658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
Size

68KB
MD5

9255ee93a98f8a29153ce70438363df3
SHA1

c2b1cce8b3c65862275d990dd242c47af2d07b88
SHA256

658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1
SHA512

804cbef3e4886cbf7514bbb24d3cd2b3151047f72b8b928f4cf0a5ef8eca1e2c79b1d759b0859d632a54983bde3d8c10a43516ffda7cfe5588344c49bcc76695
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8zxviYiaEx5ck:KQSo4iYi7

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4754) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3824-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000900000002346d-2.dat	upx
behavioral2/files/0x0014000000022923-6.dat	upx
behavioral2/memory/3824-902-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.cpl.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Java\jdk-1.8\jmc.txt.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemDrawing.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationTypes.resources.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.resources.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsFormsIntegration.resources.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemData.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Design.resources.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\zh-TW.pak.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\hr.pak.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.RegularExpressions.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\fi.pak.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe

C:\Users\Admin\AppData\Local\Temp\658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe
"C:\Users\Admin\AppData\Local\Temp\658506d33b08221c5d02632f2cd8d46d08a919876df4a69683492192c99771e1.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini.tmp

Filesize
69KB

MD5
e649b02ca4367e1797abed499aa847c0

SHA1
0ed598bb3e32ea6becfa81e27cad9bc43e9d4ffc

SHA256
cec1a205f19f2dc9e8a7f9d84626f9ec9d1a69c1e0068cc0f3c52c8ed8097722

SHA512
0d3b8e63faffbc6e417ef135e879c67cb8c1828555fbee141dd6d457ee65acd717d67f8a7c76de6c63d4ce86e0e2cf0e5136bd038e571617ce0f81754e66b6b6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
168KB

MD5
6fe7e398bbe62c7747132e763fcbf2f4

SHA1
4c4e89ddd212efc0270488513b64a91a2268c7e0

SHA256
cbb76c433a2506b568856403143cef05080dca5d9028317dd9800e36e35c635d

SHA512
b5bdbc6cbd715f96bee73eb3cb4d3a91609b8a2ff6dcf3ace61ee319f6bbb300533539d2d2f9124be4d2adc890df6b8e2c57e780b9fe27da7a6e3a0e278a32b8

Download Submit
memory/3824-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3824-902-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download