76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7

Analysis

max time kernel
93s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe
Size

4.4MB
MD5

dc9e939ee449d36161d925e7afb69370
SHA1

db34c1776b889984c34e037817ec64d827470a87
SHA256

76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7
SHA512

df1e3c15afcdc177950d4c7cfe154e5521b456c6dffbf1d339b6eb21efb70604fbbc13997dfe1f19d98957b9b150545969aa29a21a93a47335e48d79fab62109
SSDEEP

49152:99KfuPS3ELNjV7FZxEfOfOgwf099cPy9AuDzY:8m9pZxwgbcPy9AuDzY

Score

9^/10

discovery persistence ransomware

Malware Config

Signatures

Renames multiple (316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
4976	sysx32.exe
3152	_76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"	76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	sysx32.exe
File opened (read-only)	\??\K:	sysx32.exe
File opened (read-only)	\??\M:	sysx32.exe
File opened (read-only)	\??\P:	sysx32.exe
File opened (read-only)	\??\R:	sysx32.exe
File opened (read-only)	\??\X:	sysx32.exe
File opened (read-only)	\??\A:	sysx32.exe
File opened (read-only)	\??\G:	sysx32.exe
File opened (read-only)	\??\T:	sysx32.exe
File opened (read-only)	\??\V:	sysx32.exe
File opened (read-only)	\??\B:	sysx32.exe
File opened (read-only)	\??\Q:	sysx32.exe
File opened (read-only)	\??\L:	sysx32.exe
File opened (read-only)	\??\O:	sysx32.exe
File opened (read-only)	\??\Y:	sysx32.exe
File opened (read-only)	\??\Z:	sysx32.exe
File opened (read-only)	\??\E:	sysx32.exe
File opened (read-only)	\??\I:	sysx32.exe
File opened (read-only)	\??\S:	sysx32.exe
File opened (read-only)	\??\U:	sysx32.exe
File opened (read-only)	\??\W:	sysx32.exe
File opened (read-only)	\??\H:	sysx32.exe
File opened (read-only)	\??\N:	sysx32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\curl.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\LaunchWinApp.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\rasautou.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\subst.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\ttdinject.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\CloudNotifications.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\rdrleakdiag.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\gpresult.exe	sysx32.exe
File created	C:\Windows\SysWOW64\icsunattend.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\mobsync.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\sdchange.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\mobsync.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\mstsc.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\wextract.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\fltMC.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\msfeedssync.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\winrshost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\iexpress.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\PkgMgr.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\SettingSyncHost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC\IMTCLNWZ.EXE.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\clip.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\gpupdate.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\subst.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe	sysx32.exe
File created	C:\Windows\SysWOW64\sysx32.exe	sysx32.exe
File created	C:\Windows\SysWOW64\bthudtask.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\CredentialUIBroker.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\mmgaserver.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\mspaint.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\TCPSVCS.EXE.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\iscsicli.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\winrs.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\wlanext.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\autofmt.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\cttune.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\dllhost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\Netplwiz.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\OneDriveSetup.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\chkntfs.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\msra.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\OpenWith.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\tttracer.exe	sysx32.exe
File created	C:\Windows\SysWOW64\xwizard.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\ComputerDefaults.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\mshta.exe	sysx32.exe
File created	C:\Windows\SysWOW64\PackagedCWALauncher.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\tttracer.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\net1.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\NETSTAT.EXE.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\ntprint.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\srdelayed.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\perfhost.exe	sysx32.exe
File created	C:\Windows\SysWOW64\SndVol.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\cmdl32.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\dxdiag.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\sethc.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\TpmInit.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\Windows.WARP.JITService.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\wlanext.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\agentactivationruntimestarter.exe.tmp	sysx32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\chrome_installer.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE.tmp	sysx32.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe.tmp	sysx32.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	sysx32.exe
File created	C:\Program Files\dotnet\dotnet.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE.tmp	sysx32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE.tmp	sysx32.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe.tmp	sysx32.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	sysx32.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe.tmp	sysx32.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp	sysx32.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.tmp	sysx32.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	sysx32.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	sysx32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe	sysx32.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe.tmp	sysx32.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	sysx32.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.tmp	sysx32.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.tmp	sysx32.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe.tmp	sysx32.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe.tmp	sysx32.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-blb-engine-main_31bf3856ad364e35_10.0.19041.264_none_c1c396da5ea1410f\wbengine.