baaa7bd6789404e4916e2759b94ab1a345beadf6ac5a36b0d585b9f5edf5aed0

Analysis

max time kernel
120s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 23:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

132110b1fb0f321ff7bf7af41e40d160N.exe
Size

924KB
MD5

132110b1fb0f321ff7bf7af41e40d160
SHA1

96d9b3468eac437cd0d3b077152ee4800556b688
SHA256

baaa7bd6789404e4916e2759b94ab1a345beadf6ac5a36b0d585b9f5edf5aed0
SHA512

6ddaba233228a0802cf50dff99653f696c60ef323c2006b0184daf91a893734cc11d3a15aed23103831eeae7f5f148d89278abdc565a8e1c04f3173939eef6ac
SSDEEP

24576:p5MTl31GZzzye1kWkhCkhVvlQuLM4paA24QQ0gaiirmMzQlVWTnk7ZqDy:rdzV/Vg7

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1150) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2268-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00080000000234ab-2.dat	upx
behavioral2/files/0x0014000000022923-6.dat	upx
behavioral2/memory/2268-696-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-timezone-l1-1-0.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Xaml.resources.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.resources.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	132110b1fb0f321ff7bf7af41e40d160N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	132110b1fb0f321ff7bf7af41e40d160N.exe

C:\Users\Admin\AppData\Local\Temp\132110b1fb0f321ff7bf7af41e40d160N.exe
"C:\Users\Admin\AppData\Local\Temp\132110b1fb0f321ff7bf7af41e40d160N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini.tmp

Filesize
924KB

MD5
6e45fef8eb39d1be70556c5713b740ae

SHA1
95c454be86142aed6aa879d8dc16c784df1f62e9

SHA256
c5f22eb9e6d6eac832263509b441f19f37fa3491c25e3b23f9abc692336cecd8

SHA512
1f191bdd4d3a1550272eca97bd4ffdaba307ec974d99d984e5827cf23380716a3cd9a5bb40d9b4aa29b329a8fd689083c17eca0481b2ebd6cf1826ba5602c3c5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
1023KB

MD5
77bf47ee76926c5c74286db780680eee

SHA1
b51ae5f0a274fdee1d552d00dc25785f7d594450

SHA256
7e3aa3efe02ab7bee58adda9436736164af11d6662ec3df9f9eeeef7bf00e1cd

SHA512
6328dca40fd4f6a91ecf162a512ddb412750886542ff933abf6d9e386d5fd158676c52dd149868b5f894fdb0f9a74598a05041a6951605cda96c997d4590a26e

Download Submit
memory/2268-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2268-696-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download