df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
Size

121KB
MD5

0c6a8177ea07f166252d05b97e1148fe
SHA1

aded01bfdfd4ead4c20fdd35ecbe045f7847e7c3
SHA256

df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e
SHA512

5ac0627ac762f3aeb5c83370b0871170f89b433be1e17d5adc5001363d327c51b2807e0b005e5c4becc5d3dc8392ee8e3a7c3aa0ea4c605b0dc7d7353d53423b
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8IZxJfe/X8F:fnyiQSo7ZxJOX8F

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1759) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2416-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000b00000001e5ff-2.dat	upx
behavioral2/files/0x0014000000022912-6.dat	upx
behavioral2/memory/2416-764-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationUI.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsBase.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Primitives.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome.dll.sig.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe

C:\Users\Admin\AppData\Local\Temp\df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe
"C:\Users\Admin\AppData\Local\Temp\df24ce4a918bcba04ff093b47ae04fe4b8a904c203ec8d52646ef6f67a9b597e.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3419463127-3903270268-2580331543-1000\desktop.ini.tmp

Filesize
121KB

MD5
07d205075b621b77793c6e6fb1cb81ac

SHA1
0fb5a225b62812fb6776eacbf25d766c3eaf72f4

SHA256
19d009888a488df873fbdb237194cdcf0923e9ecd216b1d8151b764abcc3de12

SHA512
6541ee7efd6e1a50f47d81c58499f82156389066cff8ddd684076d4774f788456188c2fd5327546a67b4949ad6aa8f61333dcf77411e7ac0175271c9f6224038

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
220KB

MD5
224f5316e267635a4b70f2d956c4fb85

SHA1
4b5b4c7589fa722bacaf9a4166f434f1a96c3e92

SHA256
42689e6932ac01189df3b05ed02684d4568ab6925b0d168d47677478613687c9

SHA512
157a9f7c76c87a953df6fa639e7630d865115933ca54142420efb189ecef0d9a1640ac91a3995afd425b0759d725561c8f50bbd4e601b04cece0e1c3e11b6486

Download Submit
memory/2416-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2416-764-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download