cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7

General

Target

cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
Size

43KB
MD5

e01c1638bacf8a0afcbbc610f094980c
SHA1

cab1b1140732829bafcb6c6c29715884e5047f3d
SHA256

cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7
SHA512

52f26ae25bfd84090bd2c4a5b3e12c03632848231a6402fe59c1d552264558ac4cc32b3dfb7d63a1141136c27ecc0e669ff22c69a1ec21a6529f02ebd0db3406
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBN:V7Zf/FAxTWoJJZENTBN

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4647) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3224-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/3224-1620-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe

description	ioc	process
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-pl.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsBase.resources.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationUI.resources.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\sw.pak.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Handles.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-pl.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationUI.resources.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationProvider.resources.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\dxil.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklist.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe

C:\Users\Admin\AppData\Local\Temp\cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe
"C:\Users\Admin\AppData\Local\Temp\cceb50fd37251a40439a37d5159cc11d052a14cce28075790871cf90dd96e8b7.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini.tmp

Filesize
43KB

MD5
b19894827ba3c2d8eb951d590fc729b2

SHA1
bb6857f2996d545dddc9dc09fccbc16af26f13cc

SHA256
65c544af4a18afb248babaa9f2f97ba9d85148ac74bc2cd76d3a22709851826d

SHA512
79773a828bd64ec84039cf7825266516a35f2db4a5927b6c3fa9acdf130498ae50fe846e4a3d5e651e7ddba20e3d27e30fc78e9173ceed96993df5afe0fc8655

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
5e6fa507cac449b3149bc1a522adbb98

SHA1
fe0838967bd701d552aa8cdc97fd8655a2a35b23

SHA256
15c1c46a5c987cb9b0f7b32c6acd5ce94c4bc6cc1c60b04ad0898dab0c69fa21

SHA512
082eee01360378542965d9a046f7fbd015178989007e50023a887e803ce6721d254e48818237503b5ce2784c0d57550069e3e650e3a9c4b1d89e81c565c71c8b

Download Submit
memory/3224-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3224-1620-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads