 wrote to memory of 1496 | 4164 | a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe"
  PID: 4164
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    PID: 4656
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
    PID: 1496
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9.5MB
  MD5: 7758cd67d501ac40ddf2c2e2b1131e6e
  SHA1: 8fca66ba5fcd94c9a660ea04caa21ac557d4e122
  SHA256: 8b2c8d7a94ce5b755fbcfb0029db1a502186658ae0544a6cd409d4ca1c3583b3
  SHA512: aba3070bbd090206c20d32f1417b5b93599c0a620538edeb8c0fce28198edc0aa249dc87b3a1b486ea372c7eb7621ed35131e8bfb8d05d445ab57c6db026c8f0
- C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
  Filesize: 9.5MB
  MD5: 7a98f5fca675a4b9253cbeb231a0adf9
  SHA1: e672cce31524e7f09362bdeff01deb2d59db3b94
  SHA256: 61fadf8ae797f69625014760b601949d52e876801aeefec0ea825cdb861f18ac
  SHA512: 920f268530850d0d97bcc0094ec439a3fc5e067a846bffe65a5dc2125b8c6aadf3c2c2d6c0bca671b60aaf5750f69073f756615a78c810e42e218feecd67748a
- Filesize: 9.5MB
  MD5: 02461bcd9387cfb94a2ece08138b6110
  SHA1: d1388114984c46dcdaa62b806f3216735bbb79a6
  SHA256: a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebed
  SHA512: ac7a44e63730fc51878a3efe4622b9ecb6021ec76bef65d62b33cecf355252d006421ae9f5ce78eaf91f9a443317f6de7f072843175349c82b3d0a0ae25c0b1c