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_10.0.19041.746_none_7aa85dbabd7172c7\f\PrintIsolationHost.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.1266_none_fb98272b39a47240\r\MoUsoCoreWorker.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.0.19041.1_none_8ced8f07ec5dee21\iexplore.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_10.0.19041.1_none_03029e85abc99279\bitsadmin.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..-unifiedwritefilter_31bf3856ad364e35_10.0.19041.1266_none_110072d23cfc00d3\UwfServicingShell.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ndkping-setup_31bf3856ad364e35_10.0.19041.1_none_6e5126083c2c0ea6\NDKPing.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.746_none_790f12933fbf7e0d\r\tpmvscmgrsvr.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..biometrics-trustlet_31bf3856ad364e35_10.0.19041.1266_none_ba0845abb58c8bdd\r\BioIso.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..biometrics-trustlet_31bf3856ad364e35_10.0.19041.1_none_fb337fa99fb8bc2f\BioIso.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1_none_ef1691668a233417\appidtel.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-b..ment-windows-minwin_31bf3856ad364e35_10.0.19041.1266_none_c4b179e0b12fe4b9\f\winload.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.1288_none_f92f7256107c0e35\nvspinfo.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecore-c..periencehost-broker_31bf3856ad364e35_10.0.19041.1_none_f4db83a870443aa2\CloudExperienceHostBroker.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-bcdboot-cmdlinetool_31bf3856ad364e35_10.0.19041.1237_none_d618a074f3588a53\bcdboot.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\r\HvsiSettingsWorker.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.19041.117_none_1db60e061b48335a\f\bash.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_bd2b0ef5b58e1540\cscript.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_9fcce199936290f4\upnpcont.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.264_none_6b6699b671c8f5a8\f\VmComputeAgent.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-filtermanager-utils_31bf3856ad364e35_10.0.19041.546_none_01dba454b887ba53\r\fltMC.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\f\icsunattend.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-xbox-gamecallableui.appxmain_31bf3856ad364e35_10.0.19041.1_none_d910ec4e86b0552b\XBox.TCUI.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-attrib_31bf3856ad364e35_10.0.19041.1_none_72d3d2875ff2c886\attrib.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.746_none_58702f801199ce06\NetCfgNotifyObjectHost.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-apprep-chxapp.appxmain_31bf3856ad364e35_10.0.19041.423_none_15f557c171018574\r\CHXSmartScreen.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\r\auditpol.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\f\PerceptionSimulationService.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_3f7ee0a8ee28ef7d_netiougc.exe_94123cfe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-d..omerfeedbackmanager_31bf3856ad364e35_10.0.19041.844_none_c47fb20821633815\imecfmui.exe	sysx32.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-regsvr32_31bf3856ad364e35_10.0.19041.1_none_389cd5270341e0a8\regsvr32.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-xwizard-host-process_31bf3856ad364e35_10.0.19041.1_none_1939c8a90c4232f6\xwizard.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_10.0.19041.1_none_63e4d70575e86068\setup_wm.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..-certificateinstall_31bf3856ad364e35_10.0.19041.1151_none_ae854961a06058b2\dmcertinst.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-magnify_31bf3856ad364e35_10.0.19041.84_none_65d0f4a4c6cd4975\f\Magnify.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-unattendedjoin_31bf3856ad364e35_10.0.19041.572_none_90e9bab3cbbfd71a\r\djoin.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\r\UNPUXHost.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-waitfor_31bf3856ad364e35_10.0.19041.1_none_6c56c3651a911f63\waitfor.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9064b8c1b47576c0_iscsicli.exe_20e14d4f	sysx32.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..switch-toasthandler_31bf3856ad364e35_10.0.19041.746_none_b2e64138c9682982\InputSwitchToastHandler.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-e..taprotectioncleanup_31bf3856ad364e35_10.0.19041.789_none_b38221af158e5881\f\EDPCleanup.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecore-console-host-core_31bf3856ad364e35_10.0.19041.1288_none_e25de9f9d964cdad\conhost.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.173_none_38fc88f8cb913df1\winresume.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\r\PinningConfirmationDialog.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_7a0308f7ffc334d5\perfmon.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-cpl_31bf3856ad364e35_10.0.19041.1_none_0d7764d82a75e629\BitLockerWizardElev.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qprocess.exe	sysx32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.19041.1023_none_d3d892f3280079d7\f\MdmDiagnosticsTool.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\iisreset.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslhost_31bf3856ad364e35_10.0.19041.1151_none_329784a84ed43acd\wslhost.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\r\wmplayer.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\r\wmpshare.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorQuickStart.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_multipoint-wmsuseragent_31bf3856ad364e35_10.0.19041.746_none_3ed4d566b640ef5b\f\WmsUserAgent.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-browser-brokers_31bf3856ad364e35_11.0.19041.153_none_580ef30a6bb05e53\browser_broker.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_38869341091832be\f\mofcomp.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\x86_netfx4-mscorsvw_exe_b03f5f7f11d50a3a_4.0.15805.0_none_c4e6302d398f7e04\mscorsvw.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_0565d41cd46ec20a\msinfo32.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.1266_none_07a5d18b92d8b668\r\cmimageworker.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.0.19041.1202_none_512e9d368c70b758\iexplore.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1_none_a5f487c01cc9bd1f\ntprint.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_edd345b6c42269da\r\rasautou.exe.tmp	sysx32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysx32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 4976	2088	76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe	83
PID 2088 wrote to memory of 4976	2088	76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe	83
PID 2088 wrote to memory of 4976	2088	76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe	83
PID 2088 wrote to memory of 3152	2088	76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe	85
PID 2088 wrote to memory of 3152	2088	76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe	85

