2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
Size

66KB
MD5

6e53ef5de94da16f8b676b1b52c3498a
SHA1

4247c0801fd64cd08bc2d841558934b69700478d
SHA256

2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a
SHA512

6ddee2349594ef2f304a5bab4f95baf0bbab75b7471299f7abb35e8e42b468512953a438a126790b774a00bf0a19c2e77dd51def293bb37843812ee1f0d4360e
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8IZf2XcxUykUyl:KQSo7Zf2XRki

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (5093) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2352-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233d6-2.dat	upx
behavioral2/files/0x0014000000022909-6.dat	upx
behavioral2/memory/2352-1106-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\sw.pak.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\vulkan-1.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_200_percent.pak.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc.did.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-xstate-l2-1-0.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_ES.LEX.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.tree.dat.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
File created	C:\Program Files\Java\jre-1.8\bin\glass.dll.tmp	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe

C:\Users\Admin\AppData\Local\Temp\2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe
"C:\Users\Admin\AppData\Local\Temp\2a0971cc7020f2b839b37b82197d0f0a0d856504becc77c36f1e10a7fb9e514a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-384068567-2943195810-3631207890-1000\desktop.ini.tmp

Filesize
66KB

MD5
23d787a62dc765757ba0c1eeea4dc46c

SHA1
9d49309ec4b8570e3e3b996a9fff255cfb8f4e93

SHA256
dde28cc7ebafaf2ae9a3ce789a5686ad4506edc32af4a671842db7ab519e4519

SHA512
cfc99a2b2e50bb868a07d4a6322effb4c6831fb97ac6273a80fbed17b97e35b4e272b9331c9373e87cfa811cba413439da8ad171f7eb49d65036b3c2dc36c6ab

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
165KB

MD5
0cde5b0a4bec18627ef40453e0eff6d9

SHA1
4d17172e4f286c5227a3dc2bb893d5c87cba97b3

SHA256
55237b868c97700e50f86c2c49b5d4b18df79ed15812ffe6aaca02510a761377

SHA512
01fc1fc12aab5f8515fd815a0e1f600b7552a8859be4e57fff9332c1e3e1362c14b8178ac082ec329b55a1b67394ba2147c71119e16a76b522905e68403fd93d

Download Submit
memory/2352-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2352-1106-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download