Analysis
- max time kernel: 110s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-11-2024 17:49
Static task: static1
Behavioral task: behavioral1
- Sample: f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
- Resource: win10v2004-20241007-en
General
- Target: f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
- Size: 9.5MB
- MD5: 5495d6fe74494d0e2e785b1ac2eb54a4
- SHA1: 2e662a737fce0e6f7ecfacc2ea125606f3668773
- SHA256: f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576
- SHA512: cb00137fe655447522e490450de014bb189c4d6caafdce9f6ba4087e31650bbd5dc50f5fb848c58f94583b7acb00cb9f63a15c6b1515246667532e3361a63063
- SSDEEP: 196608:d5RNoZujZZFpEgBDOZRHNrZ0WwPYwKmFSNse257H5jMe/NAWgd/i7D4/mO4y/i2K:7oYOZzrJaSNsjMWgd/i7C/iHh4WxPv
Malware Config
Signatures
- Renames multiple (317) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | Process
  3804 | sysx32.exe
  2920 | _f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysx32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid | Process
  2920 | _f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
  2920 | _f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 3884 wrote to memory of 3804 | 3884 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 84
  PID 3884 wrote to memory of 3804 | 3884 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 84
  PID 3884 wrote to memory of 3804 | 3884 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 84
  PID 3884 wrote to memory of 2920 | 3884 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 86
  PID 3884 wrote to memory of 2920 | 3884 | f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe"
  PID: 3884
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    PID: 3804
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\_f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\_f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
    PID: 2920
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9.5MB
  MD5: 22fd804c58602274862ac19b21a0820c
  SHA1: 428c23de561aec9591a997cab17e7e51bf2233ce
  SHA256: ce0a861d10d97aca7e00973408b00d828bfe67e2d42c9fa6f6d33108409a7b97
  SHA512: c8bd5ceb6be593801a6463ed09e811de8e06019981d80c989c5dae826438bcc1a264ddf4c5c0db97a201ec4addddfd5483a0561427ebbdd75e0e1d803e86cb14
- C:\Users\Admin\AppData\Local\Temp\_f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576.exe
  Filesize: 9.5MB
  MD5: d0dceb3283fb65eafc82cacc6c36566e
  SHA1: 20c4635d178b0442b1e0d4f9a10d3bd44295a613
  SHA256: 483de379e69dc4b5e0bce31c15725dad13e51358a7b760002c8328e81c90bb31
  SHA512: dde9ccbf277dd57554f7742f4a516e52415738cc03f777529c6bcd7f7585b234915f739b87646aaf831aa9c23f1f8b0d7698bacffb44d3158d279d5b81696a19
- Filesize: 9.5MB
  MD5: 5495d6fe74494d0e2e785b1ac2eb54a4
  SHA1: 2e662a737fce0e6f7ecfacc2ea125606f3668773
  SHA256: f7ba5d423be3334d82dbbc81752e7ee3ef0a08dad1d12bdbca0734805181c576
  SHA512: cb00137fe655447522e490450de014bb189c4d6caafdce9f6ba4087e31650bbd5dc50f5fb848c58f94583b7acb00cb9f63a15c6b1515246667532e3361a63063