24020920ce2ac2ff349d60347fa3efb5d1d243be1af680da7cf47923c5f2ad5a

Analysis

max time kernel
120s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 13:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d48539c04544c70e0b70214a869d18d0N.exe
Size

130KB
MD5

d48539c04544c70e0b70214a869d18d0
SHA1

bd1e7c77d03fc7043c1ca65f5b7044ea61f4a9c3
SHA256

24020920ce2ac2ff349d60347fa3efb5d1d243be1af680da7cf47923c5f2ad5a
SHA512

80ea12b7c5449b1ebcf0f3b587721f4d8108227d7b47bf529906938c782b6774fa7cb681d8c3a01460396d0ddf5848b2307c2b1b61c4ed17ce250b946f5f5a9e
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8IZuEd4HZKMSs9w7WsLhEC7ptUHJQWJ9:enaypQSo7Z54HZKMx4dhECVO

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4234) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3564-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00080000000234e8-2.dat	upx
behavioral2/files/0x001400000002291a-6.dat	upx
behavioral2/memory/3564-1742-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\resource.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\management.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationProvider.resources.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\gstreamer-lite.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jdk-1.8\LICENSE.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	d48539c04544c70e0b70214a869d18d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d48539c04544c70e0b70214a869d18d0N.exe

C:\Users\Admin\AppData\Local\Temp\d48539c04544c70e0b70214a869d18d0N.exe
"C:\Users\Admin\AppData\Local\Temp\d48539c04544c70e0b70214a869d18d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini.tmp

Filesize
130KB

MD5
3abfa983cf7382649e1616198e43bfea

SHA1
ccb33b8f7d972cc6318c317ff49823be0e0819bf

SHA256
2c4ea31595b8ad68d75110befcd4080babed57a7e30fc3344cea896859702ff2

SHA512
b914fd328cb300a89b22c3f1abc3f0af8df65229ef067b2de8813653fbc899807bdaa4c70dd9e8c5af4d792de1527220b67ee0029422c7ba8b00c571ac40401a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
229KB

MD5
bbd2c2518debc09559a0dcacd094ee20

SHA1
ec6ed4a5362a51305c874dcb44cdb056edf463db

SHA256
5e9028312724cef2940607eb42631e3b418eb68ff0d4210b50c49b36774cdea7

SHA512
82725f4201953e76d14076c23ca886497357e3b2ce9b1e12698b21243b0adda6e5a0606c6ee4938895b96d52e803569f55af416d24078e21419325149922524f

Download Submit
memory/3564-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3564-1742-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download