sysprep.exe

  • File Path: C:\Windows\system32\Sysprep\sysprep.exe
  • Description: System Preparation Tool

Screenshot

sysprep.exe

Hashes

Type Hash
MD5 2C4DA745709076C61C11BE5B60B489EF
SHA1 548F63F71A0E1852BA13556362BFA7B4DC8F1A90
SHA256 71EF84A9A310E34483CE3D40D805743F2D59DE1D3ADAD3F1639A6CFDAAE08EFD
SHA384 812A3B88C2C9CCEB2797670437A0C1729F2855C3952E7E3D56A46984CEFF690828D222BA4DA69081F7F2748C407B4DA5
SHA512 06D08ABA7EB5568706C422DF2501112114C453AC6B899A2B8626D0B183A41578844C47F61CE34FB1A87281C1E5EDCF9DF37A602B88F49682FC45F07DE4B6AD3F
SSDEEP 12288:FHa9tyNNPsBzdhC8p82hnxa+Xoz4ztWYhaBTrGqdV/3z35oJnJgi:FHa9ty3PsNdhHp82JYv7NGqdd35o

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(R-D) C:\Windows\System32\Sysprep\en-US\sysprep.exe.mui File
(RW-) C:\Users\user\Documents File
(RW-) C:\Windows\System32\Sysprep\Panther\diagerr.xml File
(RW-) C:\Windows\System32\Sysprep\Panther\diagwrn.xml File
(RW-) C:\Windows\System32\Sysprep\Panther\setupact.log File
(RW-) C:\Windows\System32\Sysprep\Panther\setuperr.log File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1397_none_de7645305346d5dc File
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\SetupLogSection Section
\Sessions\2\Windows\Theme4283305886 Section
\Windows\Theme1956823608 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\Sysprep\sysprep.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sysprep.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of sysprep.exe being misused. While sysprep.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_sysprep_appdata.yml title: Sysprep on AppData Folder DRL 1.0
sigma proc_creation_win_susp_sysprep_appdata.yml description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) DRL 1.0
sigma proc_creation_win_susp_sysprep_appdata.yml - '\sysprep.exe' DRL 1.0
malware-ioc 2021_T2 Sysprep © ESET 2014-2018
signature-base apt_codoso.yar $c3 = “\sysprep\sysprep.exe” fullword wide CC BY-NC 4.0
signature-base apt_codoso.yar $c4 = “\sysprep\CRYPTBASE.dll” fullword wide CC BY-NC 4.0
signature-base apt_codoso.yar $c7 = “\sysprep” fullword wide CC BY-NC 4.0
signature-base apt_hellsing_kaspersky.yar $a9 = “C:\Windows\System32\sysprep\sysprep.exe” wide CC BY-NC 4.0
signature-base apt_thrip.yar $s1 = “C:\WINDOWS\system32\sysprep\cryptbase.dll” fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s2 = “C:\Windows\SysNative\sysprep\cryptbase.dll” fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s2 = “C:\Windows\system32\sysprep\cryptbase.dll” fullword ascii CC BY-NC 4.0
signature-base apt_win_plugx.yar $s3 = “l%s\sysprep\CRYPTBASE.DLL” fullword wide CC BY-NC 4.0
signature-base apt_win_plugx.yar $s7 = “%s\sysprep\sysprep.exe” fullword wide CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s3 = “%systemroot%\system32\sysprep\sysprep.exe” fullword wide CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s4 = “/c wusa %ws /extract:%%windir%%\system32\sysprep” fullword wide CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s6 = “loadFrom="%systemroot%\system32\sysprep\cryptbase.DLL"” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.