95668b1e4ddce8f5703e7f85600ab68a00780e875e66c73bba1b3b3483d30a7c

Analysis

max time kernel
96s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

378a82d02ea15f414fa4063fac68e780N.exe
Size

102KB
MD5

378a82d02ea15f414fa4063fac68e780
SHA1

319c42af1b7b41a436fcf2fcd82278e2e46b36f9
SHA256

95668b1e4ddce8f5703e7f85600ab68a00780e875e66c73bba1b3b3483d30a7c
SHA512

b79e88ae4842ffd004baeff2fc3d2d88aaba21fa97efd5bd51c459000b855ac1b955d5ad79c9cb2806432212641c8ed9780ff22590fb71ea2d0d9a3596c3f696
SSDEEP

1536:V7Zf/FAxTWoJJXV6Z5P4xHsthhg/G5ukR+7bHl4vaMPpxIjCTk6G2KZ8qoazwbgi:fny1bHg

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2582) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3504-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233fa-2.dat	upx
behavioral2/files/0x000600000001e5db-6.dat	upx
behavioral2/memory/3504-1682-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Controls.Ribbon.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2gss.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\ConvertExport.sys.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.DispatchProxy.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Security.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Xaml.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp	378a82d02ea15f414fa4063fac68e780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	378a82d02ea15f414fa4063fac68e780N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	378a82d02ea15f414fa4063fac68e780N.exe

C:\Users\Admin\AppData\Local\Temp\378a82d02ea15f414fa4063fac68e780N.exe
"C:\Users\Admin\AppData\Local\Temp\378a82d02ea15f414fa4063fac68e780N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini.tmp

Filesize
102KB

MD5
82f0c911e61a2ad0d2dc365a98ef5af5

SHA1
1930b7bfeddb1f7b4cc32b7022d0d488119b281b

SHA256
1d1fac664d30f4c91b0c8237d026b8e626b6ec27d2e056c1f9d4e0cbf1fb7425

SHA512
fcd51a32ee08a26dcf22f0f949cc32154539a591a7196e73d6593edd5dff74104fc3a289cb529d667b8b97260d804b3e8e3f9ef6771eb1f775b96669ae4a467b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
201KB

MD5
1b367e84dbe73ab87e8bb3c2bc118a90

SHA1
e3529230ccabe69ba57a1a0f4482fde480a524ee

SHA256
65283acb4a1935d296168910052ea594ec4315c3c71fe367e4bce0765a02a73f

SHA512
e1761c66cc821c170f4a77556a0a694c42a43c0f378f9415fdd28ae88a1bb8a66b1c24537ce140a6d4e49a3c96e0ae5678a4463da621be65deeda38db154ccf1

Download Submit
memory/3504-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3504-1682-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download