e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0

Analysis

max time kernel
96s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe
Size

5.4MB
MD5

fcd957f6c522e305d02ea7242bc975d2
SHA1

6d139140d57e6f02d7352c6d14bb44c8ee2e5832
SHA256

e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0
SHA512

a29cdfc6215c918dab47b31de145c508080849ed37eec5579e6eba5f6fea31dea6d275e5bf7190726a432109ef79790b0ed1de3b64b45fb3bb8bec59da51ab8f
SSDEEP

49152:9KgkEaSVK2MtENoFFYHJYgb47QC3GZtp9GY568MNwu4acTC3ZvFXkP5VugzsIYU:8mahrbQEHcTeqqI3

Score

9^/10

discovery persistence ransomware

Malware Config

Signatures

Renames multiple (317) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2880	sysx32.exe
4116	_e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"	e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	sysx32.exe
File opened (read-only)	\??\S:	sysx32.exe
File opened (read-only)	\??\X:	sysx32.exe
File opened (read-only)	\??\A:	sysx32.exe
File opened (read-only)	\??\B:	sysx32.exe
File opened (read-only)	\??\G:	sysx32.exe
File opened (read-only)	\??\P:	sysx32.exe
File opened (read-only)	\??\Q:	sysx32.exe
File opened (read-only)	\??\T:	sysx32.exe
File opened (read-only)	\??\Z:	sysx32.exe
File opened (read-only)	\??\K:	sysx32.exe
File opened (read-only)	\??\M:	sysx32.exe
File opened (read-only)	\??\O:	sysx32.exe
File opened (read-only)	\??\L:	sysx32.exe
File opened (read-only)	\??\N:	sysx32.exe
File opened (read-only)	\??\R:	sysx32.exe
File opened (read-only)	\??\U:	sysx32.exe
File opened (read-only)	\??\E:	sysx32.exe
File opened (read-only)	\??\I:	sysx32.exe
File opened (read-only)	\??\J:	sysx32.exe
File opened (read-only)	\??\V:	sysx32.exe
File opened (read-only)	\??\W:	sysx32.exe
File opened (read-only)	\??\Y:	sysx32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cmstp.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\fltMC.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\takeown.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\tar.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\replace.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\upnpcont.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\wowreg32.exe	sysx32.exe
File created	C:\Windows\SysWOW64\at.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\HOSTNAME.EXE	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\logman.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\regsvr32.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\BackgroundTransferHost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\icacls.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\runonce.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\tzutil.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\whoami.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\InstallShield\setup.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\bitsadmin.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\expand.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\pcaui.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\wextract.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\find.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\mtstocom.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\ROUTE.EXE	sysx32.exe
File created	C:\Windows\SysWOW64\sxstrace.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\where.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\charmap.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\eventcreate.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\fsutil.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\nslookup.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\mshta.exe	sysx32.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\write.exe	sysx32.exe
File created	C:\Windows\SysWOW64\odbcconf.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\sdbinst.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\taskkill.exe	sysx32.exe
File created	C:\Windows\SysWOW64\unlodctr.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\systeminfo.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\Windows.WARP.JITService.exe	sysx32.exe
File created	C:\Windows\SysWOW64\wsmprovhost.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\autofmt.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\calc.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\dvdplay.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\winrshost.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\dialer.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\mspaint.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\wiaacmgr.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\poqexec.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\WerFaultSecure.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\wusa.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\autochk.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\iexpress.exe	sysx32.exe
File created	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\TapiUnattend.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\colorcpl.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\mspaint.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\RdpSaProxy.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_isv.exe.tmp	sysx32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe.tmp	sysx32.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe.tmp	sysx32.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp	sysx32.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	sysx32.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.tmp	sysx32.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	sysx32.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp	sysx32.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE.tmp	sysx32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	sysx32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	sysx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	sysx32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	sysx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe	sysx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	sysx32.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	sysx32.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE.tmp	sysx32.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	sysx32.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe.tmp	sysx32.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp	sysx32.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	sysx32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	sysx32.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe	sysx32.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	sysx32.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-autochk_31bf3856ad364e35_10.0.19041.1_none_a239a51f957f6b65\autochk.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.1266_none_eb6597ac99d11603\r\SpatialAudioLicenseSrv.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-com-surrogate-core_31bf3856ad364e35_10.0.19041.546_none_12e3d70535675c5f\dllhost.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.153_none_70cb6ca43c818606\cmdiag.