Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-11-2024 00:53
Static task: static1
Behavioral task: behavioral1
  Sample: a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe
  Resource: win10v2004-20241007-en
General
Target: a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe
Size: 7.1MB
MD5: 6874862093d4753f6d0ecd513d83f046
SHA1: 708f93e3cfb8d5b299eb79dfdbd0a877397b48e3
SHA256: a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005
SHA512: 308aaa124d81d4de393f7acc50e0c44a623346a9940b13a0625e566ae244e6dcd0c5812ee823665458323aed73b78cec139346910edf911111ff351660bae695
SSDEEP: 49152:9YK0DZT88fnSgRWpAIRrRLzZiNo7IcyO82MzufjWJA6ongaHLvKLA8VgbKW2llxh:mKETOrRn+os45gaHrhdw3D7nTsR
Malware Config
Signatures
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  Processes: sysx32.exe, _a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe
    PID   Process
    2840  sysx32.exe
    3504  _a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" (a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe)
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: sysx32.exe
    File opened (read-only) by sysx32.exe, in the order recorded: \??\N:, \??\O:, \??\R:, \??\S:, \??\Y:, \??\J:, \??\M:, \??\T:, \??\X:, \??\E:, \??\H:, \??\I:, \??\K:, \??\L:, \??\P:, \??\U:, \??\V:, \??\G:, \??\B:, \??\Q:, \??\W:, \??\Z:, \??\A:
- Drops file in System32 directory (64 IoCs)
  Processes: sysx32.exe (every entry below is by sysx32.exe)
    File created: C:\Windows\SysWOW64\extrac32.exe.tmp
    File created: C:\Windows\SysWOW64\makecab.exe.tmp
    File created: C:\Windows\SysWOW64\ThumbnailExtractionHost.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\certreq.exe
    File opened for modification: C:\Windows\SysWOW64\cmdkey.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\lodctr.exe
    File created: C:\Windows\SysWOW64\netbtugc.exe.tmp
    File created: C:\Windows\SysWOW64\RmClient.exe.tmp
    File created: C:\Windows\SysWOW64\rasdial.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\rasdial.exe.tmp
    File created: C:\Windows\SysWOW64\WPDShextAutoplay.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\wsmprovhost.exe
    File created: C:\Windows\SysWOW64\upnpcont.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\autofmt.exe
    File opened for modification: C:\Windows\SysWOW64\BackgroundTransferHost.exe.tmp
    File created: C:\Windows\SysWOW64\dllhost.exe.tmp
    File created: C:\Windows\SysWOW64\isoburn.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\chkdsk.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\ntprint.exe
    File created: C:\Windows\SysWOW64\RMActivate_isv.exe.tmp
    File created: C:\Windows\SysWOW64\rrinstaller.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\RMActivate.exe
    File opened for modification: C:\Windows\SysWOW64\RMActivate_isv.exe
    File created: C:\Windows\SysWOW64\secinit.exe.tmp
    File created: C:\Windows\SysWOW64\CertEnrollCtrl.exe.tmp
    File created: C:\Windows\SysWOW64\cttunesvr.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\Dism.exe.tmp
    File created: C:\Windows\SysWOW64\fltMC.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\logagent.exe
    File created: C:\Windows\SysWOW64\SystemPropertiesHardware.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\SystemPropertiesProtection.exe
    File opened for modification: C:\Windows\SysWOW64\ctfmon.exe.tmp
    File created: C:\Windows\SysWOW64\HOSTNAME.EXE.tmp
    File opened for modification: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\SettingSyncHost.exe
    File opened for modification: C:\Windows\SysWOW64\shutdown.exe
    File opened for modification: C:\Windows\SysWOW64\chkntfs.exe
    File opened for modification: C:\Windows\SysWOW64\fc.exe
    File created: C:\Windows\SysWOW64\perfmon.exe.tmp
    File created: C:\Windows\SysWOW64\TokenBrokerCookies.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\winrs.exe
    File opened for modification: C:\Windows\SysWOW64\replace.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\where.exe
    File created: C:\Windows\SysWOW64\xwizard.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\HOSTNAME.EXE.tmp
    File created: C:\Windows\SysWOW64\msra.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\rundll32.exe
    File opened for modification: C:\Windows\SysWOW64\wextract.exe
    File opened for modification: C:\Windows\SysWOW64\WWAHost.exe
    File opened for modification: C:\Windows\SysWOW64\msinfo32.exe.tmp
    File created: C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\CameraSettingsUIHost.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\chkdsk.exe
    File opened for modification: C:\Windows\SysWOW64\choice.exe
    File opened for modification: C:\Windows\SysWOW64\forfiles.exe
    File created: C:\Windows\SysWOW64\lodctr.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\InstallShield\setup.exe
    File created: C:\Windows\SysWOW64\driverquery.exe.tmp
    File created: C:\Windows\SysWOW64\PickerHost.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\rasautou.exe.tmp
    File opened for modification: C:\Windows\SysWOW64\rdrleakdiag.exe
    File opened for modification: C:\Windows\SysWOW64\sxstrace.exe
    File opened for modification: C:\Windows\SysWOW64\bthudtask.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: sysx32.exe (every entry below is by sysx32.exe)
    File created: C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.tmp
    File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE
    File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.tmp
    File created: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe.tmp
    File opened for modification: C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe.tmp
    File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp
    File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe
    File created: C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE.tmp
    File created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe.tmp
    File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe.tmp
    File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe
    File created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe.tmp
    File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe
    File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe.tmp
    File created: C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp
    File opened for modification: C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.tmp
    File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
    File opened for modification: C:\Program Files\Java\jdk-1.8\bin\schemagen.exe
    File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe.tmp
    File opened for modification: C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp
    File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp
    File opened for modification: C:\Program Files (x86)\Windows Media Player\wmpshare.exe.tmp
    File opened for modification: C:\Program Files\Windows Mail\wab.exe.tmp
    File created: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe.tmp
    File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    File opened for modification: C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
    File opened for modification: C:\Program Files\Java\jdk-1.8\bin\ktab.exe
    File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe
    File opened for modification: C:\Program Files (x86)\Windows Media Player\wmprph.exe
    File opened for modification: C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
    File created: C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp
    File created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe.tmp
    File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe
    File created: C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.tmp
    File created: C:\Program Files\Microsoft Office\root\Office16\misc.exe.tmp
    File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE
    File created: C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE.tmp
    File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe.tmp
    File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp
    File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp
    File created: C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp
    File created: C:\Program Files\Windows Media Player\wmprph.exe.tmp
    File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe
    File created: C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp
    File opened for modification: C:\Program Files\Windows Media Player\wmlaunch.exe.tmp
    File created: C:\Program Files (x86)\Windows Mail\wab.exe.tmp
    File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp
    File created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.tmp
    File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe
    File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe.tmp
    File opened for modification: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    File created: C:\Program Files\Java\jre-1.8\bin\java.exe.tmp
    File created: C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp
    File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe.tmp
    File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp
    File opened for modification: C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp
    File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe.tmp
    File created: C:\Program Files\Java\jdk-1.8\bin\servertool.exe.tmp
    File opened for modification: C:\Program Files\VideoLAN\VLC\uninstall.exe.tmp
    File opened for modification: C:\Program Files\Windows Media Player\wmlaunch.exe
    File opened for modification: C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.tmp
    File created: C:\Program Files\Internet Explorer\ielowutil.exe.tmp
    File opened for modification: C:\Program Files\Java\jdk-1.8\bin\javac.exe
- Drops file in Windows directory (64 IoCs)
  Processes: sysx32.exe (every entry below is by sysx32.exe)
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.19041.1202_none_d081f9868ac0a804\f\Microsoft.AAD.BrokerPlugin.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_netfx-vb_compiler_b03f5f7f11d50a3a_10.0.19041.1_none_b92a768e22c5262b\vbc.exe.tmp
    File opened for modification: C:\Windows\WinSxS\msil_multipoint-wmsdashboard_31bf3856ad364e35_10.0.19041.1_none_061d84508b376f80\WmsDashboard.exe
    File created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-a..cation-creduibroker_31bf3856ad364e35_10.0.19041.746_none_a8b46aaa6c07ca3d\f\CredentialUIBroker.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_10.0.19041.1266_none_8fc08423f52c1606\wmlaunch.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\newdev.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\f\taskhostw.exe
    File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-cloudnotifications_31bf3856ad364e35_10.0.19041.746_none_7a559100246cff2b\f\CloudNotifications.exe.tmp
    File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-rundll32_31bf3856ad364e35_10.0.19041.746_none_c05346ae3e1a99a4\rundll32.exe.tmp
    File created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-b..nfrastructurebghost_31bf3856ad364e35_10.0.19041.546_none_4eec2752c7ea16f8\r\backgroundTaskHost.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_10.0.19041.746_none_251e769058968366\r\Dxpserver.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.264_none_4de8bd849baaa96f\r\WerFault.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3\f\fontdrvhost.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-lua_31bf3856ad364e35_10.0.19041.746_none_8443a7febb9ab03d\f\consent.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\r\ScriptRunner.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-certificaterequesttool_31bf3856ad364e35_10.0.19041.928_none_4621828876257e43\certreq.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.19041.1_none_9a8a77811e17322b\LsaIso.exe
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\r\taskhostw.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_10.0.19041.546_none_ee5c058bea34543e\WmiPrvSE.exe.tmp
    File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\r\AppVShNotify.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_10.0.19041.153_none_b4f0bd83cfc7701e\r\AxInstUI.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-security-webauth_31bf3856ad364e35_10.0.19041.746_none_099c40ad55bc5d6c\f\AuthHost.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\diskperf.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.19041.1_none_aa1fc2e87b362d12\regedt32.exe
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-wordpad_31bf3856ad364e35_10.0.19041.1202_none_a27aa61d221bdc5c\f\wordpad.exe
    File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.264_none_4b25f9be389a3a63\agentactivationruntimestarter.exe
    File created: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-d..management-omadmprc_31bf3856ad364e35_10.0.19041.844_none_93c03ca99a47dc8f\omadmprc.exe
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\r\UIMgrBroker.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.264_none_5481650943811810\audiodg.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.746_none_56f2f7338735a9a6\f\WFS.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1_none_84e58cd924a91c8f\wiaacmgr.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-analog-facefodhandler_31bf3856ad364e35_10.0.19041.1266_none_1f1ff89fbf279f16\f\FaceFodUninstaller.exe
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\r\sysprep.exe.tmp
    File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_49716c2392052aca\tracerpt.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-s..msettings-datamodel_31bf3856ad364e35_10.0.19041.264_none_c813a1965bacf6d2\SystemSettingsBroker.exe.tmp
    File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-openwith_31bf3856ad364e35_10.0.19041.1_none_2d66868246722e10\OpenWith.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.1266_none_07a5d18b92d8b668\cmproxyd.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-d..management-omadmprc_31bf3856ad364e35_10.0.19041.844_none_93c03ca99a47dc8f\f\omadmprc.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\reset.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\f\ssh-keygen.exe
    File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-pickerhost_31bf3856ad364e35_10.0.19041.1023_none_2cd9cc4237e09b91\f\PickerHost.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-a..lity-eoaexperiences_31bf3856ad364e35_10.0.19041.746_none_c291aefd01a5d6d6\f\EoAExperiences.exe
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.1266_none_eb6597ac99d11603\f\SpatialAudioLicenseSrv.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-apprep-chxapp.appxmain_31bf3856ad364e35_10.0.19041.423_none_15f557c171018574\f\CHXSmartScreen.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\f\BackgroundTransferHost.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-a..lity-eoaexperiences_31bf3856ad364e35_10.0.19041.153_none_c283d2cf01b0b7d8\r\EoAExperiences.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1288_none_71734bf99a2a6955\r\ApplySettingsTemplateCatalog.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\f\hvsirpcd.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1237_none_7578510aa0f564fa\r\vfpctrl.exe
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.264_none_9b436d497f039d6d\smartscreen.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpshell.exe.tmp
    File created: C:\Windows\WinSxS\amd64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_9fd3a313935e2396\upnpcont.exe.tmp
    File created: C:\Windows\WinSxS\wow64_microsoft-windows-cloudnotifications_31bf3856ad364e35_10.0.19041.746_none_7a559100246cff2b\r\CloudNotifications.exe.tmp
    File opened for modification: C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\n\CExecSvc.exe
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-a..cation-creduibroker_31bf3856ad364e35_10.0.19041.746_none_a8b46aaa6c07ca3d\r\CredentialUIBroker.exe
    File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-e..ortingcompatibility_31bf3856ad364e35_10.0.19041.1081_none_7dd23580df04442f\r\DWWIN.EXE
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-devicesetupmanagerapi_31bf3856ad364e35_10.0.19041.746_none_55af03e86cb19d55\DsmUserTask.exe
    File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-ecapp.appxmain_31bf3856ad364e35_10.0.19041.1_none_b30156e32b833fb0\Microsoft.ECApp.exe.tmp
    File created: C:\Windows\WinSxS\wow64_microsoft-windows-d..tofservice-oposhost_31bf3856ad364e35_10.0.19041.1_none_3d1291badd9e7f22\OposHost.exe.tmp
    File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-r..sistance-dcomserver_31bf3856ad364e35_10.0.19041.1110_none_af1474f55f209109\f\raserver.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: sysx32.exe, _a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe, a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sysx32.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (_a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe
    Description                        PID   Process                                                                  procid_target
    PID 4720 wrote to memory of 2840   4720  a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe   82
    PID 4720 wrote to memory of 2840   4720  a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe   82
    PID 4720 wrote to memory of 2840   4720  a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe   82
    PID 4720 wrote to memory of 3504   4720  a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe   83
    PID 4720 wrote to memory of 3504   4720  a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe   83
    PID 4720 wrote to memory of 3504   4720  a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe   83
Processes
- C:\Users\Admin\AppData\Local\Temp\a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe"
  PID: 4720
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    PID: 2840
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\_a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\_a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe
    PID: 3504
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7.1MB
  MD5: aab4d41c280eeed4f62e05c4a382a2e0
  SHA1: bdb55d5baeec5ab45b4f5456997866fcce9fe33b
  SHA256: cc4be0db54e69a8754426b4595210f5238df028187ce9f9491e0a9873c37a975
  SHA512: a024099d430355af698363fafe6be3ba32d824aa03b780c7b9a438f1e8569fa19f18c1262f870d6842a2f43aecf58aa3198bf7d51bacc1c19aa4a714e3082b0d
- C:\Users\Admin\AppData\Local\Temp\_a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005.exe
  Filesize: 7.1MB
  MD5: 77f0f26b82ccd143daad8b5ee63b6b65
  SHA1: 109c463530f1103a4fb6989a47c2b888cfadd0e3
  SHA256: 2c35bcbef057c9e0c20143ada8f008cc95f603ec5d7bd7f84b78daae004ed22b
  SHA512: 5d4560e38467132f64384e456d344025bd094cf239e5624819a91b3471389b6fdc6290a0be6be4220b40f8b102a4fcf33d23f3a109ac59eb75e1ae64b8af892a
- Filesize: 7.1MB
  MD5: 6874862093d4753f6d0ecd513d83f046
  SHA1: 708f93e3cfb8d5b299eb79dfdbd0a877397b48e3
  SHA256: a2d3abaf63803b8d4657ee4ddb1467b54dd74d9e3e0a58f1ec16de38a3f86005
  SHA512: 308aaa124d81d4de393f7acc50e0c44a623346a9940b13a0625e566ae244e6dcd0c5812ee823665458323aed73b78cec139346910edf911111ff351660bae695