7b06a47bdd0224152e6d58efee609003f26b155ebc9e5c70a0a22052d17f5e19

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beb3dff515626279b39af6dc15803ec0N.exe
Size

47KB
MD5

beb3dff515626279b39af6dc15803ec0
SHA1

8c93f770b59d9cb990fd3f235874158f1e5bf723
SHA256

7b06a47bdd0224152e6d58efee609003f26b155ebc9e5c70a0a22052d17f5e19
SHA512

295e7812ca228b1f08e0be37565725521ded01a8a3a58082374b752a6c79bbd944b3c9a09a647d890b66fbee73a5c285ec94bfd4acdb9452cc3b1170b447b47c
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJBZBZaOAOIB3jM2jMbNoddObiJfoddObiJ2:V7Zf/FAxTWoJJB7LD2I2IbumQ

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (1763) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3968-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023462-2.dat	upx
behavioral2/files/0x001400000002292d-6.dat	upx
behavioral2/memory/3968-1336-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\123.0.6312.105.manifest.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Json.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\D3DCompiler_47_cor3.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Debug.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	beb3dff515626279b39af6dc15803ec0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beb3dff515626279b39af6dc15803ec0N.exe

C:\Users\Admin\AppData\Local\Temp\beb3dff515626279b39af6dc15803ec0N.exe
"C:\Users\Admin\AppData\Local\Temp\beb3dff515626279b39af6dc15803ec0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini.tmp

Filesize
47KB

MD5
6957a68c5654fbfd50b5bb7a79058ae2

SHA1
a7ad24f7b903bdc59cbeed40983aa863216c8432

SHA256
fe6573a46118a8912dd8daac04a75c734a43ee04e6f14a57bfd7d1a2066c817f

SHA512
a53a224bd34acfd5347711a5ba64ed061b55cb9c540548ea3c8c448da43e0747173d512dc6d362fc6973b3b12a24032b4c799373d28a3693644b0284219aea23

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
b1fae1c0fc1a042b4db9034bf6135803

SHA1
4f4925ef2cd02701a58d891b8f482dd621c9afef

SHA256
b480d034cb9351111ee28f8979ef21d1cf142c3359414d8de776acba0254ffce

SHA512
f976ede42aab4c0e6708fb4b084c04e8f7d0bb254b4e492d2ba68d5053b94c58199d19dfc48a123896d2a9a50cb81bea2cb80b7f3590d087116cc94eb0543dd6

Download Submit
memory/3968-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3968-1336-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download