f300f813c63a8c44205bec46ddcd4d480cf6899c03a0f49e7270d0774e8e4241

Analysis

max time kernel
121s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ccbebd5a94637922c7000c6f6781460N.exe
Size

33KB
MD5

7ccbebd5a94637922c7000c6f6781460
SHA1

4ca386550493fbee492348fc7e72e58139226e00
SHA256

f300f813c63a8c44205bec46ddcd4d480cf6899c03a0f49e7270d0774e8e4241
SHA512

65956d9c1d58c2b3e8d11ad5fa2d80df8ba03044b3571d3938ea1d0a83c9f75be84ef7fbb0b519ad1ca2ee05fbdb6c951860ef6501ef96ca79b5a9c38a5ee659
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNyHF/MF/HggD5XGoxATHnTiUfNBU7I:CTW7JJZENTNyl2aPP

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1773) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4424-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00070000000234af-2.dat	upx
behavioral2/files/0x001400000002292d-6.dat	upx
behavioral2/memory/4424-320-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationTypes.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClient.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\BlockConnect.eps.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationProvider.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationFramework.resources.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Uri.dll.tmp	7ccbebd5a94637922c7000c6f6781460N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ccbebd5a94637922c7000c6f6781460N.exe

C:\Users\Admin\AppData\Local\Temp\7ccbebd5a94637922c7000c6f6781460N.exe
"C:\Users\Admin\AppData\Local\Temp\7ccbebd5a94637922c7000c6f6781460N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini.tmp

Filesize
33KB

MD5
ea2e4ca3915deba3b153e4dabcef16ed

SHA1
0eb413a4ec918e645024e9eebaf0a0b4935db840

SHA256
2647f0785d6d15a0d902e9f54cb8926af93d95c9aea0fa893dba85ade4c7c64b

SHA512
f340b9f7257f7f06414c5df11076b16f940c7a426c18a05efffca6c2670a84e4190add37d2a8695c9430ced4db525611f43b6e463301b997b1a611d815e85098

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
132KB

MD5
d910ef01f42a20aa0106cb0f8b4b8711

SHA1
144570af2f9545e2333e25ae739051ac33f93483

SHA256
3b2de6abc17e608e454f100afd80d66050efd9c05dd1786e0657a22323db3dda

SHA512
ff4fb7b125462a75fd309989e69320ed68d6e1df3e83854e580ad0e16119230b96d70f1b1f56754ffead0f3c66ead61fceced0effadba2c3e31218acbc1ee3bb

Download Submit
memory/4424-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4424-320-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download