afdcd563555359734f6cb88618a2229abb9e07520ed029105f1b7a029b9533c1

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 20:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54d89b92663159aea64f8933838fe950N.exe
Size

22KB
MD5

54d89b92663159aea64f8933838fe950
SHA1

104579bb046c4fae70f38be6bf30d3cf44ebcd06
SHA256

afdcd563555359734f6cb88618a2229abb9e07520ed029105f1b7a029b9533c1
SHA512

f11af2e892f0d5c7d6b002bb59d57451654cafec9f4a725c33cef911fc4e97c59305a7f859232f67670c12d2de2dea514062b3ef722f25a2a68d9de454bb3243
SSDEEP

384:QOlIBXDaU7CPKK0TIhfJJPbUEobUE51lA:kBT37CPKKdJJTU3U2lA

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2853) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2928-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0009000000023457-2.dat	upx
behavioral2/files/0x0014000000022909-6.dat	upx
behavioral2/memory/2928-636-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Writer.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Primitives.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.DirectoryServices.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationFramework.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.ServicePoint.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClient.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationProvider.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll.tmp	54d89b92663159aea64f8933838fe950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationUI.resources.dll.tmp	54d89b92663159aea64f8933838fe950N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54d89b92663159aea64f8933838fe950N.exe

C:\Users\Admin\AppData\Local\Temp\54d89b92663159aea64f8933838fe950N.exe
"C:\Users\Admin\AppData\Local\Temp\54d89b92663159aea64f8933838fe950N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-384068567-2943195810-3631207890-1000\desktop.ini.tmp

Filesize
22KB

MD5
9c38621769633c9b5653ec0e0e7f297b

SHA1
6be72d714bdd3305be9791b989d5e004dd0a2868

SHA256
97790fed10ba30dca6d1028d47fe8a2d249c17da617423fff92ee627812a5e18

SHA512
9e83da4c11e08b0a3a0d960ff7e1cf340258cc0010cdb22e433d7e2c6b1fc61f465b5e0100d18d05cf087ecaff9484da1a9a6f0cb202152eeb24d3a788aaf851

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
121KB

MD5
aff06b1eb46b4176fee631527eb1bc78

SHA1
071b824f80bb0392cdcba29d6214e3f8f94d8e29

SHA256
15f3d4f9512ec08c9c0ede718b79caa7eb0b063ecaa6212bf61d3571db422276

SHA512
3908b5885aa6c2af18b02358cd951db36f73ac0d287eb511d4fe725938979bf844069b988f698213c34ca972c6e1981f29547708955a53d444e1b03d11d8e234

Download Submit
memory/2928-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2928-636-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download