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1266_none_119b1e415d838a28\r\autoconv.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-findstr_31bf3856ad364e35_10.0.19041.1_none_dd2098e5f9122dff\findstr.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.19041.423_none_895925637881788e\r\fixmapi.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..msettings-datamodel_31bf3856ad364e35_10.0.19041.264_none_c813a1965bacf6d2\SystemSettingsBroker.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\f\hvsirpcd.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.19041.1151_none_0f2f3a9cb1826509\nltest.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_10.0.19041.1_none_4247919c34819e8e\pcaui.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.264_none_91c1d6c40350b1b6\appcmd.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.1_none_f92e72a6a03c2c5a\prevhost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.264_none_64b3f487e354744d\r\usocoreworker.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingDeletes\8e36994536e5d701189b00001815341f.iisreset.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-netsh_31bf3856ad364e35_10.0.19041.1_none_1fe6ae13cb971ac8\netsh.exe.tmp	sysx32.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.1266_none_d7b5820f5a89765b\r\agentactivationruntimestarter.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\systemreset.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontview_31bf3856ad364e35_10.0.19041.1_none_fa551ac355d48c7f\fontview.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..e-client-ui-wsreset_31bf3856ad364e35_10.0.19041.746_none_a47144c464d15475\f\WSReset.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_e8b8012dee3ba92e\TCPSVCS.EXE.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.19041.1_none_8b3ee1f81086d0e3\ReAgentc.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoftwindows-undockeddevkit.appxmain_31bf3856ad364e35_10.0.19041.488_none_7201e1dc944d1765\r\UndockedDevKit.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_installutil_b03f5f7f11d50a3a_4.0.15805.0_none_d67d06ef0c4a2e1c\InstallUtil.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.84_none_a689f818199cbaf8\r\Taskmgr.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-blb-engine-main_31bf3856ad364e35_10.0.19041.264_none_c1c396da5ea1410f\wbengine.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.19041.264_none_223a5768a6257099\eshell.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.19041.746_none_ff52abd5cb47bbe1\f\lpremove.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\r\SyncHost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\r\TSWbPrxy.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-regsvr32_31bf3856ad364e35_10.0.19041.1_none_389cd5270341e0a8\regsvr32.exe	sysx32.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.19041.928_none_6571ff6e96271a64\hcsdiag.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..services-core-files_31bf3856ad364e35_10.0.19041.1_none_45dc4032c659ae7c\dsamain.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-extcom_31bf3856ad364e35_10.0.19041.84_none_027c502c6e331223\f\SppExtComObj.Exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-cloudnotifications_31bf3856ad364e35_10.0.19041.746_none_7a559100246cff2b\r\CloudNotifications.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.1266_none_d7b5820f5a89765b\f\agentactivationruntimestarter.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.19041.964_none_ae5ec9e59abc05e6\SndVol.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-d..omerfeedbackmanager_31bf3856ad364e35_10.0.19041.844_none_c47fb20821633815\f\imecfmui.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..iodatamodel-library_31bf3856ad364e35_10.0.19041.264_none_52f277f293540161\WinBioDataModelOOBE.exe	sysx32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..extservice.appxmain_31bf3856ad364e35_10.0.19041.1_none_04930b2bd1f9871f\Microsoft.AsyncTextService.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..screencontentserver_31bf3856ad364e35_10.0.19041.746_none_e540b68b09558f5a\LockScreenContentServer.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..b-standardcollector_31bf3856ad364e35_10.0.19041.928_none_0f531ea0d233243b\DiagnosticsHub.StandardCollector.Service.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.19041.1151_none_0f2f3a9cb1826509\f\nltest.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.19041.1266_none_e8d910c7c702b558\MusNotificationUx.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..ebviewhost.appxmain_31bf3856ad364e35_10.0.19041.264_none_e85c49c0793f9f24\Win32WebViewHost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1_none_c26c8624c595ae48\GameBarPresenceWriter.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-openwith_31bf3856ad364e35_10.0.19041.746_none_556ec3cb05e3ec5a\r\OpenWith.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\r\WWAHost.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-client-li..ing-platform-client_31bf3856ad364e35_10.0.19041.1266_none_7e2b6be969016c27\r\licensingdiag.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-appresolverux.appxmain_31bf3856ad364e35_10.0.19041.423_none_df344b9fe5390f25\AppResolverUX.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.1266_none_eb6597ac99d11603\audiodg.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_10.0.19041.1_none_03029e85abc99279\bitsadmin.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.1_none_a347c249afbf6f97\Netplwiz.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-r..ckgroundmediaplayer_31bf3856ad364e35_10.0.19041.1266_none_30abd5bf5f509a14\Windows.Media.BackgroundPlayback.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-recoverydrive_31bf3856ad364e35_10.0.19041.1237_none_9d556cf140e198b4\f\RecoveryDrive.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..management-omadmprc_31bf3856ad364e35_10.0.19041.844_none_93c03ca99a47dc8f\r\omadmprc.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..daryauthfactor-task_31bf3856ad364e35_10.0.19041.746_none_a9ff72b1a43fd663\f\DeviceCredentialDeployment.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9064b8c1b47576c0_iscsicli.exe_20e14d4f.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-s..chservice-component_31bf3856ad364e35_10.0.19041.1_none_638e20742b3c9c9a\SpeechRuntime.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\ndadmin.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tzutil_31bf3856ad364e35_10.0.19041.1_none_ea34e25ca28496c3\tzutil.exe.tmp	sysx32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 2880	5028	e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe	83
PID 5028 wrote to memory of 2880	5028	e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe	83
PID 5028 wrote to memory of 2880	5028	e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe	83
PID 5028 wrote to memory of 4116	5028	e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe	84
PID 5028 wrote to memory of 4116	5028	e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe	84
PID 5028 wrote to memory of 4116	5028	e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe	84

C:\Users\Admin\AppData\Local\Temp\e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe
"C:\Users\Admin\AppData\Local\Temp\e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SysWOW64\sysx32.exe
  C:\Windows\system32\sysx32.exe /scan
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\_e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe
  C:\Users\Admin\AppData\Local\Temp\_e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
5.4MB

MD5
542eb3041b09a31b67cdbc9be0024e32

SHA1
8fcac6429a6573681e246880a1b965734557295c

SHA256
0d3b333c8079abcda1cd5f41d3f3e083fd2c7152d3498181ff1e2b53aa9f1573

SHA512
965a84d6fae6753fc634c1aa7ed2a4de30dccc94102fae9fdf1078093cf98568ef1e6e3ff6351d56090b3fa4f1280ddf4b775560a619520642ea6702eb927d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0.exe

Filesize
5.4MB

MD5
75d6e3f7c54bf4bffbdd1a5a74f6bc4b

SHA1
b818728b564bd0485073241590729f3338078a34

SHA256
ccc913161c7b9dcf6956a12467ad6ca6ea795bb473a1c17abae42b09096963e3

SHA512
280e650a24c12059bf3bbdff12fc2a795fa430a6eec40e70944d0b895106f28e972ed2ba1b75715c84b92fb93d99626f11873d247a723f04d7ac136fddb0d1ae

Download Submit
C:\Windows\SysWOW64\sysx32.exe

Filesize
5.4MB

MD5
fcd957f6c522e305d02ea7242bc975d2

SHA1
6d139140d57e6f02d7352c6d14bb44c8ee2e5832

SHA256
e7859ca1dcde7419306d555c1080e69ed077671c07c0d916656cb966045b07c0

SHA512
a29cdfc6215c918dab47b31de145c508080849ed37eec5579e6eba5f6fea31dea6d275e5bf7190726a432109ef79790b0ed1de3b64b45fb3bb8bec59da51ab8f

Download Submit
memory/2880-1014-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-612-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-1797-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-2691-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-2692-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-2693-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-2694-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-2695-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5028-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5028-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads