sysprep.exe

  • File Path: C:\Windows\system32\Sysprep\sysprep.exe
  • Description: System Preparation Tool

Screenshot

sysprep.exe

Hashes

Type Hash
MD5 6BD9AECD5D43133E4046DD6EE22611D3
SHA1 E7F75F7EE4A6359CEFC20F3EF5662119CBD5EF2A
SHA256 C723D7DCB559386D16BE57498185FCF17FF8F68FF952F4ADD84CEF6ECB58D672
SHA384 3C09174724DE285110D0E3BA20E39D10441A1B5CC06A1EC9AA5BC1BC776365B39249E54442B788221A0564FCBBA06EEC
SHA512 B208D3348F65D2C696973874F78E9A700EA036B5A764DBA2D44067876C6DEF251F5AE410840C8548962CE6C17C8CB2A60A5FDFFFC5D3BB6F1D4284EF32FED62A
SSDEEP 12288:+e62N1AcIjxMCN8/Uq54/t4KAWoiQ6Ppa+syKYnk3:+uNqqCe/f5u2fj6PuynnY
IMP 26CECC77A14868FEBC547A3A952471C1
PESHA1 1E93936687E2B996FAE4F44890DAE43EEC8CF94E
PE256 47F6202E283DDE4BC50165F188C8B6FC136DBAF31362AB1A0ADD5B1147996ED9

Runtime Data

Window Title:

System Preparation Tool 3.14

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\Sysprep\en-US\sysprep.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(RW-) C:\Users\user File
(RW-) C:\Windows\System32\Sysprep\Panther\diagerr.xml File
(RW-) C:\Windows\System32\Sysprep\Panther\diagwrn.xml File
(RW-) C:\Windows\System32\Sysprep\Panther\setupact.log File
(RW-) C:\Windows\System32\Sysprep\Panther\setuperr.log File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\SetupLogSection Section
\Sessions\1\Windows\Theme449731986 Section
\Windows\Theme1396518710 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\system32\Sysprep\sysprep.exe
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sysprep.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/c723d7dcb559386d16be57498185fcf17ff8f68ff952f4add84cef6ecb58d672/detection

Possible Misuse

The following table contains possible examples of sysprep.exe being misused. While sysprep.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_sysprep_appdata.yml title: Sysprep on AppData Folder DRL 1.0
sigma proc_creation_win_susp_sysprep_appdata.yml description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) DRL 1.0
sigma proc_creation_win_susp_sysprep_appdata.yml - '\sysprep.exe' DRL 1.0
malware-ioc 2021_T2 Sysprep © ESET 2014-2018
signature-base apt_codoso.yar $c3 = “\sysprep\sysprep.exe” fullword wide CC BY-NC 4.0
signature-base apt_codoso.yar $c4 = “\sysprep\CRYPTBASE.dll” fullword wide CC BY-NC 4.0
signature-base apt_codoso.yar $c7 = “\sysprep” fullword wide CC BY-NC 4.0
signature-base apt_hellsing_kaspersky.yar $a9 = “C:\Windows\System32\sysprep\sysprep.exe” wide CC BY-NC 4.0
signature-base apt_thrip.yar $s1 = “C:\WINDOWS\system32\sysprep\cryptbase.dll” fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s2 = “C:\Windows\SysNative\sysprep\cryptbase.dll” fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s2 = “C:\Windows\system32\sysprep\cryptbase.dll” fullword ascii CC BY-NC 4.0
signature-base apt_win_plugx.yar $s3 = “l%s\sysprep\CRYPTBASE.DLL” fullword wide CC BY-NC 4.0
signature-base apt_win_plugx.yar $s7 = “%s\sysprep\sysprep.exe” fullword wide CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s3 = “%systemroot%\system32\sysprep\sysprep.exe” fullword wide CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s4 = “/c wusa %ws /extract:%%windir%%\system32\sysprep” fullword wide CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s6 = “loadFrom="%systemroot%\system32\sysprep\cryptbase.DLL"” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.