48e80c1a45ff4bdeb0a175a74cc4383b7a4e91075f3013a6ff441b1d081faa4c

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 15:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

db9575557777d38690a769a0f6c6a870N.exe
Size

54KB
MD5

db9575557777d38690a769a0f6c6a870
SHA1

4953688b383023e72b43d656371e2966e49275c3
SHA256

48e80c1a45ff4bdeb0a175a74cc4383b7a4e91075f3013a6ff441b1d081faa4c
SHA512

a2dddab6b78a568e5a53e7ba2a369fff6dc1b9215bbb42b2f8f11bcc37a60ead5cee3027ee83c6383e7156e143ca0e114d3f727d92e3d1aef3446df1e83291a2
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNyN6:V7Zf/FAxTWoJJZENTNyN6

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4259) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/404-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002345b-2.dat	upx
behavioral2/files/0x000600000001e6e4-6.dat	upx
behavioral2/memory/404-1784-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\libEGL.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\pt-BR.pak.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.IO.Packaging.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\gstreamer-lite.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ul-oob.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\sr.pak.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	db9575557777d38690a769a0f6c6a870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	db9575557777d38690a769a0f6c6a870N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db9575557777d38690a769a0f6c6a870N.exe

C:\Users\Admin\AppData\Local\Temp\db9575557777d38690a769a0f6c6a870N.exe
"C:\Users\Admin\AppData\Local\Temp\db9575557777d38690a769a0f6c6a870N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-464762018-485119342-1613148473-1000\desktop.ini.tmp

Filesize
54KB

MD5
54e063d354a5860a6002090c013d8058

SHA1
239fe2d1eccee64a3dbef59f62451434825084b5

SHA256
47dc5ed22d33060c369bb231227ed802917b49cde086790306dce2a7f3c2db32

SHA512
1f50125296d99a46d2c05ecba944f4a9cffd339d846470edc9cafa30e63858cabab200f4a1519399c8b4227ff327b5017a835759b74a4cddea2e0c5d7e832831

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
8e849f5eb9b4a4924c422dcefc45a72e

SHA1
e9f8d59053927795f8212406c487862cd3d5baca

SHA256
a9cae55d32a426f6117a5c667d813fb9160faf24394004a450b51d70078c9bee

SHA512
502eee8fae2a751addfd679ff42cda6331f592a54f10c43b85a38654b16cc7171816126c54265cb26af386aaeae46ef6f48fc39f4c56c61356ad2cd0b15a3482

Download Submit
memory/404-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/404-1784-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download