45ebed0e3460531fafe88e5cf70ded1dcc0129d5c19b3d1cc208abae383b5a7a

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7faa2ad683d192a630fa0036d4640c50N.exe
Size

61KB
MD5

7faa2ad683d192a630fa0036d4640c50
SHA1

6f3468fee6bdc074a283bb7e30af2b970e1c86c6
SHA256

45ebed0e3460531fafe88e5cf70ded1dcc0129d5c19b3d1cc208abae383b5a7a
SHA512

b69876f5b731aa0e4bb0d1dade2bc9eaff05c67f9061a7c71188346aa5583e1f56403a68dd736bf3799032bc82a105d8aee9cbc26509d7a049b24b7a81b60c52
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJTU3U2lRt8BT37CPKKdJJTU3U2lRtw:V7Zf/FAxTWoJJTU3UytaTW7JJTU3Uytw

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (2174) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2172-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000234e8-2.dat	upx
behavioral2/files/0x000600000001e5db-6.dat	upx
behavioral2/memory/2172-1506-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationUI.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.Editors.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\ReachFramework.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Uri.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\zh-TW.pak.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.SystemEvents.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\default_apps\external_extensions.json.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\id.pak.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jmc.txt.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Watcher.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	7faa2ad683d192a630fa0036d4640c50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7faa2ad683d192a630fa0036d4640c50N.exe

C:\Users\Admin\AppData\Local\Temp\7faa2ad683d192a630fa0036d4640c50N.exe
"C:\Users\Admin\AppData\Local\Temp\7faa2ad683d192a630fa0036d4640c50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini.tmp

Filesize
61KB

MD5
991b94e5cc4ad00319faac4998f4b497

SHA1
fafc4fc06c0fd7e91135db374beaaf8643e8b452

SHA256
deb36b0f6332c2a1f0e72cdaf1933164112e2f4539b0ee14d3b3770773fd2e30

SHA512
10fcc0e50348d33f55ed7962ad415bb082be6e83becd2778aaadce0c457ee0b723d02bb471e3226d18c95840c9d5cacd872d344969f7e0904368fee1fb54c295

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
160KB

MD5
912386ae11ecd226fba06ff1897b4404

SHA1
c4aaa967c4869ca6bdf2824bedaba8e93df662bb

SHA256
e9079060bbb4e58586d68f933861ca5ab60c09e3a70477c9e6b985bb0601b624

SHA512
ce98fbf22dcadf789720bbd0bab5cf16aef6b3eabc05ce2242a62cf655ef7b4d98b334e86035bef73b09cbe82614f2b7dfc91e14b32ba2b1231e5562da8668c8

Download Submit
memory/2172-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2172-1506-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download