sysprep.exe
- File Path:
C:\WINDOWS\system32\Sysprep\sysprep.exe - Description: System Preparation Tool
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 7A33B4DE9B06EB39A651AAB12D9103AD |
| SHA1 | C8F0341267FC832BA5D30D1769264FBAC7CF77C1 |
| SHA256 | C12408B6FD84CD48CF9B940EDBE145AE9230AFEDB54A9288B34DD6836D0B2BAB |
| SHA384 | 9B6B7CB6600A2355B9F2FAD586CC5488C74DDEAD38CC80CD028136D7D66A46130BC921223AD15C81E2A5AE087BFCD856 |
| SHA512 | B1DF62443292FAD318A8E2406FCC87115F558D23D024CA681A65BE9174A65ACDB7C1F166E6B3849A5A4FD49A6E2BCD396C0259423E89AF56E4D2AD1ED3EB4B81 |
| SSDEEP | 12288:sr3r5H8ceIYBDhcBhc64Eb5x3wVbxPG0a4bEk9Qx9Fgo/YFzbfd9:Q5H3KhcBhr4ew2zx9Fgo/kbl9 |
| IMP | 1FA50BE904E9350FFBA20E4BE519CC24 |
| PESHA1 | 60EAF5BFDF168BCFE41EDF7770CEB1B1A893BF86 |
| PE256 | F1076F9A02D89C7F834ECBD0C3F79067F73514D6490DEF0CAD1A4E518EDDE370 |
Runtime Data
Window Title:
System Preparation Tool 3.14
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\Sysprep\en-US\sysprep.exe.mui | File |
| (R-D) C:\Windows\SystemResources\imageres.dll.mun | File |
| (RW-) C:\Windows\System32 | File |
| (RW-) C:\Windows\System32\Sysprep\Panther\diagerr.xml | File |
| (RW-) C:\Windows\System32\Sysprep\Panther\diagwrn.xml | File |
| (RW-) C:\Windows\System32\Sysprep\Panther\setupact.log | File |
| (RW-) C:\Windows\System32\Sysprep\Panther\setuperr.log | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\SetupLogSection | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\SessionImmersiveColorPreference | Section |
| \Sessions\2\Windows\Theme1077709572 | Section |
| \Windows\Theme3461253685 | Section |
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\System32\ADVAPI32.dll |
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\System32\msvcrt.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\System32\RPCRT4.dll |
| C:\WINDOWS\System32\sechost.dll |
| C:\WINDOWS\system32\Sysprep\sysprep.exe |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: sysprep.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/c12408b6fd84cd48cf9b940edbe145ae9230afedb54a9288b34dd6836d0b2bab/detection
Possible Misuse
The following table contains possible examples of sysprep.exe being misused. While sysprep.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_sysprep_appdata.yml | title: Sysprep on AppData Folder |
DRL 1.0 |
| sigma | proc_creation_win_susp_sysprep_appdata.yml | description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) |
DRL 1.0 |
| sigma | proc_creation_win_susp_sysprep_appdata.yml | - '\sysprep.exe' |
DRL 1.0 |
| malware-ioc | 2021_T2 | Sysprep |
© ESET 2014-2018 |
| signature-base | apt_codoso.yar | $c3 = “\sysprep\sysprep.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_codoso.yar | $c4 = “\sysprep\CRYPTBASE.dll” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_codoso.yar | $c7 = “\sysprep” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_hellsing_kaspersky.yar | $a9 = “C:\Windows\System32\sysprep\sysprep.exe” wide | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s1 = “C:\WINDOWS\system32\sysprep\cryptbase.dll” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s2 = “C:\Windows\SysNative\sysprep\cryptbase.dll” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s2 = “C:\Windows\system32\sysprep\cryptbase.dll” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_win_plugx.yar | $s3 = “l%s\sysprep\CRYPTBASE.DLL” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_win_plugx.yar | $s7 = “%s\sysprep\sysprep.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | exploit_uac_elevators.yar | $s3 = “%systemroot%\system32\sysprep\sysprep.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | exploit_uac_elevators.yar | $s4 = “/c wusa %ws /extract:%%windir%%\system32\sysprep” fullword wide | CC BY-NC 4.0 |
| signature-base | exploit_uac_elevators.yar | $s6 = “loadFrom="%systemroot%\system32\sysprep\cryptbase.DLL"” fullword ascii | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.