sysprep.exe

  • File Path: C:\WINDOWS\system32\Sysprep\sysprep.exe
  • Description: System Preparation Tool

Screenshot

sysprep.exe

Hashes

Type Hash
MD5 7A33B4DE9B06EB39A651AAB12D9103AD
SHA1 C8F0341267FC832BA5D30D1769264FBAC7CF77C1
SHA256 C12408B6FD84CD48CF9B940EDBE145AE9230AFEDB54A9288B34DD6836D0B2BAB
SHA384 9B6B7CB6600A2355B9F2FAD586CC5488C74DDEAD38CC80CD028136D7D66A46130BC921223AD15C81E2A5AE087BFCD856
SHA512 B1DF62443292FAD318A8E2406FCC87115F558D23D024CA681A65BE9174A65ACDB7C1F166E6B3849A5A4FD49A6E2BCD396C0259423E89AF56E4D2AD1ED3EB4B81
SSDEEP 12288:sr3r5H8ceIYBDhcBhc64Eb5x3wVbxPG0a4bEk9Qx9Fgo/YFzbfd9:Q5H3KhcBhr4ew2zx9Fgo/kbl9
IMP 1FA50BE904E9350FFBA20E4BE519CC24
PESHA1 60EAF5BFDF168BCFE41EDF7770CEB1B1A893BF86
PE256 F1076F9A02D89C7F834ECBD0C3F79067F73514D6490DEF0CAD1A4E518EDDE370

Runtime Data

Window Title:

System Preparation Tool 3.14

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\Sysprep\en-US\sysprep.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(RW-) C:\Windows\System32 File
(RW-) C:\Windows\System32\Sysprep\Panther\diagerr.xml File
(RW-) C:\Windows\System32\Sysprep\Panther\diagwrn.xml File
(RW-) C:\Windows\System32\Sysprep\Panther\setupact.log File
(RW-) C:\Windows\System32\Sysprep\Panther\setuperr.log File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\SetupLogSection Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\SessionImmersiveColorPreference Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\System32\ADVAPI32.dll
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\RPCRT4.dll
C:\WINDOWS\System32\sechost.dll
C:\WINDOWS\system32\Sysprep\sysprep.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sysprep.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/c12408b6fd84cd48cf9b940edbe145ae9230afedb54a9288b34dd6836d0b2bab/detection

Possible Misuse

The following table contains possible examples of sysprep.exe being misused. While sysprep.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_sysprep_appdata.yml title: Sysprep on AppData Folder DRL 1.0
sigma proc_creation_win_susp_sysprep_appdata.yml description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) DRL 1.0
sigma proc_creation_win_susp_sysprep_appdata.yml - '\sysprep.exe' DRL 1.0
malware-ioc 2021_T2 Sysprep © ESET 2014-2018
signature-base apt_codoso.yar $c3 = “\sysprep\sysprep.exe” fullword wide CC BY-NC 4.0
signature-base apt_codoso.yar $c4 = “\sysprep\CRYPTBASE.dll” fullword wide CC BY-NC 4.0
signature-base apt_codoso.yar $c7 = “\sysprep” fullword wide CC BY-NC 4.0
signature-base apt_hellsing_kaspersky.yar $a9 = “C:\Windows\System32\sysprep\sysprep.exe” wide CC BY-NC 4.0
signature-base apt_thrip.yar $s1 = “C:\WINDOWS\system32\sysprep\cryptbase.dll” fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s2 = “C:\Windows\SysNative\sysprep\cryptbase.dll” fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s2 = “C:\Windows\system32\sysprep\cryptbase.dll” fullword ascii CC BY-NC 4.0
signature-base apt_win_plugx.yar $s3 = “l%s\sysprep\CRYPTBASE.DLL” fullword wide CC BY-NC 4.0
signature-base apt_win_plugx.yar $s7 = “%s\sysprep\sysprep.exe” fullword wide CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s3 = “%systemroot%\system32\sysprep\sysprep.exe” fullword wide CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s4 = “/c wusa %ws /extract:%%windir%%\system32\sysprep” fullword wide CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s6 = “loadFrom="%systemroot%\system32\sysprep\cryptbase.DLL"” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.