57b143081e53b1c43d37f46cc23423672bca6e15e5fc15d986f3f2c36d8f4fe8

Analysis

max time kernel
120s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efef0de582e1bda8464f705d7883e020N.exe
Size

34KB
MD5

efef0de582e1bda8464f705d7883e020
SHA1

e5888be17faed88f9914ba8d71fb2e4d045e6d2f
SHA256

57b143081e53b1c43d37f46cc23423672bca6e15e5fc15d986f3f2c36d8f4fe8
SHA512

7165893142fd76f7c97cd2c8ad943318d52f1d63d5cb66e082031afa0514d8c7d0169651df7c61db1cbe57f03d7d7f401fa6636eae4a2f47c38cbaaea80f6f0b
SSDEEP

768:kBT37CPKK1EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeIiKxL:CTWJGpGE

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4226) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4252-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023461-2.dat	upx
behavioral2/files/0x0014000000022923-6.dat	upx
behavioral2/memory/4252-958-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationTypes.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Design.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Input.Manipulations.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Extensions.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp	efef0de582e1bda8464f705d7883e020N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efef0de582e1bda8464f705d7883e020N.exe

C:\Users\Admin\AppData\Local\Temp\efef0de582e1bda8464f705d7883e020N.exe
"C:\Users\Admin\AppData\Local\Temp\efef0de582e1bda8464f705d7883e020N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini.tmp

Filesize
34KB

MD5
262fde4bd77109dd939cd6e6f91f1c43

SHA1
7263e8eb9775aa961d3c1a6c577dc2c079c94384

SHA256
22c202442b9062b57886b3d39d8e3cb1bcd5995b9e115ef91c229e6505e36564

SHA512
e268ad2c4ef1d75aac3ee9659ffc7af24092b3f6b303c21c7568efbc463ceced76a51c1e256dc5fa0c649c0f6be5709d7758a2f1d6631ff2c2eed22be0e9e821

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
133KB

MD5
06e8feefd0d9444373bf8134391e842a

SHA1
3ae7867f5330f197d0855165b43e4b6e5f4d480a

SHA256
107f2f2d53233858086db997c936fe0e50320f08aa3468c09daa0bb9d059a984

SHA512
370727170e3d813e829d8c0a878977d0cdf84208ad75df6bf5ec74a68d2d9486c17d5c3bb5872d607196b83d1cfb8d33fb9935fbeeb4158f814ecf297550d65e

Download Submit
memory/4252-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4252-958-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download