Analysis
max time kernel: 96s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-11-2024 00:27
Static task: static1
Behavioral task: behavioral1
  Sample: 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
  Resource: win10v2004-20241007-en
General
Target: 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
Size: 5.4MB
MD5: 14b7ce0086005a7d3f8b5a714d6d0364
SHA1: 226246936f022970b445f71c7d385b04e2a176e9
SHA256: 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c
SHA512: 5bad4031c34b0dadf3a12e395c3def57f8d604e6cd7e2fe52945975d9a9c88ef4313d2fc8ac94ff669400bfe81941f36b9880dc1963b965a288c575d8b5dd6fb
SSDEEP: 49152:9V/xFnOvtaWIDn0apLKkLJU9nU2foKhA4vSWidGHkufjWJA6ongaHLvKLA8VgbK6:9tLK3BDhtvS0Hn5gaHrhdwC
Malware Config
Signatures
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  Processes: sysx32.exe, _96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
  pid | Process
  3540 | sysx32.exe
  1268 | _96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: sysx32.exe
  description | ioc | Process
  File opened (read-only) | \??\V: | sysx32.exe
  File opened (read-only) | \??\L: | sysx32.exe
  File opened (read-only) | \??\M: | sysx32.exe
  File opened (read-only) | \??\O: | sysx32.exe
  File opened (read-only) | \??\P: | sysx32.exe
  File opened (read-only) | \??\U: | sysx32.exe
  File opened (read-only) | \??\S: | sysx32.exe
  File opened (read-only) | \??\X: | sysx32.exe
  File opened (read-only) | \??\B: | sysx32.exe
  File opened (read-only) | \??\E: | sysx32.exe
  File opened (read-only) | \??\H: | sysx32.exe
  File opened (read-only) | \??\K: | sysx32.exe
  File opened (read-only) | \??\Q: | sysx32.exe
  File opened (read-only) | \??\A: | sysx32.exe
  File opened (read-only) | \??\N: | sysx32.exe
  File opened (read-only) | \??\T: | sysx32.exe
  File opened (read-only) | \??\Y: | sysx32.exe
  File opened (read-only) | \??\Z: | sysx32.exe
  File opened (read-only) | \??\G: | sysx32.exe
  File opened (read-only) | \??\I: | sysx32.exe
  File opened (read-only) | \??\J: | sysx32.exe
  File opened (read-only) | \??\R: | sysx32.exe
  File opened (read-only) | \??\W: | sysx32.exe
- Drops file in System32 directory (64 IoCs)
  Processes: sysx32.exe
  description | ioc | Process
  File created | C:\Windows\SysWOW64\SecEdit.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\dtdump.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\perfhost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\proquota.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\taskkill.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\ARP.EXE.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\compact.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\regedit.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\dllhost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\logman.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\ieUnatt.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\OposHost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\reg.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\schtasks.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\clip.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\nslookup.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\sdchange.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\setx.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\subst.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\IME\SHARED\imecfmui.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\ByteCodeGenerator.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\choice.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\cmmon32.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\convert.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\PackagedCWALauncher.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\bthudtask.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\mtstocom.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\RdpSa.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\timeout.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\DpiScaling.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\getmac.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\SystemPropertiesHardware.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\forfiles.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\iscsicpl.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\ndadmin.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\setup16.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\WWAHost.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\mountvol.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\replace.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\SystemPropertiesComputerName.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\systray.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\tar.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\ieUnatt.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\TsWpfWrp.exe | sysx32.exe
  File created | C:\Windows\SysWOW64\winrs.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\mobsync.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\schtasks.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\TpmTool.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\WerFaultSecure.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\logagent.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\upnpcont.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\LaunchTM.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\calc.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\shutdown.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\stordiag.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\cleanmgr.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\fontdrvhost.exe | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\ftp.exe.tmp | sysx32.exe
  File created | C:\Windows\SysWOW64\mshta.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\SysWOW64\openfiles.exe | sysx32.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: sysx32.exe
  description | ioc | Process
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp | sysx32.exe
  File created | C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe | sysx32.exe
  File created | C:\Program Files (x86)\Windows Media Player\wmlaunch.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\jhat.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe.tmp | sysx32.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | sysx32.exe
  File created | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE | sysx32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | sysx32.exe
  File created | C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe.tmp | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe.tmp | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp | sysx32.exe
  File created | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | sysx32.exe
  File created | C:\Program Files (x86)\Windows Media Player\setup_wm.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp | sysx32.exe
  File created | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | sysx32.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe.tmp | sysx32.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe.tmp | sysx32.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp | sysx32.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe.tmp | sysx32.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | sysx32.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | sysx32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\Install\{86C113DF-C14A-4A2D-BFB2-2F0FC039BBA8}\chrome_installer.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | sysx32.exe
- Drops file in Windows directory (64 IoCs)
  Processes: sysx32.exe
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_10.0.19041.1266_none_c67a7a982eedc4e8\f\explorer.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\r\provtool.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_b3df5aa8d99e9b89\TSTheme.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1288_none_6f1fcb1866fcb4b8\r\ntprint.exe | sysx32.exe
  File created | C:\Windows\WinSxS\msil_servicemodelreg_b03f5f7f11d50a3a_10.0.19041.1_none_0bb55a3e8d066c16\ServiceModelReg.exe.tmp | sysx32.exe
  File created | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_10.0.19041.1202_none_c0150a0a443c0ffc\f\wbadmin.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-h..-network-management_31bf3856ad364e35_10.0.19041.1_none_7a53549f2797bc70\nmscrub.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.19041.1151_none_f7be996d8409bfa1\wsl.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.19041.1151_none_d57e154a0a8460d3\f\pacjsworker.exe | sysx32.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.264_none_6ea6dfb6393e5f06\r\DataStoreCacheDumpTool.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-wordpad_31bf3856ad364e35_10.0.19041.1_none_ee00310940a3cd37\wordpad.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.153_none_c8fbed52dad932cb\r\SysResetErr.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_3d62a57d3b12dcf1\find.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.264_none_1477a882bdce0df2\f\vmms.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.84_none_a689f818199cbaf8\f\Taskmgr.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.173_none_38fc88f8cb913df1\winresume.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-mobsyncexe_31bf3856ad364e35_10.0.19041.1_none_a541e711f3b2a478\mobsync.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-mschedexe_31bf3856ad364e35_10.0.19041.1_none_958f624251c93843\MSchedExe.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1_none_61cd745a990bcfb3\msinfo32.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.19041.423_none_204af7ff19532470\OOBENetworkCaptivePortal.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_28f87d0444103fde\r\fontdrvhost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\r\aspnetca.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.1_none_0ea013578aa5744f\setupcl.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1_none_45334ed1c0264cf2\wkspbroker.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-a..l-systemuwplauncher_31bf3856ad364e35_10.0.19041.746_none_ed5986fc58f1b817\SystemUWPLauncher.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.19041.1023_none_6aeab5d4bd0371a8\setup16.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_netfx-cvtres_for_vc_and_vb_b03f5f7f11d50a3a_10.0.19041.1_none_5efb81c4b092852b\cvtres.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..rarydialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_83b794e5516730a0\AddSuggestedFoldersToLibraryDialog.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.1266_none_07a5d18b92d8b668\cmdiag.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\wmpconfig.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.153_none_c8fbed52dad932cb\r\SysResetErr.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..es-inputredirection_31bf3856ad364e35_10.0.19041.1_none_ba15c535035058c0\rdpinput.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.1_none_6f2c92b5bf3d99bc\Taskmgr.exe | sysx32.exe
  File created | C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ROUTE.EXE.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_netfx4-aspnet_wp_exe_b03f5f7f11d50a3a_4.0.15805.0_none_0e9691ac6feedc0d\aspnet_wp.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\f\SettingSyncHost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-i..atedusermode-kernel_31bf3856ad364e35_10.0.19041.1023_none_5c93ef2449c89609\securekernel.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\f\ScriptRunner.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..ing-management-core_31bf3856ad364e35_10.0.19041.1_none_e1253388ca1ca1af\DismHost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-unlock_31bf3856ad364e35_10.0.19041.746_none_428efbd28b482d1c\r\bdeunlock.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\tabcal.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-blb-engine-main_31bf3856ad364e35_10.0.19041.264_none_c1c396da5ea1410f\r\wbengine.exe | sysx32.exe
  File created | C:\Windows\WinSxS\wow64_microsoft-windows-a..l-systemuwplauncher_31bf3856ad364e35_10.0.19041.746_none_ed5986fc58f1b817\SystemUWPLauncher.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\wow64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1081_none_5f557b607e14f541\f\ByteCodeGenerator.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\r\iissetup.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-proquota_31bf3856ad364e35_10.0.19041.1_none_ddb8055b31c2ae64\proquota.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.1_none_18b14c7d1478d4cc\sethc.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpshell.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.1266_none_ab5bdb26141e0be5\vmms.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.1_none_4475a86a4f1da227\BackgroundTransferHost.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_10.0.19041.1266_none_2d0e4759c01cf211\f\setup_wm.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.262_none_8b2066136dd02eb6\TiWorker.exe.tmp | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-alg_31bf3856ad364e35_10.0.19041.746_none_86e29cecb9edce01\alg.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..onentpackagesupport_31bf3856ad364e35_10.0.19041.1_none_15ad78a57833209d\CompPkgSrv.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-com-runtimebroker_31bf3856ad364e35_10.0.19041.746_none_744cb37f06e446cc\RuntimeBroker.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_netfx4-aspnet_wp_exe_b03f5f7f11d50a3a_4.0.15805.0_none_0e9691ac6feedc0d\aspnet_wp.exe | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..atibility-assistant_31bf3856ad364e35_10.0.19041.1266_none_a88c5999d8585853\r\pcalua.exe | sysx32.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\change.exe.tmp | sysx32.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-drvinst_31bf3856ad364e35_10.0.19041.1202_none_ca1e0a7a1f21274c_drvinst.exe_6593e92a.tmp | sysx32.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe, sysx32.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysx32.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
  description | pid | Process | procid_target
  PID 5080 wrote to memory of 3540 | 5080 | 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe | 83
  PID 5080 wrote to memory of 3540 | 5080 | 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe | 83
  PID 5080 wrote to memory of 3540 | 5080 | 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe | 83
  PID 5080 wrote to memory of 1268 | 5080 | 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe | 85
  PID 5080 wrote to memory of 1268 | 5080 | 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5080
  - C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 3540
  - C:\Users\Admin\AppData\Local\Temp\_96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\_96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
    - Executes dropped EXE
    PID: 1268
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5.4MB
  MD5: 4dce67285e02e07d62f3273fde8883a8
  SHA1: c666c7f303aa8444b0d1d638574c9ec06c735dd0
  SHA256: b752046513a8f3c0ce42f24625d773008e652d053f0b1cbeea2d3abd98e52608
  SHA512: 43e1b608b57acae332b83e5ea2598e5e6ffe4da1d1564cb6c1b0fb2d7e018fe80bfed4fcb9d8eb37062b457a30513a2477d82221f4682c601b7d5361d4277f3b
- C:\Users\Admin\AppData\Local\Temp\_96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c.exe
  Filesize: 5.3MB
  MD5: 72e298a237d44a586b1ccba09aba6766
  SHA1: afa9ddbf96b92eb875a122f3da4f04e55286332d
  SHA256: 7eee6260c0549edd80a5d52b00827ce9e492c80704ef7ba87fd1a0c72e00424b
  SHA512: cbc430e93071fbdc8766e983d8dc853f4a2d46f9ae2c0c51c7597d82d7cffcd2c64ee2e4a2d4419d09bc0ed69f7c0dc205bf8f6fe090c46e60e12c2a7b5d925a
- Filesize: 5.4MB
  MD5: 14b7ce0086005a7d3f8b5a714d6d0364
  SHA1: 226246936f022970b445f71c7d385b04e2a176e9
  SHA256: 96b6429615fa4700a9684154898519a42e8614da109dcc950dc588081c04372c
  SHA512: 5bad4031c34b0dadf3a12e395c3def57f8d604e6cd7e2fe52945975d9a9c88ef4313d2fc8ac94ff669400bfe81941f36b9880dc1963b965a288c575d8b5dd6fb