C:\Users\Admin\AppData\Local\Temp\76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe
"C:\Users\Admin\AppData\Local\Temp\76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\sysx32.exe
  C:\Windows\system32\sysx32.exe /scan
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4976
- C:\Users\Admin\AppData\Local\Temp\_76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe
  C:\Users\Admin\AppData\Local\Temp\_76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe
  2⤵
  - Executes dropped EXE
  PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
4.4MB

MD5
c7eb8d98666ec20e2e2f34019fe44715

SHA1
42e88731b6ca99c154df42c82ae4499f93c103f3

SHA256
535a6aba7c17e4f9ebf48478a621ce5e1ee23fef3a954cba2a833098f1f9da51

SHA512
ca64868269c2defe8c0bd7594fdfe457545474ded9c80d5cba5516a210c5e6b09f87092cd263221ceb8de113ec88c1fab05acd3f579d35be9340e62ed821938b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7.exe

Filesize
4.3MB

MD5
b458c7fbd2e2ee9da07bda9840b2a498

SHA1
7a9fe26674ae3bed2376c6112777ac5b169acead

SHA256
66195b35fbee32100c4ded83f5a5112f6ea10b5861e9a0dd78bb695ddc725cea

SHA512
370163925a375c9151d37b71c3a7868ba11997be0aa029cff193bc8d82d66513d141cca47b88e6537133c77df5bf1dbc849901fe91041ce8920ea2284f6b18be

Download Submit
C:\Windows\SysWOW64\sysx32.exe

Filesize
4.4MB

MD5
dc9e939ee449d36161d925e7afb69370

SHA1
db34c1776b889984c34e037817ec64d827470a87

SHA256
76f37775c0d1683e029d131526fcb9e9cf594f2e4908a2ec00920ee2583f04f7

SHA512
df1e3c15afcdc177950d4c7cfe154e5521b456c6dffbf1d339b6eb21efb70604fbbc13997dfe1f19d98957b9b150545969aa29a21a93a47335e48d79fab62109

Download Submit
memory/2088-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2088-536-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4976-821-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4976-822-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4976-1579-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4976-2687-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4976-2688-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4976-2689-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4976-2690-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads