d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364

General

Target

d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
Size

7.1MB
MD5

ef16186ca98cac06a6f224a0c7532fd7
SHA1

08ef445e63e7beed27e7f1d8468e4902fa713815
SHA256

d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364
SHA512

eff1289310fed5635037f7ae9564e88eae67620a15d2eff19d821f8d0283380a3528b50f11dfd2bfd78ae951d3a3ce996c980fa16c5cf6336fac84c5737aed23
SSDEEP

49152:9ggkEaSIHYezZiNo7IcyO82MzufjWJA6ongaHLvKLA8VgbKW2llxobcJOu2Qt7YW:Smapj+os45gaHrhdw3D7nTsR

Score

9^/10

discovery persistence ransomware

Malware Config

Signatures

Renames multiple (317) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

sysx32.exe_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

pid process

4868 sysx32.exe
2132 _d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

pid	process
4868	sysx32.exe
2132	_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe"	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sysx32.exe

description	ioc	process
File opened (read-only)	\??\O:	sysx32.exe
File opened (read-only)	\??\U:	sysx32.exe
File opened (read-only)	\??\X:	sysx32.exe
File opened (read-only)	\??\Y:	sysx32.exe
File opened (read-only)	\??\P:	sysx32.exe
File opened (read-only)	\??\R:	sysx32.exe
File opened (read-only)	\??\T:	sysx32.exe
File opened (read-only)	\??\S:	sysx32.exe
File opened (read-only)	\??\Z:	sysx32.exe
File opened (read-only)	\??\H:	sysx32.exe
File opened (read-only)	\??\J:	sysx32.exe
File opened (read-only)	\??\K:	sysx32.exe
File opened (read-only)	\??\M:	sysx32.exe
File opened (read-only)	\??\N:	sysx32.exe
File opened (read-only)	\??\L:	sysx32.exe
File opened (read-only)	\??\Q:	sysx32.exe
File opened (read-only)	\??\V:	sysx32.exe
File opened (read-only)	\??\A:	sysx32.exe
File opened (read-only)	\??\B:	sysx32.exe
File opened (read-only)	\??\E:	sysx32.exe
File opened (read-only)	\??\G:	sysx32.exe
File opened (read-only)	\??\I:	sysx32.exe
File opened (read-only)	\??\W:	sysx32.exe

Drops file in System32 directory 64 IoCs

Processes:

sysx32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dxdiag.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\findstr.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\reg.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\wecutil.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\CertEnrollCtrl.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\Fondue.exe	sysx32.exe
File created	C:\Windows\SysWOW64\GameBarPresenceWriter.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\SystemPropertiesHardware.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\unlodctr.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\WWAHost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\dcomcnfg.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\openfiles.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setup.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\mtstocom.exe	sysx32.exe
File created	C:\Windows\SysWOW64\rasautou.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\SearchProtocolHost.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\prevhost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\diskperf.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\doskey.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\efsui.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\wlanext.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\ctfmon.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\net1.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\ReAgentc.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\convert.exe	sysx32.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\gpupdate.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\perfmon.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\ARP.EXE	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\shutdown.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\imecfmui.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	sysx32.exe
File created	C:\Windows\SysWOW64\poqexec.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\TpmTool.exe	sysx32.exe
File created	C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\autochk.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\InputSwitchToastHandler.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\Magnify.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\raserver.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\TpmTool.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\waitfor.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\dvdplay.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\mshta.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\dccw.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\dllhst3g.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\perfmon.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\UserAccountControlSettings.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\Com\comrepl.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\certreq.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\pcaui.exe.tmp	sysx32.exe
File created	C:\Windows\SysWOW64\reg.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\chkdsk.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\unregmp2.exe	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\fontdrvhost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\SysWOW64\findstr.exe	sysx32.exe

Drops file in Program Files directory 64 IoCs

Processes:

sysx32.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	sysx32.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe.tmp	sysx32.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe	sysx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	sysx32.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe.tmp	sysx32.exe
File created	C:\Program Files (x86)\Windows Media Player\wmprph.exe.tmp	sysx32.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe.tmp	sysx32.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.tmp	sysx32.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe.tmp	sysx32.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	sysx32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	sysx32.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	sysx32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe.tmp	sysx32.exe
File created	C:\Program Files\Mozilla Firefox\default-browser-agent.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe.tmp	sysx32.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	sysx32.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpshare.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp	sysx32.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	sysx32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe	sysx32.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp	sysx32.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp	sysx32.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Windows Media Player\wmprph.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	sysx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	sysx32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	sysx32.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	sysx32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe.tmp	sysx32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe	sysx32.exe

Drops file in Windows directory 64 IoCs

Processes:

sysx32.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.746_none_4028b8f4f6c0b829\f\wpr.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.264_none_4a12028313046a9e\ntoskrnl.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ShapeCollector.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\r\UNPUXLauncher.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_networking-mpssvc-netsh_31bf3856ad364e35_10.0.19041.1151_none_2e15548db03a22c8\r\CheckNetIsolation.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_6331d348ae4a8fa9\TiFileFetcher.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wrp-integrity-client_31bf3856ad364e35_10.0.19041.1_none_e12fdac08aa3b840\sfc.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_openssh-client-components-onecore_31bf3856ad364e35_10.0.19041.1_none_b5ee49ccbbfbfddb\sftp.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-blb-engine-main_31bf3856ad364e35_10.0.19041.264_none_c1c396da5ea1410f\r\wbengine.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-displayswitch_31bf3856ad364e35_10.0.19041.746_none_cabafbc5834ab93f\r\DisplaySwitch.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ifiedwritefilter-ux_31bf3856ad364e35_10.0.19041.746_none_c7c6fccae233c8b7\r\uwfux.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.19041.1151_none_b46b739f71bbb8b7\f\bash.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-recoverydrive_31bf3856ad364e35_10.0.19041.1237_none_9d556cf140e198b4\f\RecoveryDrive.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgport.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_10.0.19041.906_none_23e2379a6f03d0cb\f\gpresult.exe	sysx32.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_10.0.19041.746_none_735abbdbad8c902f\f\cmd.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_908b22903a403149\newdev.exe	sysx32.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1_none_b29cb2f3845833b7\Microsoft.Uev.SyncController.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.746_none_56f2f7338735a9a6\WFS.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-recdisc-main_31bf3856ad364e35_10.0.19041.84_none_7c1f17a9e1beaf63\recdisc.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-webauth_31bf3856ad364e35_10.0.19041.746_none_099c40ad55bc5d6c\r\AuthHost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.1266_none_fb98272b39a47240\f\MoUsoCoreWorker.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dlna-mdeserver_31bf3856ad364e35_10.0.19041.746_none_b4017de081b11e02\r\MDEServer.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\n\InputApp\TextInputHost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-xbox-gameoverlay_31bf3856ad364e35_10.0.19041.746_none_2703bed0ba809808\f\GamePanel.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\x86_addinprocess32_b77a5c561934e089_4.0.15805.0_none_429bcf7adb8e23ed\AddInProcess32.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-regsvr32_31bf3856ad364e35_10.0.19041.1_none_2e482ad4cee11ead\regsvr32.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_10.0.19041.746_none_d19001beed7624dc\CertEnrollCtrl.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_netfx-csharp_compiler_csc_b03f5f7f11d50a3a_10.0.19041.1_none_77b40a18a99e4f02\csc.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-winrsplugins_31bf3856ad364e35_10.0.19041.1_none_d67c2e3d05659825\winrshost.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-capturepicker.appxmain_31bf3856ad364e35_10.0.19041.423_none_12ca604b48f8d3fb\f\CapturePicker.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..daryauthfactor-task_31bf3856ad364e35_10.0.19041.746_none_a9ff72b1a43fd663\DeviceCredentialDeployment.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\systemreset.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.19041.1288_none_23aa03725ec9354a\f\wuauclt.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wininit_31bf3856ad364e35_10.0.19041.1202_none_a5b2e5b8b986fe3d\wininit.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-runonce_31bf3856ad364e35_10.0.19041.1202_none_94cfabd8a89f0b96\f\runonce.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-d..ectxdatabaseupdater_31bf3856ad364e35_10.0.19041.84_none_2d21e26a18d595c7\r\directxdatabaseupdater.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecore-i..atedusermode-kernel_31bf3856ad364e35_10.0.19041.1023_none_5c93ef2449c89609\securekernel.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..client-ui-wscollect_31bf3856ad364e35_10.0.19041.1_none_bfa47510d0e31e28\WSCollect.exe	sysx32.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.262_none_e73f0197262d9fec\TiWorker.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1_none_6c221eaccd6c91ae\msinfo32.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_be8a8ad4892e651d\f\printui.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-x..jectdialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_d93ee361fbbc8f0a\XGpuEjectDialog.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-certificaterequesttool_31bf3856ad364e35_10.0.19041.928_none_4621828876257e43\n\certreq.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-edge-microsoftedgesh_31bf3856ad364e35_10.0.19041.1_none_7e963f23aba941dd\MicrosoftEdgeSH.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\r\hvsimgr.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.19041.423_none_895925637881788e\f\fixmapi.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\AuditShD.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-time-tool_31bf3856ad364e35_10.0.19041.1_none_a2fa28d9db4c0081\w32tm.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-autofmt_31bf3856ad364e35_10.0.19041.1_none_9be54a615e8b9e53\autofmt.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.19041.117_none_7879d5035b0edfac\r\nltest.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.1_none_623e57cb80e184b5\PasswordOnWakeSettingFlyout.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\aspnetca.exe.tmp	sysx32.exe
File created	C:\Windows\WinSxS\wow64_windowssearchengine_31bf3856ad364e35_7.0.19041.264_none_9627a04e40f9f001\f\SearchIndexer.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1202_none_a391067a6b9b433c\appidtel.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-b..ment-windows-minwin_31bf3856ad364e35_10.0.19041.173_none_2dc175215ae8ec39\winload.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.173_none_f837263e7fdd508f\r\sppsvc.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wifinetworkmanager_31bf3856ad364e35_10.0.19041.84_none_6461f879a9c4a23e\r\wifitask.exe	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-eventcollector_31bf3856ad364e35_10.0.19041.662_none_e341f52007f6d1a8\r\wecutil.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\WinRTNetMUAHostServer.exe	sysx32.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe.tmp	sysx32.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpshell.exe	sysx32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sysx32.exed1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

description	pid	process	target process
PID 1484 wrote to memory of 4868	1484	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	sysx32.exe
PID 1484 wrote to memory of 4868	1484	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	sysx32.exe
PID 1484 wrote to memory of 4868	1484	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	sysx32.exe
PID 1484 wrote to memory of 2132	1484	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
PID 1484 wrote to memory of 2132	1484	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
PID 1484 wrote to memory of 2132	1484	d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe	_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

C:\Users\Admin\AppData\Local\Temp\d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
"C:\Users\Admin\AppData\Local\Temp\d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\sysx32.exe
  C:\Windows\system32\sysx32.exe /scan
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4868
- C:\Users\Admin\AppData\Local\Temp\_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
  C:\Users\Admin\AppData\Local\Temp\_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe
  2⤵
  - Executes dropped EXE
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
7.1MB

MD5
05fdaab17109dc039a70261ef9dd9523

SHA1
0a5e0c8b641d4bfc75c1507a09889bea03841398

SHA256
e6c7d29643dd6fc3a930eb5716ea93fc3e67d8cb19d45d67916e997c3548f460

SHA512
67794b920e3e5c50be27f5107b7b312e02d67afa501432a1050a125bda528ec87e58171635147945f70b4c03dc320b3561a06efda39f6a603597f57200a1a4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364.exe

Filesize
7.1MB

MD5
6aff99dfc1633fe190f57950d2babd58

SHA1
03e1d84c56e35e570e6be6f4b526b8cceaa670be

SHA256
34b557804a29a320eade8fc8617728ece81b656a3afca02dd7c3a851a9d29b71

SHA512
e2b9583d7061086fd9fc84e31404db872c5737fe5411c222b4bb99480c0248c414d1ffc4bc2ce854c16e9604e909c3ede53f84c1046c052c0ea44463a31f52e4

Download Submit
C:\Windows\SysWOW64\sysx32.exe

Filesize
7.1MB

MD5
ef16186ca98cac06a6f224a0c7532fd7

SHA1
08ef445e63e7beed27e7f1d8468e4902fa713815

SHA256
d1e5b9629978700d42b095a7f1a1526b13cf8bf679fffd1005a0daec2af21364

SHA512
eff1289310fed5635037f7ae9564e88eae67620a15d2eff19d821f8d0283380a3528b50f11dfd2bfd78ae951d3a3ce996c980fa16c5cf6336fac84c5737aed23

Download Submit
memory/1484-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1484-164-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4868-908-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4868-909-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4868-1783-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4868-2691-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4868-2692-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4868-2693-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4868-2694-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads