sysprep.exe

  • File Path: C:\Windows\system32\Sysprep\sysprep.exe
  • Description: System Preparation Tool

Screenshot

sysprep.exe

Hashes

Type Hash
MD5 C5E1B06428599844B7A5F68569BC9B2C
SHA1 77F1251781EA5ADB08D9562EEE4D7F8A7E75464C
SHA256 13D75313A9C011214F7C62EF659E441ABE4C80D5F85FF559C0ABCFDB36C44F10
SHA384 9F0A0DEDEF8CC11CF7FB04721D769FBB23B66653E0BF321FB8514605E46AA1122BB0F6AAEFCFBE365B82D9A20CFC99CC
SHA512 18EE126C254C87F4ACEF5D5ACFFA9AF5329433C7445D9405E48052C869FBEAB53ED2106245B3140D144C1DFDF832FB2140838D8C2528641DDA6029F15EF0E2C8
SSDEEP 12288:NiwH2arwj4gAiiLSHp4Kh15ogt6ldY1f661Ep:NiUTgAiaSuMl6ea
IMP 26CECC77A14868FEBC547A3A952471C1
PESHA1 5826A62D2704F84A344A2309B280A6272EEFEFE4
PE256 939B3B9811A5FC7244B296EA1BA2D1CCD9FABC09C6A663B7FD030909B2698FB1

Runtime Data

Window Title:

System Preparation Tool 3.14

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\Sysprep\en-US\sysprep.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(RW-) C:\Users\user File
(RW-) C:\Windows\System32\Sysprep\Panther\diagerr.xml File
(RW-) C:\Windows\System32\Sysprep\Panther\diagwrn.xml File
(RW-) C:\Windows\System32\Sysprep\Panther\setupact.log File
(RW-) C:\Windows\System32\Sysprep\Panther\setuperr.log File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\SetupLogSection Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\system32\Sysprep\sysprep.exe
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sysprep.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/13d75313a9c011214f7c62ef659e441abe4c80d5f85ff559c0abcfdb36c44f10/detection

Possible Misuse

The following table contains possible examples of sysprep.exe being misused. While sysprep.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_sysprep_appdata.yml title: Sysprep on AppData Folder DRL 1.0
sigma proc_creation_win_susp_sysprep_appdata.yml description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) DRL 1.0
sigma proc_creation_win_susp_sysprep_appdata.yml - '\sysprep.exe' DRL 1.0
malware-ioc 2021_T2 Sysprep © ESET 2014-2018
signature-base apt_codoso.yar $c3 = “\sysprep\sysprep.exe” fullword wide CC BY-NC 4.0
signature-base apt_codoso.yar $c4 = “\sysprep\CRYPTBASE.dll” fullword wide CC BY-NC 4.0
signature-base apt_codoso.yar $c7 = “\sysprep” fullword wide CC BY-NC 4.0
signature-base apt_hellsing_kaspersky.yar $a9 = “C:\Windows\System32\sysprep\sysprep.exe” wide CC BY-NC 4.0
signature-base apt_thrip.yar $s1 = “C:\WINDOWS\system32\sysprep\cryptbase.dll” fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s2 = “C:\Windows\SysNative\sysprep\cryptbase.dll” fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s2 = “C:\Windows\system32\sysprep\cryptbase.dll” fullword ascii CC BY-NC 4.0
signature-base apt_win_plugx.yar $s3 = “l%s\sysprep\CRYPTBASE.DLL” fullword wide CC BY-NC 4.0
signature-base apt_win_plugx.yar $s7 = “%s\sysprep\sysprep.exe” fullword wide CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s3 = “%systemroot%\system32\sysprep\sysprep.exe” fullword wide CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s4 = “/c wusa %ws /extract:%%windir%%\system32\sysprep” fullword wide CC BY-NC 4.0
signature-base exploit_uac_elevators.yar $s6 = “loadFrom="%systemroot%\system32\sysprep\cryptbase.DLL"” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.