6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
Size

42KB
MD5

69a04a278f11ca13f83f8e3547158c35
SHA1

de14fdaaf5351b151b72bdde68c355dc4243b384
SHA256

6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c
SHA512

5167dfa07ff7e9ea48ebb58bd15e4f744137e5e1b07e95d25dbfe349410e77a3ae6ecf6d542aa3543a97685e7d565c0bf2e71605f94b026dd4d068258bf2140b
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBR:V7Zf/FAxTWoJJZENTBR

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4867) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023478-2.dat	upx
behavioral2/files/0x00080000000234cf-6.dat	upx
behavioral2/memory/4820-1788-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Input.Manipulations.resources.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Controls.Ribbon.resources.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationTypes.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\ro.pak.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\sw.pak.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.MDXQueryGenerator.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe

C:\Users\Admin\AppData\Local\Temp\6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe
"C:\Users\Admin\AppData\Local\Temp\6097cff5631e773e354d5e532051d358efa4cc72848f6f9f7a64bf3c1116615c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-464762018-485119342-1613148473-1000\desktop.ini.tmp

Filesize
43KB

MD5
2ca43349e76a303b58eb12c1b9a31920

SHA1
db665570a276fc9db9e13b48eb0f463c665fb904

SHA256
90951be67cb857ac6ca743a5e62c9d178732e372b538d36c3034b116cbecd6c4

SHA512
7af3374731bf7c30376c3e111530b365042735efa8878cf6e5efcdfaac5681f1a16237919d165fd59c07fb2a201ea980107dc140a244ebe0cfad83067dccb139

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
93517fbf5aea280d22e932bac2cf8b4a

SHA1
d7be9a8df0661b36f911157e4147cf5ebfc85f4e

SHA256
d533d6e11a8ba4cf0d02f8e7897ffe71edf3473dc6da1aa272bd9174c6db3193

SHA512
6e8fd734220944a318262a47ff72eeaeb2763c38fb6e01d7052a67e3be898e7711ba8f07d59ffb45bbee8136fdba09b2b6a961128f78e34f4ec6adeca8e70b37

Download Submit
memory/4820-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4820-1788-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download